Dan Kaminsky, a security researcher, has announced that he has found a major design flaw in DNS that could lead to mass exploitation of caching DNS servers: an attacker could poison a resolver's cache with entries of their own choosing. You can read his notes on his blog post.
There have already been hundreds of articles from different media outlets over the last few days about this. Dan has clearly said that he has found a new DNS flaw, although some people speculate that he is re-hashing earlier security findings about the weakness of non-random UDP source ports and TXIDs. Dan will not reveal the details of the exploit until August, so until then nobody can try to debunk his claim.
Paul Vixie, the primary author of BIND, wrote this on a mailing list recently, supporting Dan’s claims:
this is not a decade old problem. it's either as old as dns, or four months old, depending on how you count. somebody reminded me that i was one of the earliest to ring an alarm bell on this, in a very weak, terrible 1995 paper:

in 2002 i also attempted to demystify BCP38 since we all know that without IP source address repudiability, no noncrypto UDP based protocol is safe:

so, patrick and others, let me assure you, having been here all along and having done what i could to secure the DNS QID for ~1.5 decades, i am aware of the details of dan kaminsky's attack, and it will be news on august 6, and it justifies every bit of pain and panic involved in randomizing all UDP source ports on DNS transactions between recursive and authority servers.

and let me take another opportunity to thank dan bernstein for coming up with the idea of UDP source port randomization for DNS transactions. we know it works and we're pushing hard to get it universally deployed. (while i'd rather have Secure DNS, the community could not possibly deploy that fast enough, so we're doing what we can while we can.)
so, you should fix it NOW NOW NOW!
We have already updated our caching DNS servers with the new patched code. You should check to make sure that the caching DNS servers your systems use have been patched with these latest updates.
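One way to check a resolver for the weakness this post describes is to look at the UDP source ports and TXIDs it uses on outbound queries to authoritative servers: an unpatched resolver reuses one port and counts TXIDs upward, a patched one draws both from a PRNG. The script below is an added example (not code from the original post or from BIND); it takes (source_port, txid) pairs that you would extract from a packet capture of your resolver's outbound traffic, and the sample pairs in it are constructed for illustration.

```python
"""Assess whether a recursive resolver randomizes UDP source ports and TXIDs."""
import math
import random
from collections import Counter


def entropy_bits(values):
    """Shannon entropy of a sample in bits; at most log2(len(values))."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def looks_sequential(values, tolerance=0.8):
    """True when most successive values step by +1 (a 16-bit counter)."""
    if len(values) < 2:
        return False
    steps = sum(1 for a, b in zip(values, values[1:]) if (b - a) % 65536 == 1)
    return steps / (len(values) - 1) >= tolerance


def assess(samples):
    """samples: list of (udp_source_port, txid) for outbound recursive queries."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    max_bits = math.log2(len(samples))  # entropy ceiling for a sample this size

    def randomized(vals):
        # Neither a counter nor concentrated on a few values.
        return not looks_sequential(vals) and entropy_bits(vals) >= 0.9 * max_bits

    return {
        "port_entropy_bits": round(entropy_bits(ports), 2),
        "txid_entropy_bits": round(entropy_bits(txids), 2),
        "ports_randomized": randomized(ports),
        "txids_randomized": randomized(txids),
    }


# Constructed samples (not real captures), 200 queries each: an unpatched
# resolver sending every query from one port with a counting TXID, and a
# patched one drawing both values from a PRNG.
UNPATCHED = [(32768, (4000 + i) & 0xFFFF) for i in range(200)]
_rng = random.Random(2008)
PATCHED = [(_rng.randint(1024, 65535), _rng.randint(0, 65535)) for _ in range(200)]

if __name__ == "__main__":
    for name, sample in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(name, assess(sample))
```

A resolver that fails either check is still exposed even if its TXIDs look random, since a fixed port leaves only 16 bits for an attacker to guess.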