Paranoid Penguin - DNS Cache Poisoning, Part I
As scary as Dan Kaminsky's cache poisoning attack is, the short-term fix is simple: make DNS server software send its DNS queries from random UDP source ports, rather than using UDP port 53 or some other static, predictable port. Prior to 2008, BIND, Microsoft DNS Server and other DNS server packages would send all DNS queries from a single port. This meant that to spoof replies to DNS queries, the attacker needed to know only what type of DNS software the target server was running to know what UDP port to use as the destination port for spoofed reply packets.
Randomizing query source ports thus makes spoofers' jobs much harder: they either have to eavesdrop network traffic and observe from what port a given query originates or send lots of spoofed replies to many different ports in the hope that one of them is “listening” for the reply. Thus, in the context of Kaminsky's cache poisoning attack, selecting a random source port from a pool even as small as 2,048 possible ports makes it exactly 2,048 times harder for attackers to guess what a valid DNS reply packet should look like, than if they have to guess only the correct Query ID!
Sure enough, before Kaminsky publicly announced the details of his attack, he convinced DNS server software vendors to issue patches that made their respective products randomize DNS query source ports, and now in 2011, this is the way DNS servers behave by default. This was only a partial fix, however. It's still possible to make Kaminsky's attack work; it just takes much longer.
A better fix is to sign DNS zone data cryptographically, so that recursing nameservers can validate DNS replies. This is possible with the DNSSEC extension to the DNS protocol, and DNSSEC will be the subject of the next column or two.
Having described DNS recursion and cache poisoning attacks in gory detail, next time, I'll begin showing you how to enable DNSSEC on your own (BIND-based) recursing nameserver, so that it checks the signatures of any signed DNS data it comes across. Until then, make sure your DNS software is fully patched, try not to worry too much, and be safe!
Linux Server Security, 2nd Edition by Mick Bauer, Sebastopol, CA: O'Reilly Media, 2006.
“An Illustrated Guide to the Kaminsky DNS Vulnerability” by Steve Friedl, Unixwiz.net Tech Tips: unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
“DNS Vulnerability: An Exclusive Interview with Cricket Liu” by Greg Ness, Archimedius: gregness.wordpress.com/2008/07/23/dns-vulnerability-an-exclusive-interview-with-cricket-liu
Birthday Problem: en.wikipedia.org/wiki/Birthday_paradox
“Understanding Kaminsky's DNS Bug” by Cory Wright: www.linuxjournal.com/content/understanding-kaminskys-dns-bug
Mick Bauer (email@example.com) is Network Security Architect for one of the US's largest banks. He is the author of the O'Reilly book Linux Server Security, 2nd edition (formerly called Building Secure Servers With Linux), an occasional presenter at information security conferences and composer of the “Network Engineering Polka”.
- Readers' Choice Awards 2013
- Mars Needs Women
- RSS Feeds
- Sublime Text: One Editor to Rule Them All?
- December 2013 Issue of Linux Journal: Readers' Choice
- Raspberry Pi: the Perfect Home Server
- IBM Will Minimize Impact of Future Disasters
- Tech Tip: Really Simple HTTP Server with Python
- Linux Systems Administrator
- Senior Perl Developer
- This should be very helpful
3 min 2 sec ago
- As much as I share your point
2 hours 22 min ago
- So girls had it better ?
5 hours 54 min ago
- Reply to comment | Linux Journal
6 hours 14 min ago
- why is GNOME 3 in the fifth position at 14.1 %?
11 hours 46 min ago
- Sublime Is Brilliant!
16 hours 49 min ago
17 hours 9 min ago
- Rapid[Disk,Cache] better than native ram caching?
17 hours 34 min ago
- Nothing is perfect
17 hours 47 min ago
- Mixtapes Community
23 hours 26 min ago