Friday, July 18, 2008

Mitigating DNS Cache Poisoning Attack

There is a well-known DNS cache poisoning vulnerability disclosed by Dan Kaminsky. The CERT advisory (VU#800113) highlights three weaknesses in existing DNS implementations that together make the attack practical:
  1. Lack of sufficient randomness in the selection of source ports for DNS queries (many resolvers send every query from a single fixed port).
  2. DNS transaction ID values that also exhibit insufficient randomness (and even a perfectly random TXID is only a 16-bit value).
  3. Multiple outstanding requests for the same resource record, which lets an attacker race several in-flight queries at once instead of one (the "birthday" variant of the attack).
For DNS servers that sit behind Linux iptables or OpenBSD pf there is an easy way to mitigate the attack without patching the DNS server itself: let the firewall's NAT rewrite the source port of outgoing queries to a random one, so that the forger has to guess the port as well as the transaction ID. Patching the resolver is, of course, the preferable fix. The firewall approach only addresses the first weakness above, it adds at most as much entropy as the port range the NAT picks from, and on Linux it only helps if the SNAT/MASQUERADE rule actually randomises the mapping (the `--random` option), since by default Linux NAT tries to preserve the original source port; pf randomises the source port of NAT'd UDP by default unless `static-port` is set.
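To put numbers on the three weaknesses, here is an added example, written for this page and not part of the original post: a toy model of the spoofing race in Python. It assumes a 16-bit transaction ID (the real field size), a "classic" resolver that sends every query from the fixed port 53, a randomising resolver that draws from the ephemeral range 1024-65535 (an assumed range), and that in-flight queries carry distinct (port, TXID) pairs; the resolver, the coalescing switch and the hostnames are all constructed for illustration.

```python
"""Toy model of the DNS spoofing race, to quantify the three CERT weaknesses.

Constructed example: real resolvers and attackers are far more complex; the
numbers only show how each weakness changes the attacker's odds.
"""
import random
from fractions import Fraction

TXID_SPACE = 1 << 16                  # DNS transaction ID is a 16-bit field
EPHEMERAL_PORTS = range(1024, 65536)  # assumed range a randomising resolver picks from
FIXED_PORT = 53                       # assumed "classic" behaviour: one fixed source port


class ToyResolver:
    """Tracks in-flight queries; a reply is accepted only if its destination
    port, TXID and question all match an outstanding query."""

    def __init__(self, randomise_ports: bool, coalesce: bool, seed: int = 0):
        self.randomise_ports = randomise_ports
        self.coalesce = coalesce            # one in-flight query per question (weakness 3)
        self.rng = random.Random(seed)      # seeded so runs are reproducible
        self.in_flight = []                 # list of (port, txid, qname)

    def query(self, qname: str) -> tuple[int, int]:
        """Send (or reuse) a query for qname; return the (port, txid) it uses."""
        if self.coalesce:
            for port, txid, name in self.in_flight:
                if name == qname:
                    return port, txid       # piggy-back on the outstanding query
        port = self.rng.choice(EPHEMERAL_PORTS) if self.randomise_ports else FIXED_PORT
        txid = self.rng.randrange(TXID_SPACE)
        self.in_flight.append((port, txid, qname))
        return port, txid

    def outstanding(self, qname: str) -> int:
        """Number of in-flight queries for qname, i.e. targets a forged reply can hit."""
        return sum(1 for _, _, name in self.in_flight if name == qname)

    def accept(self, port: int, txid: int, qname: str) -> bool:
        """The check a resolver applies to an incoming reply."""
        return (port, txid, qname) in self.in_flight


def guess_space(randomise_ports: bool) -> int:
    """Distinct (source port, TXID) pairs the attacker has to guess among."""
    ports = len(EPHEMERAL_PORTS) if randomise_ports else 1
    return ports * TXID_SPACE


def spoof_probability(forged: int, outstanding: int, randomise_ports: bool) -> Fraction:
    """Exact probability that at least one of `forged` distinct forged replies
    matches one of `outstanding` in-flight queries with distinct (port, TXID)
    pairs, all uniform over the guess space S:
        P(miss) = C(S-n, k) / C(S, k) = prod_{j<k} (S-n-j)/(S-j)
    with n forged replies and k outstanding queries."""
    s = guess_space(randomise_ports)
    if forged + outstanding > s:
        return Fraction(1)                  # the forged replies cover the whole space
    miss = Fraction(1)
    for j in range(outstanding):
        miss *= Fraction(s - forged - j, s - j)
    return 1 - miss


if __name__ == "__main__":
    for randomise in (False, True):
        # 100 client lookups for the same name, none coalesced (weakness 3)
        r = ToyResolver(randomise_ports=randomise, coalesce=False)
        for _ in range(100):
            r.query("www.example.com")
        k = r.outstanding("www.example.com")
        p = spoof_probability(forged=1000, outstanding=k, randomise_ports=randomise)
        print(f"random ports={str(randomise):5} outstanding={k:3} "
              f"P(hit with 1000 forged replies)={float(p):.2e}")
```

With a fixed source port and one outstanding query, each forged reply has a 1 in 65536 chance; sending 65536 of them guarantees a hit. Randomising over 64512 ports divides the odds by 64512, while letting 100 queries for the same name stay in flight multiplies them by 100, which is why the advisory lists all three items and why the NAT trick, which only touches the first, is a stopgap rather than the fix.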