Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: Dan Kaminsky's DNS bug: revealed? - Patch! - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Dan Kaminsky's DNS bug: revealed? - Patch!

It seems the cat might be out of the bag regarding Dan Kaminsky's upcoming presentation at Blackhat.

Since this now means the bad guys have access to it at will -I found the speculations using Google, I'm sure they have done so already-, the urgency of patching your recursive DNS servers just increased significantly. There seems to be some effort underway to put the cat back in the bag, but I strongly doubt that'll work.

To describe it for defensive use by those operating recursive DNS servers: The descriptions I found would make you look for signs of attack using this technique in DNS queries for significant amounts of nonexistent subdomains that try to poision the parent using a glue record.
Those operating authoritative servers should be able to monitor for increased/excessive queries into nonexistent names from a single source, but there's little they can do beyond trying to warn the operator of the recursive server.

Since I wasn't briefed by Dan Kaminsky, I've no way of knowing if the theories that are out there are in fact what was going to be presented at Black Hat, so it might still be different.

Still, while fixing this might not be so trivial, an upgrade or patch of all recursive DNS servers is what's really needed at this point. So if you were still waiting for an excuse, this one is it: PATCH NOW.
Take care as performance issues exist in e.g. BIND with some of the patched versions, and e.g. ISP operated recursive servers do take quite a bit of load ...

Swa Frantzen -- Section 66


760 Posts
Jul 22nd 2008

Sign Up for Free or Log In to start participating in the conversation!