Kris Kaspersky says DNS patches are useless
The latest security patches designed to prevent DNS spoofing don’t work. Effective attacks against DNS are still possible. This document summarizes the DNS name server attack and the client’s resolver (the stub), as related to: BIND9, PowerDNS, DJBDNS, MS XP/Server 2003/Server 2008. Kris Kaspersky has analyzed the patches and discovered that they are almost useless and do not fix the real attack vector. In short, the patched systems do two things:
1.) They randomize the transaction ID (TXID) and the source port number (SP#) as best as they can. Unfortunately, they can’t! Most systems use extremely weak and predictable pseudo-random algorithms;
2.) They change the DNS cache behavior. Some systems simply turn the cache off, which has negative side-effects, including performance degradation and weakened protection. This is because the more outgoing DNS requests a system sends, the greater the chance that it accepts a faked DNS reply;
Port randomization doesn’t solve the problem (see the “port exhaustion” attack scenario), and the TXID is still quite predictable. In general, a dozen faked DNS replies are enough to hack the victim. Changing the cache behavior reduces the impact of DNS poisoning but doesn’t prevent DNS spoofing. To protect systems against DNS attacks we have to know how they work.
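The claim that patched resolvers “randomize as best they can” but mostly rely on weak, predictable generators suggests a concrete check a defender can run: measure how random the TXIDs and source ports your own resolver actually emits are. The Python below is an added example written for this page, not code from Kris Kaspersky or from any of the resolvers named above. It assumes you can supply lists of (TXID, source port) values parsed from a packet capture of the resolver’s outgoing queries; here it builds two constructed samples inline, a counter-style generator and a full-range PRNG, so it runs offline.

```python
import math
import random
from collections import Counter

FIELD_SPACE = 65536  # 16-bit TXID and 16-bit source port share the same range


def shannon_entropy_bits(values):
    """Empirical Shannon entropy (bits) of a list of 16-bit values.
    An n-sample estimate can never exceed log2(n), so callers compare
    against that ceiling rather than against the ideal 16 bits."""
    counts = Counter(values)
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def delta_entropy_bits(values):
    """Entropy of the differences between consecutive values (mod 2^16).
    A counter or fixed-step generator has highly repetitive deltas and
    scores near 0 bits even though every raw value is distinct."""
    deltas = [(b - a) % FIELD_SPACE for a, b in zip(values, values[1:])]
    return shannon_entropy_bits(deltas)


def assess_field(values, name):
    """Score one field (TXID or source port) and list the weaknesses found."""
    n = len(values)
    ceiling = math.log2(n)                # best entropy an n-sample estimate can show
    unique_frac = len(set(values)) / n    # repeats well beyond birthday collisions
    d_ent = delta_entropy_bits(values)    # catches sequential / fixed-step generators
    span = max(values) - min(values)      # catches a narrow port window
    reasons = []
    if d_ent < 0.5 * ceiling:
        reasons.append(f"{name}: successive deltas are predictable ({d_ent:.2f} bits)")
    if unique_frac < 0.9:
        reasons.append(f"{name}: only {unique_frac:.1%} distinct values in sample")
    if span < 1024:
        reasons.append(f"{name}: values confined to a {span}-wide window")
    return {"name": name, "samples": n, "delta_entropy_bits": d_ent,
            "unique_fraction": unique_frac, "span": span, "reasons": reasons}


def assess_randomization(txids, sports):
    """Combine the TXID and source-port assessments into one verdict."""
    fields = [assess_field(txids, "txid"), assess_field(sports, "sport")]
    reasons = [r for f in fields for r in f["reasons"]]
    return {"verdict": "weak" if reasons else "ok", "fields": fields, "reasons": reasons}


# Constructed samples for demonstration; not captured from any real resolver.
def weak_sample(n=2000):
    """Counter-style TXID plus a 64-port window: 'randomization' in name only."""
    txids = [(1000 + i) % FIELD_SPACE for i in range(n)]
    sports = [53000 + (i % 64) for i in range(n)]
    return txids, sports


def strong_sample(n=2000, seed=1):
    """Full-range TXID and ephemeral ports from a seeded PRNG (seeded only
    so the demonstration is reproducible; a real resolver should use a CSPRNG)."""
    rng = random.Random(seed)
    txids = [rng.randrange(0, FIELD_SPACE) for _ in range(n)]
    sports = [rng.randrange(1024, FIELD_SPACE) for _ in range(n)]
    return txids, sports


if __name__ == "__main__":
    for label, (t, p) in (("weak", weak_sample()), ("strong", strong_sample())):
        report = assess_randomization(t, p)
        print(f"{label}: verdict={report['verdict']}")
        for r in report["reasons"]:
            print("  -", r)
```

In practice you would feed `assess_randomization` a few thousand (TXID, source port) pairs taken from a capture of the resolver’s outbound queries. Note what the check does and does not tell you: a clean verdict means the generator is not trivially sequential or confined to a small window, but it says nothing about the “port exhaustion” scenario mentioned above, where the usable port range shrinks for reasons unrelated to the generator, nor about the cache-behavior side of the fix.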