Question: 2nd Exploit for DNS Cache Poisoning

* Jack Bates · * Thu Jul 24 15:52:50 2008

Tuc at T-B-O-H.NET wrote:

	The new one is called "baliwicked_domain" and its described
as :
This exploit attacks a fairly ubiquitous flaw in DNS implementations which
Dan Kaminsky found and disclosed ~Jul 2008. This exploit replaces the target

domains nameserver entries in a vulnerable DNS cache server. This attack works

by sending random hostname queries to the target DNS server coupled with spoofed

replies to those queries from the authoritative nameservers for that domain.

Eventually, a guessed ID will match, the spoofed packet will get accepted, and

the nameserver entries for the target domain will be replaced by the server

specified in the NEWDNS option of this exploit.

All this sounds good and dandy, but I'm not sure the guessing is the problem.
Why is a resolver replacing an existing cached entry with a new entry? If the
entry changes, at most, the resolver should be removing it from cache. In this
regards, the exploit would not only have to hit it once, but twice, and they'd
have to manage the exploit *BEFORE* the official server returned it's own
authority records for caching.
While I agree the source port is a good thing (and reduces poisoning issues even
when an authoritative server isn't responding), I question if it can actually
succeed at beating the authoritative domain's NS reliably, and if it is
overwriting a cache, if the more exploitable issue is the cache overwrite versus
staling the entry from cache early and letting the next query request from the
authoritative server.
I'm just curious. It doesn't make much sense.
Jack Bates

Question: 2nd Exploit for DNS Cache Poisoning - RELEASED