[DNS] DNS Cache Poisoning Vulnerability

[DNS] DNS Cache Poisoning Vulnerability

From: Kim Davies <kim§cynosure.com.au>
Date: Thu, 7 Aug 2008 14:52:21 -0700
Hi folks,

A number of you have likely heard about this already, but just in case
not, this is a fairly serious issue that deserves a few minutes of
attention.

Recently, it was discovered that the amount of entropy in DNS queries is
relatively low in typical DNS software implementations, making the
ability to spoof answers a fairly trivial exercise that can take as
little as a second. This can be used to poison DNS caches, and
ultimately introduce false data into the DNS.

This is important on two distinctly different fronts:

1) Recursive name servers should have the maximum amount of entropy
   to provide the strongest resistance to spoofed DNS responses. This won't
   solve the problem, but helps mitigate the risk. There are
   patches for BIND etc. now available to randomise the source port of
   queries to aid this. To test a recursive name server you can use
   the tool at

   https://www.dns-oarc.net/oarc/services/dnsentropy

2) For domain registrants, the authoritative name server for your
   domain can be affected if they also offer recursive name service.
   The effects of cache poisoning can therefore introduce false
   data into your zone. To test for vulnerable servers, there is a
   new tool at

   http://recursive.iana.org/

   The solution to this problem is to separate recursive and
   authoritative name service from one another.

There is also an FAQ, focused on part 2, at
http://www.iana.org/reports/2008/cross-pollination-faq.html

cheers,

kim
Received on Thu Aug 07 2008 - 14:52:21 UTC

This archive was generated by hypermail 2.3.0 : Wed Oct 01 2014 - 04:00:22 UTC