root labs rdist

July 21, 2008

DNS “novice” discovers secret flaw

Filed under: Security — Nate Lawson @ 12:19 pm

Being his usual humble self, Halvar casually discovers what I think is Dan Kaminsky’s DNS flaw.  The Register has a story that quotes me on this.  While I’m not certain it is the same attack, I’m moderately confident it is.

Note that neither Halvar nor I was part of the secret briefing Dan gave to researchers.  I didn’t receive that inside information and believe Halvar didn’t either.  This reinforces the perspective that information about a bug should be revealed quickly, given the likelihood that another party might rediscover it.  It’s possible a black hat hacker even beat Halvar, even though he’s very smart.

The debate about full or partial disclosure is really all about control.  In this case, the information about the patch (randomize source port and double check the randomization on TXID) was enough to independently rediscover the attack.  Even though there is not a direct connection between the attack and the patch, knowing that it was possible was enough.  Once the information was out there, Dan and the vendors had given up control.

So, patch your servers and back to business as usual…

5 Comments

  1. Here is why it works:

    Malory wants to poison the server ns.polya.com

    Malory sends NS requests for ulam00001.com, ulam00002.com … to ns.polya.com.

    Malory then sends a forged answers, saying that the NS for http://www.ulam00002.com is ns.google.com *AND* puts a glue record saying that ns.google.com is 66.6.6.6

    Because the glue records corresponds with the answer record, (same domain) the targetted nameserver will cache or replace it’s curent record of ns.google.com to be 66.6.6.6

    Comment by Icelander — July 22, 2008 @ 1:59 am

  2. Halvar should be credited with the discovery. This should be Dan’s punishment for trying to hog all of the attention himself.

    Comment by anon — July 22, 2008 @ 9:22 pm

  3. Dan recommended OpenDNS “if you have to”. Is there any reason home users shouldn’t bypass their slow-to-react ISP’s and use OpenDNS? Mine, AT&T dsl still hasn’t patched.

    Comment by Joe — July 23, 2008 @ 3:21 pm

  4. Hey anon, allow me to quote from Halvar’s blog:

    “Guessing how something is done knowing it can be done is easy. Dan did the hard part: Coming up with a clever attack in a protocol that is relied on everywhere. My guess doesn’t come close to comparing to what Dan has done: He spotted something that everyone else missed beforehand. He also handled the entire situation with a lot of endurance, patience, and determination. We disagree on whether people have a right (or even duty) to discuss what the issue might be, but that doesn’t mean that I do not have the greatest respect for Dan. And his talk will contain much more of interest than my silly 30 lines.”

    Get a life.

    Comment by anon squared — July 23, 2008 @ 5:17 pm

  5. Joe, OpenDNS is fine as an easy-to-use option. I personally have been using djb’s dnscache on my home router, which is also safe against this attack if you don’t configure it to use vulnerable DNS servers like your ISP’s.

    Comment by Nate Lawson — July 31, 2008 @ 11:42 am


RSS feed for comments on this post.

The Rubric Theme Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 81 other followers