Comments on: DNS “novice” discovers secret flaw

By: Nate Lawson

Nate Lawson — Thu, 31 Jul 2008 19:42:11 +0000

Joe, OpenDNS is fine as an easy-to-use option. I personally have been using djb’s dnscache on my home router, which is also safe against this attack if you don’t configure it to use vulnerable DNS servers like your ISP’s.

By: anon squared

anon squared — Thu, 24 Jul 2008 01:17:15 +0000

Hey anon, allow me to quote from Halvar’s blog:

“Guessing how something is done knowing it can be done is easy. Dan did the hard part: Coming up with a clever attack in a protocol that is relied on everywhere. My guess doesn’t come close to comparing to what Dan has done: He spotted something that everyone else missed beforehand. He also handled the entire situation with a lot of endurance, patience, and determination. We disagree on whether people have a right (or even duty) to discuss what the issue might be, but that doesn’t mean that I do not have the greatest respect for Dan. And his talk will contain much more of interest than my silly 30 lines.”

Get a life.

By: Joe

Joe — Wed, 23 Jul 2008 23:21:03 +0000

Dan recommended OpenDNS “if you have to”. Is there any reason home users shouldn’t bypass their slow-to-react ISP’s and use OpenDNS? Mine, AT&T dsl still hasn’t patched.

By: anon

anon — Wed, 23 Jul 2008 05:22:47 +0000

Halvar should be credited with the discovery. This should be Dan’s punishment for trying to hog all of the attention himself.

By: Icelander

Icelander — Tue, 22 Jul 2008 09:59:57 +0000

Here is why it works:

Malory wants to poison the server ns.polya.com

Malory sends NS requests for ulam00001.com, ulam00002.com … to ns.polya.com.

Malory then sends a forged answers, saying that the NS for http://www.ulam00002.com is ns.google.com *AND* puts a glue record saying that ns.google.com is 66.6.6.6

Because the glue records corresponds with the answer record, (same domain) the targetted nameserver will cache or replace it’s curent record of ns.google.com to be 66.6.6.6