[kwlug disc.] DNS security threat
Bob Jonkman
bjonkman at sobac.com
Tue Aug 5 03:00:49 EDT 2008
And that other record can be for the name server itself. In other words,
not only can the exploit return a false answer for the request, it can set
the name server to a compromised server for all subsequent queries.
The patches randomize the request port. This doesn't fix the problem, but
makes it more difficult to execute. There's some dependency on the speed
of the connected DNS server as well -- the faster the connection, the more
bogus requests an attacker can get in. This is one reason why this
exploit is feasible today -- the timing with gigabit ethernet makes it
possible; the timing with 10 Mbps ethernet (or dialup!) made it nearly
impossible.
Dan Kaminsky presents at Black Hat on Wednesday at 11:15 -0700 (PDT, Las
Vegas time; 08:15 -0400 EDT, our time). I can find no live feed for this.
http://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Kaminsky
Kaminsky also participated in a panel on 24 July 2008; podcast at:
https://www.blackhat.com/html/webinars/blackhat-webcast-2-july-08.mp3
(I remember when the Black Hat conference was a back-room activity of
DefCon -- when did Black Hat become the predominant conference?)
--Bob.
On 1 Aug 2008 at 16:39, Rashkae wrote:
> For reasons that are a bit beyond my personal understanding, it's part
> of the DNS standard that an Authoritative server can include records for
> other hosts as part of its reply to a query. The real flaw is in the
> protocol itself, and this patch is only a sloppy band-aid.
>
-- -- -- --
Bob Jonkman <bjonkman at sobac.com> http://sobac.com/sobac/
SOBAC Microcomputer Services Voice: +1-519-669-0388
6 James Street, Elmira ON Canada N3B 1L5 Cel: +1-519-635-9413
Software --- Office & Business Automation --- Consulting
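The race Bob describes above (guess the transaction ID before the real answer arrives, and smuggle in an "other record" that repoints the name server), as an added toy simulation that is not code from the thread or from any real resolver. Everything in it is constructed: the resolver model, the attacker loop, the 192.0.2.53 / 198.51.100.66 addresses and the 1024-65535 port range are assumptions made for illustration. The `flood` parameter stands in for how many spoofed replies the attacker's link can deliver before the legitimate reply lands, which is the bandwidth dependency the post mentions.

```python
"""Toy model of the 2008 DNS cache-poisoning race (added example, not from the
thread).  The resolver, attacker and addresses are a simulation, not real DNS."""
import random
from dataclasses import dataclass, field

TXID_SPACE = 1 << 16                   # 16-bit transaction ID
EPHEMERAL_PORTS = range(1024, 65536)   # assumed randomized source-port range

LEGIT_NS_IP = "192.0.2.53"      # documentation address, constructed
ATTACKER_IP = "198.51.100.66"   # documentation address, constructed


@dataclass
class Response:
    txid: int
    dport: int
    answer: tuple            # (name, rdata) for the question that was asked
    additional: tuple = ()   # the "other records", e.g. an A record for the NS


@dataclass
class ToyResolver:
    """Accepts a reply if txid and destination port match the outstanding query.
    Like the unpatched resolvers of the time, it does no bailiwick check: any
    additional record overwrites what it knows about the name server."""
    rng: random.Random
    randomize_port: bool
    cache: dict = field(default_factory=dict)
    ns_addr: dict = field(default_factory=lambda: {"ns1.example.com": LEGIT_NS_IP})

    def send_query(self, qname):
        sport = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_port else 53
        return qname, self.rng.randrange(TXID_SPACE), sport

    def accept(self, query, resp):
        qname, txid, sport = query
        if resp.txid != txid or resp.dport != sport:
            return False                      # mismatch: silently dropped
        self.cache[resp.answer[0]] = resp.answer[1]
        for name, rdata in resp.additional:   # repoints the NS for later queries
            self.ns_addr[name] = rdata
        return True


def per_query_success(flood, randomize_port):
    """Chance that at least one of `flood` random spoofed replies matches."""
    space = TXID_SPACE * (len(EPHEMERAL_PORTS) if randomize_port else 1)
    return 1 - (1 - 1 / space) ** flood


def run_attack(seed, randomize_port, flood, max_queries):
    """Attacker triggers a query for a fresh random name and fires `flood`
    spoofed replies at it before the real answer arrives, then repeats with a
    new name.  Returns (query number on which poisoning succeeded or None,
    the resolver) so the caller can inspect what got cached."""
    rng = random.Random(seed)
    resolver = ToyResolver(rng, randomize_port)
    for i in range(1, max_queries + 1):
        q = resolver.send_query(f"r{i}.example.com")
        for _ in range(flood):
            # Without port randomization the port is known; otherwise guess it too.
            guess_port = rng.choice(EPHEMERAL_PORTS) if randomize_port else 53
            spoof = Response(
                txid=rng.randrange(TXID_SPACE), dport=guess_port,
                answer=(q[0], ATTACKER_IP),
                additional=(("ns1.example.com", ATTACKER_IP),))
            if resolver.accept(q, spoof):
                return i, resolver
        # Legitimate reply wins this round; the attacker just asks for another name.
    return None, resolver


if __name__ == "__main__":
    for randomized in (False, True):
        hit, res = run_attack(seed=1, randomize_port=randomized,
                              flood=6000, max_queries=150)
        print(f"port randomized={randomized}: p/query="
              f"{per_query_success(6000, randomized):.2e}, "
              f"poisoned on query {hit}, NS now {res.ns_addr['ns1.example.com']}")
```

With a fixed port the attacker only has to beat 16 bits of transaction ID, so a few thousand spoofed replies per query give a several-percent chance each round and poisoning lands within a modest number of queries; once it does, `ns_addr` points at the attacker and every later query for the zone goes there. Randomizing the source port multiplies the search space by roughly 2^16 again, which is why the patch makes the race impractical at 2008 link speeds without changing the protocol.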