
DNS cache poisoning made easy

July 24th, 2007 Posted by D Webber

Filling a DNS server’s cache with fake records just got a whole lot easier. Two flaws in the BIND domain name server (DNS) software were announced today that turn the normally hit-or-miss practice of stuffing name servers full of false information into a sure thing.

“This is a powerful attack, as it retracts the security of BIND 9 to almost where it was over a decade ago,” says the “executive summary” from the group that published the flaw. All versions of BIND 9.x are affected, and that is what the majority of DNS servers on the Internet are running.

The worst flaw gives attackers a “1 in 8 chance of guessing the next query id for 50% of the query ids” coming from a DNS server, which are excellent odds. The attacker only has to get a victim’s DNS server to query a domain hosted on a server he controls (e.g. by sending email to the victim’s SMTP server, causing its spam filters to do a lookup on the attacker’s domain), which lets him see the query ID the victim’s server is currently using. Then it’s just a matter of predicting the next query ID, sending spoofed answers to the victim’s DNS server, and suddenly update.microsoft.com starts resolving to an IP in Siberia.
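To make those three steps concrete, here is an added simulation written for this page; it is not BIND code and not the algorithm from the published paper. It models a recursive resolver that matches an answer to its outstanding query only by 16-bit transaction ID and question name, and an attacker who first gets the resolver to look up a name in his own zone (so he sees the ID the resolver used), then floods forged answers for a target name. The “weak” ID generator is a constructed toy (each new ID is the previous one plus 1..8) standing in for any scheme where the next ID falls in a small predictable set; the names, addresses and 8-guess window are assumptions. The model ignores the UDP source port and the race against the legitimate answer, both of which a real attacker also has to get right.

```python
"""Toy model of DNS cache poisoning with predictable vs. random transaction IDs.

Added example for this page: not BIND code and not the published attack
algorithm. The resolver accepts an answer only if its 16-bit ID and question
name match an outstanding query (a real resolver also checks the UDP source
port, and the forged answer must beat the genuine one; both are ignored here).
"""
import random
import struct

TARGET = "www.target.example."              # assumed victim name
EVIL_IP = "198.51.100.66"                   # assumed attacker-controlled address
ATTACKER_NAME = "lookup.attacker.example."  # assumed name in the attacker's own zone
ATTACKER_NS_IP = "203.0.113.5"


def encode_name(name):
    """Encode a dotted name in DNS wire format (length-prefixed labels, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, qname):
    """Recursive A query: header (ID, flags RD=1, QDCOUNT=1) followed by the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(txid, qname, ip):
    """Response with one A record; the answer name is a compression pointer to the question."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, len(rdata)) + rdata
    return header + question + answer


def parse_id_and_qname(msg):
    """Return (transaction ID, question name) from a query or response."""
    txid = struct.unpack("!H", msg[:2])[0]
    labels, pos = [], 12
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return txid, ".".join(labels) + "."


class Resolver:
    """Minimal recursive resolver: one query in flight per name, matched by (name, ID)."""

    def __init__(self, next_id):
        self.next_id = next_id
        self.pending = {}   # qname -> ID of the query in flight
        self.cache = {}     # qname -> IP string

    def send_query(self, qname):
        txid = self.next_id()
        self.pending[qname] = txid
        return build_query(txid, qname)

    def receive(self, msg):
        """Accept the answer only if ID and question match what we sent."""
        txid, qname = parse_id_and_qname(msg)
        if self.pending.get(qname) != txid:
            return False    # wrong ID: silently dropped, as a real resolver would
        del self.pending[qname]
        self.cache[qname] = ".".join(str(b) for b in msg[-4:])
        return True


def weak_ids(rng):
    """CONSTRUCTED toy generator: each ID is the previous one plus 1..8, so whoever
    has seen one ID knows the next one lies in an 8-value window."""
    state = [rng.randrange(1 << 16)]

    def nxt():
        state[0] = (state[0] + 1 + rng.randrange(8)) & 0xFFFF
        return state[0]
    return nxt


def random_ids(rng):
    """Uniform 16-bit IDs: the attacker's guesses are no better than chance."""
    return lambda: rng.randrange(1 << 16)


def run_attack(make_generator, trials, guesses=8, seed=1):
    """Fraction of trials in which a forged answer ends up in the victim's cache."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        resolver = Resolver(make_generator(rng))
        # Step 1: attacker makes the victim look up a name in his own zone (e.g. via
        # the spam filter) and reads the ID off the query that reaches his server.
        query = resolver.send_query(ATTACKER_NAME)
        observed_id, _ = parse_id_and_qname(query)
        resolver.receive(build_response(observed_id, ATTACKER_NAME, ATTACKER_NS_IP))
        # Step 2: the victim now looks up the real target.
        resolver.send_query(TARGET)
        # Step 3: attacker floods forged answers covering the predicted ID window.
        for offset in range(1, guesses + 1):
            forged = build_response((observed_id + offset) & 0xFFFF, TARGET, EVIL_IP)
            if resolver.receive(forged):
                wins += 1
                break
    return wins / trials


if __name__ == "__main__":
    print("predictable IDs:", run_attack(weak_ids, 200))
    print("random IDs:     ", run_attack(random_ids, 2000))
```

With the toy predictable generator every trial is poisoned after at most eight forged packets; with uniformly random IDs the same eight packets succeed in roughly 8 out of 65536 attempts, which is why the attacker in the predictable case does not even need to win the race repeatedly.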

Patched point releases in the BIND 9.x series are available that fix the flaws. You need BIND 9.2.8-P1, BIND 9.3.4-P1, BIND 9.4.1-P1 or BIND 9.5.0a6.

A decade ago when I first started working in Internet security I would’ve been very excited by this kind of flaw: an easy exploit that affects pretty much the entire Internet… the phishers and other criminals are going to do lots of damage with this. However now I’ve seen too many major organizations (especially government) who still haven’t taken even basic steps to secure their name servers: they’re still running ancient versions of BIND, allowing recursive queries from outside, no split DNS, and so on. This predictable query ID issue is nasty, but in reality it’s so far down the list of issues for most organizations’ DNS infrastructure that it’s hard to get too excited about it.
