Looked into this a little more... wondering if this is a problem for client (end-user) machines or not. Eg, can the spoofing be individually targeted?

See, my initial summary was slightly too simplified. Rather than a 'central' name server, there's actually hierarchies of domain name servers that process name-to-number requests. For example, there might be one inside your company's network, that connects to one at the ISP, that connects to the network of centrally-managed DNS servers.

Each of these layers of servers 'cache' the results of name-to-number requests, so they don't have to keep passing the same request up the chain. The exploit is a combination of 'cache-pollution' attacks that invalidate those caches so requests are re-issued, and a packet-spoofing technique to insert invalid (redirected) name-to-number results.

So, is this packet spoofing only applicable between different layers in the DNS hierarchy (server-to-server), or can it also be applied to individual client results (client-to-server)? Anyone know? Regardless, just patching your local machine isn't enough.

Originally posted by Ian McLean
Looked into this a little more... wondering if this is a problem for client (end-user) machines or not. Eg, can the spoofing be individually targeted?

The chances of that are very slim. Unless they have and use their own DNS server and it gets poisoned, instead of an ISP's or public/open DNS server, I don't see how can someone can be individually targeted.

So, is this packet spoofing only applicable between different layers in the DNS hierarchy (server-to-server), or can it also be applied to individual client results (client-to-server)? Anyone know?

The target of this are obviously DNS servers. The clients will get 'contaminated' once they ask the DNS server to resolve something that happens to be poisoned on that DNS server.

Regardless, just patching your local machine isn't enough.

Yeah. If you patch your local machine but the DNS servers you use don't get patched, and get poisoned, the patch on your local machine won't do you any good.

I'm guessing that the patch for client machines (people not running DNS servers) is just so that the resolver (DNS client) uses the new techniques (stronger DNS Query IDs & random UDP port queries) when contacting DNS servers, but the crucial thing is patching DNS servers.

Originally posted by astronomine
If this hole was found, what others are out there?

Oh I guarantee there are at least tens of thousands of more security holes to be discovered, especially in windows based servers and software.

Security holes are found almost daily in windows software. Luckily, the anti-virus and firewall companies usually find them first.

Funny how security companies stay in business because of the security issues with windows.


This is why I certainly don't look forward to windows native firewalls taking over where private firms used to control. I really don't think Microsoft is up to the task.

Originally posted by johnsky
Oh I guarantee there are at least tens of thousands of more security holes to be discovered, especially in windows based servers and software.

This one is more serious because the flaw is in the DNS protocol, affecting all operating systems in essence.

But this sort of attack, DNS poisoning, is not new. It has been around since 1990 basically. After that they addressed it and plenty of fixes were introduced in BIND and other DNS servers, but should have modified the protocol altogether at that time to fix it permanently.

Luckily, the anti-virus and firewall companies usually find them first.
Funny how security companies stay in business because of the security issues with windows.

You bring up an interesting point.

Many people say the companies that develop the anti-virus applications are also engaged in developing news virus and worms, to keep the business going and justify updates.