Saturday, February 23, 2008

BIND 9 DNS Cache Poisoning (Trusteer.com)

BIND 9 DNS Cache Poisoning (Trusteer.com) March-June 2007
The paper shows that BIND 9 DNS queries are predictable – i.e. that the source UDP port and DNS transaction ID can be effectively predicted. A predictability algorithm is described that, in optimal conditions, provides very few guesses for the "next" query (10 in the basic attack, and 1 in the advanced attack), thereby overcoming whatever protection offered by the transaction ID mechanism. This enables a much more effective DNS cache poisoning than the currently known attacks against BIND 9. The net effect is that pharming attacks are feasible against BIND 9 caching DNS servers, without the need to directly attack neither DNS servers nor clients (PCs). The results are applicable to all BIND 9 releases [1], when BIND (the named daemon) is in caching DNS server configuration.

read the whole article:
http://www.trusteer.com/docs/bind9dns.html

Download PDF version

No comments: