News | 11.07.2008

DENIC Recommends Software Update Due To Security Hole in DNS Resolvers

Recently, all well-known producers of DNS software and various Computer Security Incident Response Teams (CSIRTs) have drawn attention to a problem with the DNS that allows third parties to plant forged information in name servers. With the explanations below, DENIC wants to describe the background of the situation, give its own view of the problem and point out measures that operators of name servers can take.

The weak point described is found in many recursive name servers, i.e. the programs that resolve host names to IP addresses. The corresponding information is not only passed on directly to the requesting program (a web browser, for example) but is also stored for a limited period in the name server's interim store, the so-called cache. The hole enables attackers to insert manipulated data into the cache of unprotected recursive name servers. Since the cache content is, metaphorically speaking, “poisoned”, this is called “cache poisoning”.

The goal of such an attack may be to divert Internet users to fake web pages (similar to so-called phishing) without the user having to follow a forged URL. As a result, the attacker may obtain user IDs and passwords or other valuable information.

At present, DENIC is not in a position to give any information on the actual method of attack. Dan Kaminsky, a security expert who has repeatedly published on the DNS, will explain the details at the Black Hat conference on 6 August 2008.

Cache poisoning in general has been a well-known problem in the DNS for quite some time; it is inherent in the structure of the DNS. Various methods have been developed to harden resolvers and thus make the software more resilient against attacks. As a result, incidents in which cache poisoning played an important role have not been reported for a long time. To counter the current problem, all producers of name server software have quickly published patches for their systems that make it much more difficult for attackers to “poison” the name server cache with fake IP addresses. The solution is so-called “source port randomization”: the port from which the resolver sends its query is chosen at random. Consequently, the attacker must guess not only the correct transaction ID of the query but also the correct port in order to place a manipulated reply in the cache.
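As an added illustration that is not part of DENIC's text, the following Python script analyzes the (source port, transaction ID) pairs of a resolver's outbound queries, as an operator could read them from the UDP and DNS headers in a packet capture of their own resolver, and reports whether source port randomization appears to be in effect and how much larger the space a forger would have to guess becomes. The two sample query lists are constructed; the detection threshold and the search-space estimate are this example's own assumptions, not DENIC's.

```python
import math
import random
from collections import Counter

# Constructed sample input (not real capture data): (source_port, txid) pairs
# as they would be read from the UDP and DNS headers of a resolver's outbound
# queries. LEGACY models an unpatched resolver that always queries from one
# fixed port; PATCHED models one with source port randomization enabled.
_rng = random.Random(2008)
LEGACY_QUERIES = [(53, _rng.randrange(65536)) for _ in range(500)]
PATCHED_QUERIES = [(_rng.randrange(1024, 65536), _rng.randrange(65536))
                   for _ in range(500)]

TXID_SPACE = 65536  # the DNS transaction ID is a 16-bit field


def shannon_entropy_bits(values):
    """Shannon entropy, in bits, of the empirical distribution of values."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def analyze_queries(queries, distinct_ratio_threshold=0.5):
    """Report how unpredictable a resolver's outbound queries are.

    distinct_ratio = distinct source ports / queries observed. A resolver that
    reuses a single port yields roughly 0; a randomizing one yields close to 1
    (slightly below because of birthday collisions among the samples). The
    0.5 threshold is an assumption chosen for this example.
    """
    if not queries:
        raise ValueError("no queries observed")
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    distinct_ports = len(set(ports))
    randomized = distinct_ports / len(ports) >= distinct_ratio_threshold
    # Effective port space a forger must cover: the observed port range when
    # randomization is in use, a single fixed port otherwise (assumed estimate).
    port_space = (max(ports) - min(ports) + 1) if randomized else 1
    search_space = TXID_SPACE * port_space
    return {
        "queries": len(queries),
        "distinct_ports": distinct_ports,
        "port_entropy_bits": shannon_entropy_bits(ports),
        "txid_entropy_bits": shannon_entropy_bits(txids),
        "port_randomization": randomized,
        "search_space": search_space,
        # Probability that one blindly forged reply matches both the txid and
        # the port of a given outstanding query, assuming uniform choices.
        "match_probability_per_reply": 1.0 / search_space,
    }


if __name__ == "__main__":
    for label, sample in (("legacy", LEGACY_QUERIES), ("patched", PATCHED_QUERIES)):
        report = analyze_queries(sample)
        print(f"{label}: randomized={report['port_randomization']} "
              f"distinct_ports={report['distinct_ports']} "
              f"port_entropy={report['port_entropy_bits']:.2f} bits "
              f"search_space={report['search_space']}")
```

Run against a capture of your own resolver's outbound queries, the legacy-style result (one distinct port, zero bits of port entropy, a search space of only 65536 transaction IDs) is the signature of a resolver that still needs the update described above.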

Although there is not yet any proof that the security hole is actually being exploited, the public discussion of the matter makes this ever more probable. DENIC therefore recommends that all operators of recursive name servers, in the interest of users and of the security and stability of the DNS as a whole, contact their software suppliers and update the software they use to the latest version as soon as possible.