Researcher attempts to unravel Kaminsky DNS flaw

A security researcher has come up with an attack method he believes could be used to exploit the recently patched DNS vulnerability

A security researcher has come up with an attack method he believes could be used to exploit the DNS flaw that was recently patched in a co-ordinated, multi-vendor effort.

A warning about the DNS vulnerability, which could allow attackers to hijack web surfing, was publicised earlier this month by researcher Dan Kaminsky. However, the details have not been made public, leading to speculation about its makeup in the security community. Halvar Flake, who is chief executive and head of research at Sabre Security, posted a hypothesis in a blog as to what the DNS flaw could be on Monday.

Flake's proposed method starts by sending 'floods' of faked requests to a nameserver, which converts text domain names into numeric IP addresses. The attacker sets up a web page with tags that point to a compromised nameserver. When a user visits that web page, the browser will try to resolve those names through a legitimate nameserver. However, that bona fide nameserver will then forward the browser's query to the compromised nameserver, which replies with a specific part of the data packet poisoned. This will then poison the bona fide nameserver, and anyone who uses it from then on will unwittingly be pointed to a malicious site.

Kaminsky did not release technical details of the flaw, choosing instead to work with affected vendors so they could bring out patches. He had asked the security community not to speculate on the issue. However, Flake defended his own speaking out, saying that keeping quiet would only help "particularly bright evil" people.

"By asking the community not to publicly speculate, we make sure that we have no idea what [the time before an exploit appears] actually is. We are not buying anybody time, we are buying people a warm and fuzzy feeling," Flake wrote in a blog post.

Flake's approach combines query-identifier spoofing with records-referral set poisoning, meaning it could overcome methods for countering both types of attack. A query identifier is a 16-bit number used to identify a DNS packet, so packet transactions can be kept in the correct order.

It is possible to spoof query identifiers and use them in DNS cache poisoning. The flaw has been known about since at least 1995, but it can be mitigated by using a strong random number generator to choose the query identifier.

Records-referral data is included in each packet to make responses effective. Records-referral set (RRset) poisoning involves hacking a DNS implementation to send out compromised records-referral data with legitimate records-referral data. RRset poisoning has been known about for over 10 years, and can be overcome by 'bailiwick checking', or having resolvers check they are not caching any new address for any website in any one transaction.
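One way a resolver can apply the bailiwick check the paragraph describes, as an added example that is not the article's or any resolver's own code; the zone name, record layout and sample response are constructed for illustration:

```python
"""Bailiwick check over a constructed DNS response (added example).

A caching resolver only trusts records from a server for names that fall
inside the zone that server was delegated for; anything else in the
response is discarded rather than cached."""


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or is a subdomain of it (case-insensitive)."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def filter_response(zone: str, records: list) -> tuple:
    """Split a response into records to cache and records to reject.

    `zone` is the zone the responding server was delegated; `records` is a
    list of dicts with at least a "name" key (constructed format, not wire
    format). Returns (accepted, rejected) in original order."""
    accepted, rejected = [], []
    for rr in records:
        (accepted if in_bailiwick(rr["name"], zone) else rejected).append(rr)
    return accepted, rejected


# Constructed sample: a reply from the example.com nameserver that answers
# www.example.com and supplies its own glue, but also slips an A record for
# a name outside its zone into the additional section. Addresses are from
# the RFC 5737 documentation ranges.
SAMPLE_RESPONSE = [
    {"name": "www.example.com.", "type": "A", "data": "192.0.2.10", "section": "answer"},
    {"name": "ns1.example.com.", "type": "A", "data": "192.0.2.53", "section": "additional"},
    {"name": "www.example.net.", "type": "A", "data": "203.0.113.7", "section": "additional"},
]

if __name__ == "__main__":
    ok, dropped = filter_response("example.com", SAMPLE_RESPONSE)
    print("cache:", [r["name"] for r in ok])       # the two example.com names
    print("reject:", [r["name"] for r in dropped])  # www.example.net.
```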

Security researcher Dan McPherson of Arbor Networks said in a blog post that this method would make a DNS poisoning attack "considerably more effective".

The Matasano Security team claims to have talked to Kaminsky about the flaw. Bloggers are reporting that they saw a post on Monday by a member of the Matasano Security team saying Flake's hypothesis was correct, but this post has since been pulled, and an apology posted to say the team had made a mistake in saying a researcher had correctly identified the DNS flaw.

Kaminsky did not confirm whether Flake had correctly guessed the flaw. However, he recommended IT administrators patch their systems immediately.

"Patch. Today. Now. Yes, stay late," wrote Kaminsky in a blog post on Monday.

Kaminsky has said he will reveal the details of the flaw at the Black Hat security conference in Las Vegas in August.