Date: Mon, 4 Aug 2008 18:22:46 -0400
From: Robert Edmonds
To: dns-operations
Subject: [dns-operations] release of ISC SIE cache poisoning attempt detection tool

hi, ISC SIE has developed a tool for detecting cache poisoning attempts. it consists of two parts: ncaptool, the part which performs packet gathering, reassembly, and dns filtering; and mod_urstate, a message processing module which attempts to statefully detect unsolicited responses that may be indicative of cache poisoning attempts.
This page provides information relating to CERT VU #800113. Please write to Admin if you have corrections or additions.
Timeline of Events
- ?, 2008
Dan Kaminsky stumbles upon a serious problem in the DNS protocol that makes cache poisoning easier than almost everyone previously thought.
- March 31, 2008
DNS Summit at Microsoft's offices to discuss the problem and solutions.
A number of people have been asking for a way to check transaction ID randomness, in addition to source port randomness. OARC's porttest tool has now been expanded to also report on transaction IDs. To use it, issue a TXT query for the name txidtest.dns-oarc.net.
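The check porttest and txidtest perform is, at bottom, a statistical look at the source ports and transaction IDs a resolver actually emits. The script below is an added illustration, not OARC's tool or scoring: it takes constructed (source port, TXID) samples as a test server would observe them and reports, per field, how many distinct values appeared, the observed entropy, and whether the values simply count upward. The "POOR"/"GOOD" verdicts and the thresholds are assumptions chosen for the example.

```python
import math
from collections import Counter

# Constructed samples (not real captures): (source_port, txid) pairs as a
# porttest/txidtest-style server would see them arriving from a resolver.
OLD_RESOLVER = [(53, 0x1000 + i) for i in range(12)]   # fixed port, counting TXIDs
PATCHED_RESOLVER = [
    (32917, 0x4f21), (51204, 0xb3e8), (18833, 0x07c5), (60077, 0xe19a),
    (41590, 0x6d44), (23451, 0x9a0f), (57802, 0x2c73), (36129, 0xd58b),
    (49316, 0x3e16), (11947, 0xf0a9), (63275, 0x81d2), (28604, 0x5b67),
]

def entropy_bits(values):
    """Shannon entropy of the observed values; with n samples it cannot exceed log2(n)."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def constant_step(values, threshold=0.5):
    """True when at least `threshold` of the consecutive differences share one
    non-zero step, e.g. TXIDs that count upward and are therefore predictable."""
    diffs = [b - a for a, b in zip(values, values[1:])]
    if not diffs:
        return False
    step, count = Counter(diffs).most_common(1)[0]
    return step != 0 and count / len(diffs) >= threshold

def assess_field(values):
    """Summarise one field; the verdict rule is an assumption, not OARC's scoring."""
    n, distinct = len(values), len(set(values))
    predictable = distinct < n // 2 or constant_step(values)
    return {
        "distinct": distinct,
        "entropy_bits": round(entropy_bits(values), 2),
        "max_possible_bits": round(math.log2(n), 2),
        "constant_step": constant_step(values),
        "verdict": "POOR" if predictable else "GOOD",
    }

def assess(samples):
    """Assess source-port and TXID randomness separately, as porttest and txidtest do."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    return {"port": assess_field(ports), "txid": assess_field(txids)}

if __name__ == "__main__":
    for name, samples in (("old", OLD_RESOLVER), ("patched", PATCHED_RESOLVER)):
        print(name, assess(samples))
```

A dozen samples only gives a lower bound on entropy (at most log2(12) bits), which is why the real tools look at many more queries before reporting.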
CERT and numerous vendors are making a major announcement today regarding a DNS protocol vulnerability that may enable cache poisoning of recursive resolvers. From the CERT page:
Recent additional research into [DNS defects and deficiencies] and methods of combining them to conduct improved cache poisoning attacks have yielded extremely effective exploitation techniques.
Within a day of ICANN's gTLD announcement, ZDNet reports that a Turkish hacking group has hijacked domain names belonging to IANA and ICANN. Interestingly, only their "alternative" names were hijacked. For example, ICANN.COM and ICANN.NET were, but ICANN.ORG was not. Similarly, IANA.COM was, but IANA.ORG was not.