Re: DNS Guess 2 for the day

["piggly wiggly" <pigglydwiggly () gmail com>]

> From http://wari.mckay.com/~rm/dns_theroy.txt :


So I have a theory on what it is that Dan Kaminsky may have discovered
that is broken with DNS (it was already _so_ broken, what else could be
wrong?!)

Basically it has to do with ICMP packets (spoofed ICMP unreachables sent
in response to DNS packets the attacker can't see, but can guess - thanks
to non-random port selection).

The biggest problem with spoofing DNS at the moment is that you need
to silence the real nameservers in order to get your fake replies in.

For an ICMP response to be valid, it must contain the IP header of the
packet it is a reponse too, but it also must contain 64bits of the data
payload. The reason for requiring 64bits of the payload is to prevent
people from spoofing ICMP replies to packets they have not received. In
the case of a DNS packet, that payload is the first 64 bits of the UDP
header.

What is in the first 64bits of the UDP header? The source and destination
ports of the DNS servers. If these are easily predictable then you can
spoof an ICMP unreachable response to a dns query or reply without
actually receiving it.

If you can spoof ICMP; You can prevent the recursor from communicating
with the real nameserver. This will make it very very easy to spoof DNS as
it removes the biggest hurdle; that of silencing the real nameservers. It
only takes about 2min on a 10mbit/s connection to run through all 65536
possible sequence numbers so if you can prevent the recursor from talking
to the real nameservers it really is easy as pie.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave