An Illustrated Guide to the Kaminsky DNS VulnerabilityAugust 10, 2008 – 7:40 AM
The big security news of Summer 2008 has been Dan Kaminsky’s discovery of a serious vulnerability in DNS. This vulnerability could allow an attacker to redirect network clients to alternate servers of his own choosing, presumably for ill ends.
This all led to a mad dash to patch DNS servers worldwide, and though there have been many writeups of just how the vulnerability manifests itself, we felt the need for one in far more detail. Hence, one of our Illustrated Guides.
This paper covers how DNS works: first at a high level, then by picking apart an individual packet exchange field by field. Next, we’ll use this knowledge to see how weaknesses in common implementations can lead to cache poisoning. By fully understanding the issues at play, the reader may be better equipped to mitigate the risks in his or her own environment. We hope everybody who runs a DNS server patches soon.