A number of years ago I did some simulations and measurements to show how different DNS resolvers distribute their queries to a set of authoritative servers (see PAM 2004 paper and NANOG29 presentation). At that time I tested BIND, Windows, DJBDNS, and CNS. Recently someone asked if I know the behavior for PowerDNS.

While working on the TLDmon plugins a couple of weeks ago, I noticed that a certain query to b.iana-servers.net was consistenly failing:

$ dig +bufsiz=2048 @b.iana-servers.net XN--9T4B11YI5A RRSIG

; >> DiG 9.3.5-P2 >> +bufsiz=2048 @b.iana-servers.n

In his Who Protects The Internet? article, Matt Rutherford mentions something near and dear to us as an example of hackers, er, citizens protecting the Internet:

Just look at Dan Kaminsky, a computer consultant who discovered a fundamental flaw in DNS, allowing him control over any website online. This flaw was astounding in what it gave access to – yet Dan Kaminsky didn’t turn to a government agency or organization, or abuse the hack himself.

On October 9, 2008, the U.S. National Telecommunications and Information Administration solicited public comments on the deployment of DNSSEC. Yesterday was the deadline for submission and today all of the comments have been published. Looks like slightly over 53 comments (of varying coherence) were received.

Eric Osterweil gave an interesting talk at the NANOG44 DNSSEC BOF. His data (shown below) from SecSpider indicates a significant increase in signed zones right around the time that CERT VU #800113 was released:

Last week David Conrad of ICANN asked if I could make DSC show the EDNS buffer sizes advertized by clients. This is now available in DSC versions dated after 2008-08-22.

Date: Mon, 4 Aug 2008 18:22:46 -0400 From: Robert Edmonds To: dns-operations Subject: [dns-operations] release of ISC SIE cache poisoning attempt detection tool hi, ISC SIE has developed a tool for detecting cache poisoning attempts. it consists of two parts: ncaptool, the part which performs packet gathering, reassembly, and dns filtering; and mod_urstate, a message processing module which attempts to statefully detect unsolicited responses that may be indicative of cache poisoning attempts.

This page provides information relating to CERT VU #800113. Please write to Admin if you have corrections or additions.

Timeline of Events

?, 2008

Dan Kaminsky stumbles upon a serious problem in the DNS protocol that makes poisoning easier than most everyone previously thought.

March 31, 2008

DNS Summit at Microsoft's offices to discuss the problem and solutions.

2023-06-01: This service has been deprecated in favor of Check My DNS.

A number of people have been asking for a way to check transaction ID randomness, in addition to source port randomness. OARC's porttest tool has now been expanded to also report on transaction IDs. To use it, issue a TXT query for the name txidtest.dns-oarc.net. For example, with dig:

CERT and numerous vendors are making a major announcement today regarding a DNS protocol vulnerability that may enable cache poisoning of recursive resolvers. From the CERT page:

Recent additional research into [DNS defects and deficiencies] and methods of combining them to conduct improved cache poisoning attacks have yielded extremely effective exploitation techniques.