Timeline of Events
- ?, 2008
Dan Kaminsky discovers a serious weakness in the DNS protocol that makes cache poisoning far easier than was generally believed: by asking a resolver for many non-existent names under a target domain, an attacker gets an unlimited number of attempts at the forgery race, and each forged response can carry additional records that redirect the whole domain.
- March 31, 2008
DNS Summit at Microsoft's offices to discuss the problem and solutions.
- July 8, 2008
CERT VU#800113 is published in conjunction with coordinated patches and updates from nearly all DNS vendors; the fix is to randomize the UDP source port of outgoing queries in addition to the 16-bit transaction ID. Attack details are to be withheld until August 6th.
- July 9, 2008
Kaminsky gives details to skeptical security colleagues in confidence.
- July 21, 2008
A security researcher publicly speculates about the flaw on his blog and more or less gets it right. The speculation is confirmed when Matasano publishes a blog post that had been prepared in advance and then retracts it. At this point the flaw is effectively public.
- July 23, 2008
Working exploit code (a Metasploit module) is released.
- July 24, 2008
A second Metasploit module is released, along with a Python implementation.
- July 30, 2008
PCWorld reports that an AT&T nameserver has been poisoned; the attack ends up affecting the author who published the first exploit code.
- August 7, 2008
Dan Kaminsky gives his talk (PowerPoint file) at the Black Hat conference.
Tools for Testing and Monitoring
- porttest.dns-oarc.net
OARC's own porttest tool is a DNS server that reports whether the queries arriving from your resolver appear to come from random source ports. Query it with command-line tools such as dig and nslookup.
- txidtest.dns-oarc.net
Very similar to porttest, except that this one reports on transaction IDs. Most DNS resolver implementations were already using random transaction IDs well before this vulnerability was announced, but this service lets you double-check.
- OARC's Web-based entropy test
Similar to porttest and txidtest, except that this test provides more information and is run from your web browser rather than from command-line tools. Another benefit of the web-based test is that it draws scatter plots of the observed ports and IDs, so you can see the distribution rather than just a score.
- DNS Checker at doxpara.com
Dan's DNS checker also reports on source ports and transaction IDs, although it uses fewer queries than OARC's test and requires JavaScript.
- Niels Provos home page
When you visit Niels' page, an image at the top tells you whether your DNS resolver is using random source ports.
- ONZRA's CacheAudit
CacheAudit is a BSD-licensed tool that lets recursive resolver operators detect cache poisoning events by inspecting cache dumps from their DNS servers.
- ISC's SIE cache poisoning attempt detection tool
ISC SIE has developed a tool for detecting cache poisoning attempts. It consists of two parts: ncaptool, which performs packet capture, reassembly and DNS filtering; and mod_urstate, a message processing module that statefully matches responses against outstanding queries and flags unsolicited responses, which may indicate a cache poisoning attempt.
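To make concrete what the tools above measure and detect, here is an added example (my own code, not DNS-OARC's, ISC's or Kaminsky's): it builds minimal DNS query and response packets, rates a sample of source ports or transaction IDs in the spirit of porttest and txidtest, and tracks outstanding queries so that responses matching none of them are flagged, which is the core idea behind mod_urstate. The rating thresholds, the sample values and the names (example.com, a7f3c9.example.com) are constructed for illustration and are not OARC's or ISC's.

```python
"""Added example (not DNS-OARC's, ISC's or Kaminsky's code): what the port/TXID
randomness tests measure, and the outstanding-query tracking behind a mod_urstate-
style unsolicited-response detector, exercised on constructed packets."""
import math
import random
import statistics
import struct
from collections import Counter


def encode_name(qname: str) -> bytes:
    """Encode "www.example.com" as DNS labels, no compression."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build(txid: int, qname: str, response: bool = False) -> bytes:
    """Minimal A/IN packet: 12-byte header, one question, no other sections.
    Queries carry RD (0x0100); responses carry QR+RD+RA (0x8180)."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def parse(pkt: bytes):
    """Return (txid, is_response, qname). Handles plain labels only, which is all a
    question starting at offset 12 can contain (no compression pointers)."""
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, i = [], 12
    while pkt[i]:
        n = pkt[i]
        labels.append(pkt[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return txid, bool(flags & 0x8000), ".".join(labels).lower()


def rate_randomness(values):
    """Rate a sample of 16-bit values (UDP source ports or TXIDs) the way porttest and
    txidtest do conceptually: penalise repeats, counters and narrow ranges, and estimate
    effective bits from sigma (uniform over 2**b values gives sigma = 2**b / sqrt(12)).
    The thresholds are this example's own assumptions, not OARC's."""
    n = len(values)
    if n < 2:
        raise ValueError("need at least two samples")
    distinct = len(set(values))
    spread = max(values) - min(values)
    # share of consecutive samples that step up by 1 or 2, i.e. look like a counter
    sequential = sum(1 for a, b in zip(values, values[1:]) if 0 < b - a <= 2) / (n - 1)
    sigma = statistics.pstdev(values)
    bits = round(math.log2(sigma * math.sqrt(12)), 1) if sigma > 0 else 0.0
    if sequential > 0.5 or distinct < n // 2:
        return "POOR", bits
    if spread < 1 << 12:  # the resolver never leaves a ~4096-value window
        return "FAIR", bits
    return "GOOD", bits


class UnsolicitedResponseDetector:
    """Remember outstanding queries; a response that matches no outstanding (txid, qname)
    is unsolicited, and a burst of them for one name is what a TXID-guessing race looks
    like. A production tool also keys on addresses and ports; this keeps the core idea."""

    def __init__(self, alert_threshold: int = 10):
        self.outstanding = set()
        self.unsolicited = Counter()
        self.alert_threshold = alert_threshold

    def observe(self, pkt: bytes):
        """Feed one packet; return the qname if it is an unsolicited response, else None."""
        txid, is_response, qname = parse(pkt)
        key = (txid, qname)
        if not is_response:
            self.outstanding.add(key)
            return None
        if key in self.outstanding:
            self.outstanding.discard(key)
            return None
        self.unsolicited[qname] += 1
        return qname

    def alerts(self):
        return {q: c for q, c in self.unsolicited.items() if c >= self.alert_threshold}


def demo():
    """Run both checks on constructed data and return the results."""
    rng = random.Random(2008)  # constructed samples, seeded so the run is repeatable
    random_ports = [rng.randint(1024, 65535) for _ in range(200)]  # patched resolver
    det = UnsolicitedResponseDetector()
    for name, txid in (("www.example.com", 0x5A21), ("mail.example.com", 0x0C7E)):
        det.observe(build(txid, name))                  # legitimate query ...
        det.observe(build(txid, name, response=True))   # ... and its matching answer
    # Kaminsky-style race: the resolver asks for a name the attacker chose, and the
    # attacker floods guessed TXIDs hoping one lands before the real answer does.
    victim = "a7f3c9.example.com"
    det.observe(build(0x1234, victim))
    for guess in range(50):                              # guesses 0..49, none is 0x1234
        det.observe(build(guess, victim, response=True))
    return {
        "random_ports": rate_randomness(random_ports),
        "sequential_ports": rate_randomness(list(range(1024, 1224))),  # pre-patch
        "fixed_port": rate_randomness([53] * 50),
        "alerts": det.alerts(),
    }
```

Against the real services the check is simply a TXT query through the resolver under test, e.g. `dig +short porttest.dns-oarc.net TXT` (and the same for txidtest.dns-oarc.net); the response reports how many distinct ports were seen and their standard deviation, which is the figure the bits estimate above is derived from. Note that the detector deliberately does not distinguish a late legitimate answer from a forgery: a single unsolicited response is noise, and only a burst for one name is worth an alert.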
Data, Documentation, Papers, and Presentations
- Dan's Blackhat talk
Straight from the horse's mouth.
- Sid's DNS Ephemeral Port Measurement
Sid Faber generates data showing patch levels, derived from SIE data.
- Report from CERT.at
CERT.at reports on patch rates based on the queries they see at the .at authoritative nameservers.
- Kaminsky Viz
A flashy visualization of patch adoption built from Dan's data.
- Steve Friedl's Illustrated Guide to the Kaminsky DNS Vulnerability
A very nice explanation of how DNS works and of the poisoning vulnerability.