This page provides information relating to CERT VU #800113. Please write to Admin if you have corrections or additions.

Timeline of Events

?, 2008

Dan Kaminsky stumbles upon a serious problem in the DNS protocol that makes poisoning easier than most everyone previously thought.

March 31, 2008

DNS Summit at Microsoft's offices to discuss the problem and solutions.

July 8, 2008

CERT VU #800113 published in conjunction with patches/updates from almost all DNS vendors. Attack details are to be kept secret until August 6th.

July 9, 2008

Kaminsky gives details to skeptical security colleages in confidence.

July 21, 2008

A so-called security expert publicly speculates about the flaw on his blog and more-or-less gets it right. The speculation is confirmed when Matasano publishes a blog-post-in-waiting, which is later retracted. At this point the flaw is effectively leaked.

July 23, 2008

Working exploit code is released.

July 24, 2008

Another metasploit script is released, as well as a python implementation.

July 30, 2008

PCWorld reports that an AT&T nameserver is poisoned, which ends up affecting the author who published the first exploit code.

August 7,2008

Dan Kaminsky gives his talk (ppt file) at the Blackhat conference.

Tools for Testing and Monitoring

OARC's own porttest tool is a DNS server that will tell you if the queries coming from your resolver appear to be random. Use it with command-line tools like dig and nslookup.

Very similar to porttest, except that this one reports on transaction IDs. Most DNS resolver implementations were already using random transaction IDs well before this vulnerability came out, but now you can double-check it with this service.

OARC's Web-based entropy test

Similar to porttest and txidtest, except that the test provides more information and is done with your web browser, rather than command line tools. Another benefit to the web-based test is that you can see scatter plots of the received ports and IDs to visualize the data.

DNS Checker at

Dan's DNS checker also reports on source ports and transaction IDs, although it uses fewer queries than OARC's, and requires javascript.

Niels Provos home page

When you visit Neils' page, an image at the top will tell you if your DNS resolver is using random ports or not.

ONZRA's CacheAudit

CacheAudit is a BSD-licensed tool that allows recursive providers to detect cache poisoning events using cache dumps from their DNS servers.

ISC's SIE cache poisoning attempt detection tool

ISC SIE has developed a tool for detecting cache poisoning attempts. It consists of two parts: ncaptool, the part which performs packet gathering, reassembly, and dns filtering; and mod_urstate, a message processing module which attempts to statefully detect unsolicited responses that may be indicative of cache poisoning attempts.

Data, Documentation, Papers, and Presentations

Dan's Blackhat talk

Straight from the horse's mouth.

Sid's DNS Ephemeral Port Measurement

Sid Faber is generates data showing levels of patching from SIE data.

Report from reports on patch rates based on the queries they see at the .at authoritative nameservers.

Kaminsky Viz

A flashy visualization of patch adoption from Dan's data.

Steve Friedl's Illustrated Guide to the Kaminsky DNS Vulnerability

A very nice explanation of how DNS works and of the poisoning vulnerability.