Niels Provos

Over the last few days, we have heard a lot about DNS cache poisoning and how we need to get our recursive resolvers to use random source ports. We are being told that this is a flaw in the protocol, but no details are going to be available until a presentation at Blackhat in August. DNS cache poisoning of course has been around for a long time, most notably when the 16-bit query IDs were not randomized. Here are some good references:

• DNS Cache Poisoning – The Next Generation - Joe Stewart elaborating on observations from Vagner Sacramento in 2002: Bind would issue multiple request with the same query to the same IP; increasing the chance of spoofed DNS packets to guess the right query ID.
• Bind 9 DNS Cache Poisoning by Amit Klein in 2007 requires just 10 guesses to predict the query ID.
• Strange Attractors and TCP/IP Sequence Number Analysis Michal Zalewski in 2001 looked at predicting the 32-bit TCP sequence number across multiple operating systems; a very similar problem to predicting 16-bit source port and 16-bit query ID.

Oarc in the meantime has made a port testing server available. A simple invocation of dig tells you if your recursive resolver is vulnerable:

dig +short porttest.dns-oarc.net TXT

The TXT record assesses a resolver's source port randomness as poor, fair or good. Unfortunately, on my network, I found this record constantly cached from other resolvers, so I wrote a small Python tool that analyzes the randomness of both your source port numbers as a well as your query IDs. The tool can be downloaded from:

• http://www.monkey.org/~provos/dnspredict.py

Its usage is pretty simple: