Cатсн²² (in)sесuяitу / ChrisJohnRiley

Well looks like late last night (at least European time) details about Dan Kaminsky’s recently disclosed DNS attack were made public. So the cat is out of the bag…. if there ever was a bag to begin with.

The confusion seems to be a post on the ADD / XOR / ROL blog. In response the Matasano blog posted more information that seemingly was not meant to be public just yet. All parties seem to be taking it well, which of course makes some conspiracy nuts think that maybe this was the plan all along, or that just maybe some key elements of the attack were left out to move things along a little faster for the slow adopters. Personally I can see the validity of the attack vector and logically I can see no flaw in the thinking. It’s not new, but it is a good way to avoid the restrictions put in place from previous such attacks (i.e. the DNS Transaction ID and the filter to ignore unrequested DNS answers). More information can be seem on the blogs linked above, and on Wesley McGrew’s blog.

Some comments have also been made about the use of OpenDNS as an alternative fix. I’m no expert on this, as I’ve never used the service. However from all accounts it appears that OpenDNS doesn’t return NXDOMAIN answers for non-existant domains. If this is the case I can see problems with users just changing over to avoid the new DNS vulnerability. I can also see some issues with this from a security standpoint. After all there is no race condition if OpenDNS isn’t replying that a domain is invalid. A crafty attacker could use this to force browsers to a malware site for all instances where the user mis-types a domain. This is just speculation, but is however an interesting theory.

Now get patching….