PowerDNS is the third most popular DNS server on the Internet today. This paper shows that PowerDNS Recursor DNS queries are predictable, i.e. that the source UDP port and DNS transaction ID can be effectively predicted. A predictability algorithm is described that, in optimal conditions, provides a single guess for the “next” query, thereby overcoming whatever protection is offered by the transaction ID and the UDP port randomization mechanisms. This enables an effective DNS cache poisoning attack against PowerDNS Recursor. The net effect is that pharming attacks are feasible against PowerDNS Recursor caching DNS servers, without the need to directly attack either DNS servers or clients (PCs).
Amit Klein
February-March 2008



