Published on Trusteer (http://www.trusteer.com)

Home > Printer-friendly

BIND 9 DNS Cache Poisoning

By mickey
Created 10/12/2009 - 18:55

The paper shows that BIND 9 DNS queries are predictable – i.e. that the source UDP port and DNS transaction ID can be effectively predicted. A predictability algorithm is described that, in optimal conditions, provides very few guesses for the "next" query (10 in the basic attack, and 1 in the advanced attack), thereby overcoming whatever protection offered by the transaction ID mechanism. This enables a much more effective DNS cache poisoning than the currently known attacks against BIND 9. The net effect is that pharming attacks are feasible against BIND 9 caching DNS servers, without the need to directly attack neither DNS servers nor clients (PCs). The results are applicable to all BIND 9 releases [1], when BIND (the named daemon) is in caching DNS server configuration.

Amit Klein
March-June 2007
In memory of Anat Marom (Markowitz), 1971-2007

Download paper [1]

Read More Link: 
Read more
Copyright ©2009 Trusteer. All Rights Reserved.

The banks that use our services:

Source URL: http://www.trusteer.com/list-context/publications/bind-9-dns-cache-poisoning

Links:
[1] http://www.trusteer.com/sites/default/files/BIND_9_DNS_Cache_Poisoning.pdf