DNS Cache Poisoning Issue ("Kaminsky bug")
Thanks to recent work by Dan Kaminsky of IOActive, ISC has become aware of a potential attack exploiting weaknesses in the DNS protocol itself. (Full details of the vulnerability will be explained by Kaminsky at the Black Hat conference on August 7th.) The weakness is inherent to the DNS protocol and not specific to any single implementation. The DNS protocol uses the Query ID field to match incoming responses to previously sent queries. The Query ID field is only 16 bits, which makes it an easy target to exploit in the particular spoofing scenario described by Kaminsky.
IF YOU ARE RUNNING BIND AS A CACHING RESOLVER YOU NEED TO TAKE ACTION.
DNSSEC is the only definitive solution for this issue. Understanding that immediate DNSSEC deployment is not a realistic expectation, ISC is releasing patched versions of BIND that improve its resilience against this attack. The method used makes it harder to spoof answers to a resolver by expanding the range of UDP ports from which queries are sent, thereby increasing the variability of parameters in outgoing queries.
YOU ARE ADVISED TO INSTALL EITHER THE MOST CURRENT SECURITY PATCHES, STAYING WITHIN YOUR MAJOR VERSION (currently 9.5.0-P2, 9.5.0-P2-W1, 9.4.2, 9.4.2-P2-W1, 9.3.5-P2, or 9.3.5-P2-W1 ) OR ELSE THE LATEST BETA RELEASES (9.5.1b1, 9.4.3b2) IMMEDIATELY.
The patches will have a noticeable impact on the performance of BIND caching resolvers with query rates at or above 10,000 queries per second. The beta releases include optimized code that will reduce the impact in performance to non-significant levels.
DNS administrators who operate these servers behind port-restricted firewalls are encouraged to review their firewall policies to allow this protocol-compliant behavior. Restricting the possible use of various UDP ports, for instance at the firewalls, in outgoing queries and the corresponding replies will result in decreased security for the DNS service.
Again, DNSSEC is the definitive solution to this type of attack. ISC strongly encourages DNS administrators to deploy DNSSEC as soon as possible to fully address this problem. DNS domain owners that want their data to be protected against spoofing to the end-user must sign their zones. ISP and Enterprise DNS administrators who provide caching recursive name servers to their users should enable DNSSEC validation.
DNSSEC Lookaside Validation (DLV), offered by ISC and others, is another DNSSEC deployment option.
Additional Assistance available from ISC:
BIND 9 software support: https://isc.org/services/support
Managed caching resolvers: Through September 30, 2008, ISC support customers have the option of forwarding their recursive servers' queries to caching resolvers deployed on ISC's SNS production network while the required software upgrades are performed on their own networks. For additional information on this option, please open a ticket in your support queue with the subject line including "forwarder service."
ISC DLV: https://isc.org/solutions/dlv
Also see ISC's page DNSSEC and BIND
- BIND 10
- Other Software Projects
- security advisories
- software forums
- ABOUT ISC