Understanding Kaminsky exploit w/bind

Jamie Ostrowski jamie.ostrowski at gmail.com
Mon Apr 15 02:30:41 UTC 2013


 Hello,

 I hope this isn't too off-topic, but I've been studying the Kaminsky DNS
exploit and I have a question.

 According to what I've read on the topic, the Kaminsky exploit hijacks a
whole domain, and you can launch the attack on a nameserver over and
over. It seems to imply you can do this immediately, before waiting for any
TTLs to expire, by using a series of random name queries; however, I don't
see how that is possible, and I wonder if anyone can explain this.

 I fired up a recursive nameserver running bind 9.4. In another window I
started running a tcpdump session listening for traffic on port 53.

  If I perform a query on one of my domains for the first time, for
nonexistent-host.mydomain.com, I can see my nameserver querying the roots,
getting a referral to the authoritative nameserver for mydomain.com, and then
the query going out to that authoritative nameserver.

 That makes sense.

  However, if I then fire off another query, for
nonexistent-host2.mydomain.com, I do not see another query going out to
find the authoritative nameserver for mydomain.com, because it is cached in my
recursive resolver.

  This also makes sense.

  But then, how is it that an attacker, after sending his first query for a
non-existent host, if he isn't able to guess the transaction ID to spoof
a response before the real response comes in, gets another chance? Won't the
resolver then have the cached NS records for mydomain.com stored with a TTL?

  I don't see how you can then launch successive queries for other
non-existent hosts until the cached TTL expires for the domain's nameserver.

  If anyone can shed any light, I'd appreciate it. I've read several
articles on this topic and it's a piece of the puzzle I've been stumped on.

   Thanks!

   - Jamie
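A toy model of the race the post is asking about, added here as an illustration; it is not part of the original message and not BIND's cache code. Two points it makes concrete: a query for a never-seen random name always leaves the resolver, because the cached NS records only decide where the query is sent and cannot answer it; and the forged reply to that query carries NS and glue records for the zone in its authority/additional sections, which a pre-fix resolver accepts because they are in bailiwick, replacing the cached delegation regardless of the TTL it still has. The NS name ns1.mydomain.com, all addresses, the sampled transaction IDs and the cache structure are constructed assumptions; TTL countdown and the credibility ranking modern resolvers apply to cached data are left out. The `randomize_port` switch models the 2008 source-port randomization mitigation.

```python
"""Toy model of the Kaminsky cache-poisoning race against a recursive resolver.

Added illustration only: not the post's code and not BIND's cache logic.
Names, addresses (documentation ranges) and the cache model are constructed.
The model deliberately keeps pre-fix behaviour: an accepted response's
authority/additional records overwrite in-bailiwick cache entries, whatever
TTL those entries still have.
"""
import random
from typing import Dict, List, Optional, Tuple

ZONE = "mydomain.com."          # zone used in the post
LEGIT_NS = "ns1.mydomain.com."  # assumed name of the zone's authoritative server
LEGIT_NS_IP = "192.0.2.1"       # constructed
EVIL_IP = "198.51.100.66"       # constructed attacker address
FIXED_PORT = 53                 # pre-fix resolvers used a predictable source port

Record = Tuple[str, str, str, int]   # (owner, type, rdata, ttl)
Token = Tuple[int, int]              # (transaction id, source port) a reply must match


def in_bailiwick(owner: str, zone: str) -> bool:
    """Bailiwick rule: only records at or below the queried zone are cached."""
    return owner == zone or owner.endswith("." + zone)


class ToyResolver:
    def __init__(self, rng: random.Random, randomize_port: bool) -> None:
        self.rng = rng
        self.randomize_port = randomize_port
        self.cache: Dict[Tuple[str, str], Tuple[str, int]] = {}
        self.outgoing: List[Tuple[str, Token, str]] = []   # what tcpdump would show
        # Delegation already learned from the roots/TLD, as after the post's first query.
        self.cache[(ZONE, "NS")] = (LEGIT_NS, 86400)
        self.cache[(LEGIT_NS, "A")] = (LEGIT_NS_IP, 86400)

    def send_query(self, qname: str) -> Optional[Token]:
        """A name not in cache always produces an outgoing query; the cached NS
        records only decide where it goes. Returns the token the reply must carry."""
        if (qname, "A") in self.cache:
            return None
        ns_name, _ = self.cache[(ZONE, "NS")]
        ns_ip, _ = self.cache[(ns_name, "A")]
        port = self.rng.randrange(1024, 65536) if self.randomize_port else FIXED_PORT
        token = (self.rng.randrange(65536), port)
        self.outgoing.append((qname, token, ns_ip))
        return token

    def receive(self, expected: Token, got: Token, records: List[Record]) -> bool:
        """Accept a reply if id and port match, then cache in-bailiwick records,
        replacing whatever is there (the pre-fix weakness being modelled)."""
        if got != expected:
            return False
        for owner, rtype, rdata, ttl in records:
            if in_bailiwick(owner, ZONE):
                self.cache[(owner, rtype)] = (rdata, ttl)
        return True


def forged_response(qname: str) -> List[Record]:
    """What the attacker sends for each random name: any answer for the name
    itself, plus authority/glue that repoint the whole zone at the attacker."""
    return [
        (qname, "A", "203.0.113.9", 60),
        (ZONE, "NS", LEGIT_NS, 86400),
        (LEGIT_NS, "A", EVIL_IP, 86400),               # in bailiwick: replaces real glue
        ("www.victim.example.", "A", EVIL_IP, 86400),  # out of bailiwick: dropped
    ]


def make_resolver(seed: int, randomize_port: bool = False) -> ToyResolver:
    return ToyResolver(random.Random(seed), randomize_port)


def ns_ip(resolver: ToyResolver) -> str:
    """Where the resolver currently believes the zone's nameserver lives."""
    return resolver.cache[(LEGIT_NS, "A")][0]


def kaminsky_attack(resolver: ToyResolver, attacker_seed: int,
                    guesses_per_query: int, rounds: int) -> Optional[int]:
    """Each round: trigger a lookup of a fresh random name (never cached, so a
    query always leaves), then flood guessed replies. Assumes the guesses arrive
    before the real NXDOMAIN. Returns the round that poisoned the cache, or None."""
    rng = random.Random(attacker_seed)
    for i in range(1, rounds + 1):
        qname = f"r{i}-{rng.randrange(10**9)}.{ZONE}"
        expected = resolver.send_query(qname)
        assert expected is not None          # cached NS records never suppress this
        records = forged_response(qname)
        for txid in rng.sample(range(65536), guesses_per_query):
            # A fixed source port is observable by the attacker; a random one must be guessed.
            port = rng.randrange(1024, 65536) if resolver.randomize_port else FIXED_PORT
            if resolver.receive(expected, (txid, port), records):
                return i
        # The real NXDOMAIN won this round; the zone's delegation is untouched, try again.
    return None


if __name__ == "__main__":
    r = make_resolver(1)
    print("fixed port: poisoned in round", kaminsky_attack(r, 2, 200, 2000), "->", ns_ip(r))
    r = make_resolver(1, randomize_port=True)
    print("random port: poisoned in round", kaminsky_attack(r, 2, 200, 2000), "->", ns_ip(r))
```

Each failed round costs the attacker nothing but one burned random name, which is why no TTL has to expire between attempts; once a forged reply is accepted, every later lookup under the zone is sent to the attacker's address even though the original glue had most of its TTL left.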