My Take on the Kaminsky DNS Flaw Wed, 23 Jul 2008 11:10:21 -0400 EST

Okay, so everyone has by now heard about the Kaminsky DNS flaw that has been the buzz of the network security world for the past couple of weeks. Keep in mind that I have only read preliminary data and hearsay from comment posts by other people who 'say' they have privileged access to the details.


NOTICE: As of yet I have not read any specific details about the Kaminsky DNS flaw, so this is all speculation and might change completely once details arise.


So the main patch appears to be to randomize the source port that the DNS resolver uses when it looks up a domain against another DNS server. I will not go into the details of how the exploit works, but to my knowledge this is the patch. There is supposedly a fundamental DNS flaw here; I don't see how, as I have written DNS servers from scratch and mine is not vulnerable. (Sorry, not for public release, and no, it's not djbdns, though I do use that DNS server and yes, it is awesome.)

So here is a question I have about a possible _REAL_ fix to this. When the resolver does the lookup and receives its response, why does the DNS server not compare each answer (which references the question it answers) against the question initially asked? The outstanding question can be stored on the DNS server for exactly this comparison. I understand that CNAME records might exist, but obviously those can be compared too: is the answer of type CNAME? If so, then use the target of the CNAME and compare that against the rest of the answer, instead of just copying the entire answer into the cache. Copying blindly just doesn't seem right in my opinion.
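The check proposed above, as an added example that is not code from the original post or from any real resolver: the response is assumed to be already parsed into plain Python dicts (the wire-format parsing is out of scope here), the zone the queried server is expected to serve is passed in as `zone`, and the sample query and response are constructed for the demo. The answer section is accepted only where its records are reachable from the question name through a CNAME chain, and records in the authority and additional sections are accepted only when they sit inside that zone (the "bailiwick" check). One caveat the original idea does not cover is handled as well: if a CNAME chain leaves the zone, the chained records are not cached from this response, since the queried server is not authoritative for them.

```python
"""Resolver-side answer validation (added example, hypothetical helper names).

Models a parsed DNS response as dicts of the form
{"name": ..., "type": ..., "data": ...} and decides which records a
resolver may cache from it.
"""

from dataclasses import dataclass, field


def _norm(name: str) -> str:
    """Canonical form for DNS names: lowercase with a single trailing dot."""
    return name.rstrip(".").lower() + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone apex or a subdomain of the zone."""
    n, z = _norm(name), _norm(zone)
    return n == z or n.endswith("." + z)


@dataclass
class Query:
    txid: int
    qname: str
    qtype: str
    zone: str  # zone the queried server is expected to be authoritative for


@dataclass
class Response:
    txid: int
    qname: str
    qtype: str
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def validate_response(query: Query, resp: Response):
    """Return (accepted, rejected); rejected holds (rr, reason) pairs.

    Raises ValueError when the response does not match the outstanding
    question at all, in which case nothing from it may be cached.
    """
    if resp.txid != query.txid:
        raise ValueError("transaction id mismatch")
    if _norm(resp.qname) != _norm(query.qname) or resp.qtype.upper() != query.qtype.upper():
        raise ValueError("question section does not match the query")

    accepted, rejected = [], []
    # Owner names whose records actually answer the question: the question
    # name itself plus every CNAME target reached from it, in order.
    allowed = {_norm(query.qname)}
    for rr in resp.answer:
        owner = _norm(rr["name"])
        if owner not in allowed:
            rejected.append((rr, "answer owner not reachable from the question"))
            continue
        if rr["type"].upper() == "CNAME":
            allowed.add(_norm(rr["data"]))
        if in_bailiwick(owner, query.zone):
            accepted.append(rr)
        else:
            rejected.append((rr, "CNAME chain left the zone; resolve the target separately"))
    # Authority/additional records are only trusted inside the queried zone.
    for section in (resp.authority, resp.additional):
        for rr in section:
            if in_bailiwick(rr["name"], query.zone):
                accepted.append(rr)
            else:
                rejected.append((rr, "record outside the queried zone (bailiwick)"))
    return accepted, rejected


def build_sample():
    """Constructed query/response pair for the demo (not captured traffic)."""
    query = Query(txid=0x1A2B, qname="www.example.com", qtype="A", zone="example.com")
    resp = Response(
        txid=0x1A2B, qname="WWW.example.com.", qtype="A",
        answer=[
            {"name": "www.example.com", "type": "CNAME", "data": "web.example.com"},
            {"name": "web.example.com", "type": "A", "data": "192.0.2.10"},
            {"name": "mail.example.com", "type": "A", "data": "192.0.2.99"},  # not in chain
        ],
        authority=[{"name": "example.com", "type": "NS", "data": "ns1.example.com"}],
        additional=[
            {"name": "ns1.example.com", "type": "A", "data": "192.0.2.53"},   # glue, in zone
            {"name": "www.example.org", "type": "A", "data": "198.51.100.7"},  # out of zone
        ],
    )
    return query, resp


def demo():
    query, resp = build_sample()
    return validate_response(query, resp)


if __name__ == "__main__":
    accepted, rejected = demo()
    for rr in accepted:
        print("cache  :", rr)
    for rr, why in rejected:
        print("discard:", rr, "->", why)
```

Running the demo caches the CNAME, the chained A record, the NS record and its in-zone glue, and discards the unrelated `mail.example.com` answer and the `example.org` additional record. The transaction-id and question-section comparison is the part that source-port randomization strengthens; the chain and bailiwick checks are what stop unrelated records from riding into the cache on a matching reply.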

So again, this idea of a fix might be flawed or not, but that will be determined later. With any hope there will be more information released today to shed some light on this. As a hosting provider and hacker I am extremely interested in what this has in store.
