Knowledge Base ISC Main Website Ask a Question/Contact ISC
CVE-2008-1447: DNS Cache Poisoning Issue ("Kaminsky bug")
Author: Cathy Almond Reference Number: AA-00924 Views: 2681 Created: 2013-05-23 16:49 Last Updated: 2013-05-23 16:49 0 Rating/ Voters
A weakness in the DNS protocol may enable the poisoning of caching recurive resolvers with spoofed data. DNSSEC is the only full solution. New versions of BIND provide increased resilience to the attack.

Posting date: 
08 Jul 2008
Program Impacted: 
BIND
Versions affected: 
8 (all versions) 9.0 (all versions) 9.1 (all versions) 9.2 (all versions) 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4 9.4.0, 9.4.1, 9.4.2 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, 9.5.0a5, 9.5.0a6, 9.5.0a7, 9.5.0b1
Severity:
High
Exploitable: 
Remotely

Description:

Thanks to recent work by Dan Kaminsky of IOActive, ISC has become aware of a potential attack exploiting weaknesses in the DNS protocol itself. (Full details of the vulnerability will be explained by Kaminsky at the Black Hat conference on August 7th.) The weakness is inherent to the DNS protocol and not specific to any single implementation. The DNS protocol uses the Query ID field to match incoming responses to previously sent queries. The Query ID field is only 16 bits, which makes it an easy target to exploit in the particular spoofing scenario described by Kaminsky.

Workarounds:

None.

Active exploits:

None known at this time.

Solution: 

IF YOU ARE RUNNING BIND AS A CACHING RESOLVER YOU NEED TO TAKE ACTION.

DNSSEC is the only definitive solution for this issue. Understanding that immediate DNSSEC deployment is not a realistic expectation, ISC is releasing patched versions of BIND that improve its resilience against this attack. The method used makes it harder to spoof answers to a resolver by expanding the range of UDP ports from which queries are sent, thereby increasing the variability of parameters in outgoing queries.

YOU ARE ADVISED TO INSTALL EITHER THE MOST CURRENT SECURITY PATCHES, STAYING WITHIN YOUR MAJOR VERSION (currently 9.5.0-P2, 9.5.0-P2-W1, 9.4.2, 9.4.2-P2-W1, 9.3.5-P2, or 9.3.5-P2-W1 ) OR ELSE THE LATEST BETA RELEASES (9.5.1b1, 9.4.3b2) IMMEDIATELY.

The patches will have a noticeable impact on the performance of BIND caching resolvers with query rates at or above 10,000 queries per second. The beta releases include optimized code that will reduce the impact in performance to non-significant levels.

DNS administrators who operate these servers behind port-restricted firewalls are encouraged to review their firewall policies to allow this protocol-compliant behavior. Restricting the possible use of various UDP ports, for instance at the firewalls, in outgoing queries and the corresponding replies will result in decreased security for the DNS service.

Again, DNSSEC is the definitive solution to this type of attack. ISC strongly encourages DNS administrators to deploy DNSSEC as soon as possible to fully address this problem. DNS domain owners that want their data to be protected against spoofing to the end-user must sign their zones. ISP and Enterprise DNS administrators who provide caching recursive name servers to their users should enable DNSSEC validation.

DNSSEC Lookaside Validation (DLV), offered by ISC and others, is another DNSSEC deployment option.

Additional Assistance Available from ISC:

BIND 9 software support: https://isc.org/services/support

Managed caching resolvers: Through September 30, 2008, ISC support customers have the option of forwarding their recursive servers' queries to caching resolvers deployed on ISC's SNS production network while the required software upgrades are performed on their own networks. For additional information on this option, please open a ticket in your support queue with the subject line including "forwarder service."

ISC DLV: https://isc.org/solutions/dlv

Also see ISC's page DNSSEC and BIND

Related Documents:

See our BIND Security Matrix for a complete listing of Security Vulnerabilities and versions affected.

If you'd like more information on our Forum or product support please visit www.isc.org/support.

Do you still have questions?  Questions regarding this advisory should go to security-officer@isc.org

Note: ISC patches only currently supported versions. When possible we indicate EOL versions affected.

ISC Security Vulnerability Disclosure Policy:  Details of our current security advisory policy and practice can be found here: https://www.isc.org/security-vulnerability-disclosure-policy

This Knowledge Base article https://kb.isc.org/article/AA-00924 is the complete and official security advisory document.

Legal Disclaimer:
Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time.  A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.

© 2001-2014 Internet Systems Consortium

Feedback
  • Please help us to improve the content of our knowledge base by letting us know how we can improve this article or by submitting suggestions for other articles you'd like to see created. Information on how to obtain further help on our products or services can be found on our main website.' If you have a technical question or problem on which you'd like help, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership.
Info Submit Feedback on this Article
Nickname: Your Email: Subject: Comment:
Enter the code below:
Quick Jump Menu