The exploit is here. Metasploit has developed a module to trigger the last DNS vulnerability (announced by Dan Kaminsky two weeks ago). The DNS system translates names to numbers the Internet can use (pandasecurity.lin3sdev.com -> 88.221.26.28). This threat allows malicious people to redirect any website or domain to a system controlled by the attacker. The full vulnerability description would be described at BlackHat, however it was published (by mistake) in a very known blog. Although It was removed, nevertheless it was already accessible with Google cache or Google Reader.
The vulnerability uses two well-known issues with DNS Protocol:
- Prediction of Source Port and transaction ID: DNS uses UDP packets to send and receive queries. Most DNS servers use the same source port to connect to the same DNS server within a short period of time. This way, an attacker could predict the destination port in a very short time. Transactions ID are randomized but this randomization is not enough, and malicious people could spoof packets to send answer packets to the target DNS server before the real DNS server sends its response. The image below shows this scenario:
The attacker (trigger machine) sends DNS packets, to the target DNS, with queries for a website of a domain controlled by them (www.mytestdomain.com). The target DNS will send the queries to the DNS server controlled by the attacker, so this way they could predict the source port used by the target DNS and predict some patterns in the transaction ID. After that the attacker sends spoofed DNS packets, to the target DNS, pretending to be the DNS server, redirecting the client to the website owned by the attacker.
- Additional Resource Records: DNS servers can include additional information in their answer to avoid future questions and improve the efficiency of the process. For example, the nameservers' IP of the target domain. Combining these two issues, an attacker could control the entire traffic directed to the target domain.
We have developed a tool to verify if your DNS is vulnerable (DnsTester). It basically executes the following query, suggested by Sans Diary:
nslookup -type=txt -timeout=30 porttest.dns-oarc.net
If your DNS is vulnerable, you should inform your ISP or network
administrator about it. However a better and faster approach is to
change your DNS to OpenDNS.
There are also some websites to verify if your DNS is vulnerable (http://www.doxpara.com/ or you could follow the SANS suggestions on Sans Diary).
(Thanks to Iker Perez for the image)