This is what recursive DNS looks like these days.
It seems some people eventually break things by updating their authoritative servers, hence the Server Failure responses, and then there are these suspicious NXDOMAIN spikes. I was not yet able to pinpoint who asks what there, but those could very well be spoofing attempts coming from our clients.
Not that they had any chance of succeeding: we're running the PowerDNS recursor and have uRPF deployed on everything ingress, so no spoofing there.
So with the WIRED article it's kind of official: the cache poisoning 'bug' leaked and it's all too simple to implement.
As Dan Kaminsky told WIRED in their interview:
My grandma’s going to be in the audience (at Black Hat). My grandma’s going to understand the bug.
and I bet she really will: if my daddy can understand IP routing without ever having touched a computer in his whole life, Dan's grandma can understand DNS spoofing, no problem.
So if you've not updated already, please do that now; it's urgent!
If you don’t believe me, just listen to Sarah again. ;)
OK, so maybe my blog will get some more hits if I blog about the recent 'Massive, Coordinated Patch To the DNS Released', as /. named it.
Let me just link to this recent article by PowerDNS author Bert Hubert, in which he reminds us that this recent 'fix' for what seems to be an all-new issue is not all that new after all.
Come on, people, you knew it all the time. There is the query ID, which is at best 16 bits, and … well, did you really never wonder about that high port BIND reserved?
Alright, maybe you haven't, but it seems not all that hard to do:
Actually, the very same Dan Kaminsky who is credited with having found this latest issue half a year ago encourages us geeks to go "explore DNS". "Maybe I missed something", he writes. Well, I for one have not yet discovered what he did to get <1s to poison a DNS cache, but apparently Dan is pretty convinced that someone is going to find out before his Black Hat talk, where he wants to spill it.
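The point above about the 16-bit query ID and the high port BIND reserved, worked through as an added example (not code from this post, from PowerDNS or from Bert Hubert's article): a check to run over (source port, query ID) pairs captured from your own resolver's outbound queries to see whether it actually randomizes ports after the patch, plus the arithmetic for why a 16-bit ID alone is not enough. The sample pairs are constructed, and the verdict thresholds are my own choice, not any tool's.

```python
# Constructed samples of (source port, query ID) pairs as seen on a resolver's
# outbound queries, e.g. pulled from a packet capture. Not real traffic.
FIXED_PORT = [(53, 0x1a2b), (53, 0x7c01), (53, 0xe4f0), (53, 0x0315),
              (53, 0xb9a7), (53, 0x4d62), (53, 0xf83c), (53, 0x21d9)]
SEQUENTIAL = [(1025, 0x1a2b), (1026, 0x7c01), (1027, 0xe4f0), (1028, 0x0315),
              (1029, 0xb9a7), (1030, 0x4d62), (1031, 0xf83c), (1032, 0x21d9)]
RANDOMIZED = [(43121, 0x1a2b), (9876, 0x7c01), (61033, 0xe4f0), (27405, 0x0315),
              (50211, 0xb9a7), (3302, 0x4d62), (38890, 0xf83c), (15577, 0x21d9)]


def port_randomization_verdict(queries):
    """Classify how predictable the resolver's source ports look.

    Returns (verdict, distinct_ports, port_span). One fixed port or a port
    that simply increments is predictable; many distinct ports spread over a
    wide range is what the patch is meant to give you.
    """
    ports = sorted(p for p, _ in queries)
    if not ports:
        raise ValueError("no queries observed")
    distinct = len(set(ports))
    span = ports[-1] - ports[0]
    if distinct == 1:
        return "POOR", distinct, span      # single fixed port: no port entropy
    if all(b - a == 1 for a, b in zip(ports, ports[1:])):
        return "POOR", distinct, span      # incrementing port: trivially guessable
    if distinct == len(ports) and span >= 16384:
        return "GOOD", distinct, span      # all different and widely spread
    return "FAIR", distinct, span


def forgery_success_probability(txid_bits, port_bits, forged_responses):
    """Chance that at least one of N blind, independent forged responses hits
    both the query ID and the source port of one outstanding query (the race
    window this post is about). Uniformly random IDs and ports assumed."""
    space = 2 ** (txid_bits + port_bits)
    return 1.0 - (1.0 - 1.0 / space) ** forged_responses


if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORT), ("sequential", SEQUENTIAL),
                         ("randomized", RANDOMIZED)):
        print(name, port_randomization_verdict(sample))
    # Same number of forged packets against a 16-bit ID alone vs. ID plus port.
    print(forgery_success_probability(16, 0, 65536))   # ~0.632
    print(forgery_success_probability(16, 16, 65536))  # ~1.5e-05
```

With only the 16-bit ID to guess, one window's worth of 65536 forged packets succeeds about two times in three; add a random 16-bit port and the same effort gives odds of roughly one in 65000, which is the whole point of the patch.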