Slashdot Mirror

← Back to Stories (view on slashdot.org)

Kaminsky DNS Bug Claimed Fixed By 1-Character Patch

Posted by kdawson on from the but-it's-the-right-character dept.

An anonymous reader writes "According to a thread on the bind-users mailing list, there is nothing inherent in the DNS protocol that would cause the massive vulnerability discussed at length here and elsewhere. As it turns out, it appears to be a simple off-by-one error in BIND, which favors new NS records over cached ones (even if the cached TTL is not yet expired). The patch changes this in favor of still-valid cached records, removing the attacker's ability to successfully poison the cache outside the small window of opportunity afforded by an expiring TTL, which is the way things used to be before the Kaminsky debacle. Source port randomization is nice, but removing the root cause of the attack's effectiveness is better."
Update: 08/29 20:11 GMT by KD : Dan Kaminsky sent this note: "What Gabriel suggests is interesting and was considered, but a) doesn't work and b) creates fatal reliability issues. I've responded in a post here."

8 of 120 comments (clear)

  1. What about other DNS servers ? by neonux · · Score: 5, Insightful

    If this is indeed not a protocol flaw, how come the same vulnerability is present on other DNS servers as well ?

    Do they all use the same code from BIND for this particular 'feature' ?

    --
    @neonux
    1. Re:What about other DNS servers ? by larry+bagina · · Score: 5, Informative

      There is a small window of time when a malicious record could be cached by ANY DNS server. (Port randomization makes guessing the correct port to hit much harder) Bind (and only bind) has/had a huge fucking bug that opened that window of time.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    2. Re:What about other DNS servers ? by B'Trey · · Score: 5, Insightful

      That seems accurate to me. After all, what happens when a DNS record gets updated? With the new behavior, you won't see the change until your cached record expires. That may be preferable to a gaping security hole which lets attackers poison your cache, but I don't think it's accurate to call the issue a bug in BIND. I believe BIND was working as intended to allow updated records to overwrite older ones.

      --

      "The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.

    3. Re:What about other DNS servers ? by More+Trouble · · Score: 5, Insightful

      After all, what happens when a DNS record gets updated? With the new behavior, you won't see the change until your cached record expires.

      You don't see that update until the TTL expires. That's why there's a TTL. If you're planning to make a change, lower the TTL well in advance to allow the new TTL to propagate.

  2. Well let me just say by beakerMeep · · Score: 5, Funny

    (and I think for speak for everyone), this is how I feel about it:

    !

    --
    meep
  3. Reminds me of the story... by hanshotfirst · · Score: 5, Funny

    (Source unknown)

    A manufacturer had a problem with one of the older machines on their line. It shut down the line and held up production, costing many thousands of dollars in lost production. Since it was older equipment it was hard to find someone knowledgeable in repairing the machine, and nobody on-site knew what the problem could be. They found a technician with knowledge of the machine and hired him to come in and fix it.

    When the technician arrived on site he listened to the client's description of the problem, examined the machine, opened a panel, and turned a single screw. He restarted the machine and it was back to full function. The line was up and running and the manufacturer was happy.
    A week later the manufacturer received a bill for services: $1000. They called the technician and demanded an explanation - after all, they reasoned, he had only turned one screw to fix the problem. He agreed to re-bill, this time with itemized charges. The next bill contained two lines.

    Turning the screw... $1
    Knowing which screw to turn... $999

    --
    Why, oh why, didn't I take the Blue Pill?
  4. Re:Steve Jobs by El+Yanqui · · Score: 5, Funny

    Steve Jobs is alive and Slashdot isn't even covering it. This place blows.

    --
    Well, thanks to the Internet, I'm now bored with sex.
  5. Re:A possible downside by Anonymous Coward · · Score: 5, Informative

    That's not how caches work. There is no guarantee that the authoritative server won't give out different responses until the TTL expires. The TTL just means that the resolver may cache the value for that duration. If the value changes during that time, the effect is just like when the server does DNS round-robin load balancing: This resolver uses a different value than other resolvers. Whether that is a problem depends on the validity of the resource, not on a server side decision to stick with an answer or to change it before the old value's TTL. When you change DNS records, you always keep the old resource up until you see only a low amount of requests to the old resource. There are way too many caches which ignore the server-defined TTL and use their own minimum TTLs.