DNS cache poisoning in bind

The bind daemon is responsible for resolving hostnames in IP addresses and vice versa. The new version of bind uses a random transaction-ID (TRXID) and a random UDP source-port for DNS queries to address DNS cache poisoning attacks possible because of the “birthday paradox” and an attack discovered by Dan Kaminsky. Unfortunately we do not have details about Kaminsky’s attack and have to trust the statement that a random UDP source-port is sufficient to stop it. DNS servers that do not support recursive queries or do not use a cache (authoritative only servers) are not vulnerable too. Update packages of bind9 for SLES8 will be available soon. The glibc stub resolver is known to be vulnerable too and we will publish updates as soon as possible. Note, a local attacker can always sniff DNS queries and generate spoofed responses easily. If you use the UDP source-port number of the DNS server in your firewall configuration, for example to let DNS queries through your packetfilter, then you have to take steps to adapt your filter rules to the new behavior of the DNS server.

Solution

To protect your infrastructure from cache poisoning attacks you should provide two DNS servers. One that is authoritative only and accessible from the Internet to resolve queries for your local systems that are available over the Internet. The other system (caching) is not accessible over the Internet and can be used by internal clients to recursively lookup names and addresses. But we encourage you to install the bind update as soon as possible too. If you use the latest update of pdns-recursor you are not vulnerable to this attack. For the glibc stub resolver bug you can install a local secure DNS for- warder on your machine or make a DNS forwarder available for a protected network.