DNS vulnerability – are there any other mitigations apart from patching?

Jul 22nd, 2008

Category: Vulnerability Management


Well, as I’m sure everyone is aware, the details of the DNS flaw that Dan Kaminsky found have been disseminated round the ‘net a bit early.
I’m not going to get into the politics of whether that’s a good thing or a bad thing, or how urgent patching is, as it’s been done to death elsewhere.
I was thinking, though, about how it may be possible to mitigate this in ways other than patching.
Having heard the detailed explanation from Matasano of the vulnerability, wouldn’t it be possible to mitigate this by changing the behaviour of the authoritative name server?
If I’m understanding things correctly, as the authoritative name server for a domain you’d see a whole load of requests for invalid subdomains of your domain (e.g. AAAA.MYDOMAIN.COM, AAAB.MYDOMAIN.COM), and usually you just respond with NXDOMAIN. Now the attacker is relying on you responding NXDOMAIN so that he can respond with an additional RR for your real website, say WWW.MYDOMAIN.COM.
Would it be possible to change your behaviour to respond as the attacker would, with the RR for your valid hosts, so causing the caching DNS server to cache them on the first attempt and preventing the attacker from getting the incorrect entries in first? The attacker is relying on guessing the port and transaction ID, so he won’t get there on the first attempt, and it would seem that this would potentially mitigate the problem.
That said, I’m no DNS expert, so this may well be off base.
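To make the race in the two paragraphs above concrete, here is a small added model (my illustration, not code from the post or from any DNS software) of one lookup per round: the attacker wins a round only if a forged reply matches the resolver’s transaction ID (and source port) before the genuine reply arrives. The addresses, the TTL and the "first cached answer wins until its TTL expires" cache rule are all assumptions of the model.

```python
"""Toy model of the cache-poisoning race described in the post (added
illustration, not from the original page or any resolver's code)."""

REAL_WWW = "198.51.100.10"   # constructed address for WWW.MYDOMAIN.COM
FORGED_WWW = "203.0.113.66"  # constructed address the attacker tries to plant
WWW = "www.mydomain.com."
TTL = 86400                  # long TTL on the pre-seeded record (assumption)


def cache_first_only(cache, name, rdata, ttl, now):
    """Cache rule assumed by the post: a record still within its TTL is not
    overwritten by a later answer for the same name. Returns True if stored."""
    entry = cache.get(name)
    if entry is not None and entry[1] > now:
        return False
    cache[name] = (rdata, now + ttl)
    return True


def simulate(attacker_wins, seed_real_rr):
    """One round per element of attacker_wins (True = a forged reply hit the
    right TXID/port first). seed_real_rr=False is the plain NXDOMAIN reply;
    True is the post's proposal: the authoritative server attaches the genuine
    WWW record to every reply, so the cache is filled on the first lost race.
    Returns the address the cache holds for WWW afterwards (None if nothing)."""
    cache = {}
    for now, won in enumerate(attacker_wins):
        if won:
            cache_first_only(cache, WWW, FORGED_WWW, TTL, now)
        elif seed_real_rr:
            cache_first_only(cache, WWW, REAL_WWW, TTL, now)
        # plain NXDOMAIN: nothing about WWW is cached, so the race is rerun
    return cache.get(WWW, (None,))[0]


def p_poisoned(rounds, guesses_per_round, txid_space=2**16, port_space=1):
    """Probability that the attacker wins at least one of `rounds` races, each
    decided by guesses_per_round forged replies against a uniformly random
    16-bit TXID and, when port_space > 1, a random source port as well."""
    p_round = min(1.0, guesses_per_round / (txid_space * port_space))
    return 1 - (1 - p_round) ** rounds


if __name__ == "__main__":
    outcomes = [False] * 5 + [True]      # attacker gets lucky on round 6
    print("NXDOMAIN replies:", simulate(outcomes, seed_real_rr=False))
    print("seeded replies  :", simulate(outcomes, seed_real_rr=True))
    print("p(poison), 10k rounds, TXID only:", round(p_poisoned(10_000, 100), 4))
    print("p(poison), 10k rounds, TXID+port:",
          round(p_poisoned(10_000, 100, port_space=2**15), 4))
```

With seeded replies the attacker’s only window is the very first race for that name until the TTL expires; the NXDOMAIN case lets him keep rolling the dice, which is what `p_poisoned` quantifies.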


  1. Michael Janke July 22, 2008 at 12:58 pm

    I’d guess that adding a wildcard entry (*.mydomain.com) with a long TTL, pointing at some IP address would mitigate the problem.
