Well, not really. But if you’re in the tech industry you’ve surely heard about the recently discovered DNS vulnerability, and if you’re the curious type you tried to guess how it might work. Dan Kaminsky had wisely decided to postpone the full disclosure until the Black Hat conference, but it was just a matter of time before somebody figured it out. Halvar Flake just did. In short:

1. Send loads of requests for nonexistent FQDNs to a resolver you want to poison. You can do this on non-public resolvers too - just get one of their clients to load a web page you control.
2. Start spoofing responses for those nonexistent FQDNs. Make sure you include glue records in them for, say, the .com zone.
3. Wait until one of your spoofed responses matches the QID that the resolver used.
4. ???
5. Profit! The target resolver is now delegating all .com queries to you. You did set a long TTL, right?

This sounds entirely unrealistic, until you start to do back-of-the-envelope math on just how many lookups and tries you must do - a couple minutes should be enough on any modern broadband link. I suspect Kaminsky’s presentation will come complete with number magic and tools to make this very quick and straightforward.

Amusing side note: Matasano’s blog just covered this story, linking to Flake’s blog. Not only they gave a simple technical introduction/explanation of how and why it works, but they also confirmed that “the cat is out of the bag”. That wasn’t just a guess about the validity of a guess - they know for sure because they’ve spoken with Kaminsky before and confirmed that the exploit is for real: “Dan has the goods“. The amusing part? They pulled the confirmation story about 2 hours after it was published. The cat is already out of the bag, guys ;-)

This attack is truly scary, for two reasons:

1. It’s dead simple, yet extremely effective. Patching all affected resolvers will take quite a while, leaving a lot of people vulnerable in the mean time. There are certain circumstances (mainly NAT setups) in which a patched resolver can still be poisoned.
2. The patch (randomizing source ports for DNS queries - and proving that DJB was wise, not paranoid) will only work for so long. The roughly 30 bits of entropy (instead of the current 16) will last a while, but connection speeds keep increasing, not to mention the probability of somebody coming up with an even more clever attack.

Update: Kaminsky confirms and provides details. Vixie and Dagon came up with a clever hack to extend the amount of entropy in QIDs.