A vulnerability in the BIND domain name system (DNS) software could let an attacker easily and reliably control which name servers are queried by the most widely deployed DNS software on the Internet, according to new research presented at the Woot Conference in Washington D.C. today.

The Internet Systems Consortium has acknowledged the vulnerability.

Researchers Roee Hay of IBM, Jonathan Kalechstein of the Technion Computer Science Department, and Gabi Nakibly of the National Electronic Warfare Research & Simulation Center uncovered a vulnerability in BIND’s smoothed round trip time (SRTT) algorithm.

The primary mitigation technique for DNS spoofing attacks is IP address randomization. The researchers explain that the SRTT algorithm helps BIND choose, from a dynamic list of name servers, the one with the fastest response time for a particular query. This selection should be somewhat random and not easily guessable. A weakness in that algorithm, however, could give an attacker the ability to de-randomize the SRTT name server selection process, effectively shortening the time needed to perform a blind DNS cache poisoning attack, to perform a man-in-the-middle attack, or to assist in distributed denial of service attacks.

Cache poisoning attacks – the most common type of DNS attack – are those in which an attacker causes a victim resolver to cache a fake DNS resource record. In this way, the attacker can cause his victims to communicate with a server under his control without their knowledge. In this sort of attack, a hacker could cache a fake resource record that resolves to an IP address that appears to belong to a software update server but which is actually leading the victim to a malicious server.

The researchers say that the attack essentially reduces the time and effort needed to poison BIND’s cache, and that DNS resolvers should never keep a global state shared between different domain names.
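To make the design point concrete, here is a toy model of SRTT-based name server selection. It is an added illustration, not code from BIND or from the researchers' paper, and its smoothing weight, initial SRTT, server names and RTT samples are all constructed for the example. It keeps the SRTT state two ways: keyed by server address only (a global state shared between every domain that server is authoritative for) and keyed by (domain, server). It then shows that, under global state, RTT samples observed while resolving an unrelated domain change which server is picked for the target domain, while per-domain state leaves that choice untouched.

```python
"""Toy SRTT selector: global state vs. per-domain state (constructed example)."""
from collections import defaultdict

ALPHA = 0.7            # constructed smoothing weight; not BIND's real constant
INITIAL_SRTT_MS = 0.0  # never-tried servers start at 0 so they are tried first


class SrttSelector:
    """Picks the server with the lowest smoothed round-trip time for a query."""

    def __init__(self, per_domain):
        self.per_domain = per_domain
        self.srtt = defaultdict(lambda: INITIAL_SRTT_MS)

    def _key(self, domain, server):
        # Global state: one SRTT per server address, whatever domain was asked.
        # Per-domain state: the SRTT is scoped to the domain the query was for.
        return (domain, server) if self.per_domain else server

    def record_rtt(self, domain, server, rtt_ms):
        # Exponential smoothing: new = ALPHA * old + (1 - ALPHA) * sample
        key = self._key(domain, server)
        self.srtt[key] = ALPHA * self.srtt[key] + (1 - ALPHA) * rtt_ms

    def choose(self, domain, servers):
        # Lowest SRTT wins; ties fall back to name order so the choice is stable.
        return min(servers, key=lambda s: (self.srtt[self._key(domain, s)], s))


TARGET = "example.com"     # constructed domain whose server choice we watch
OTHER = "other.example"    # constructed, unrelated domain served by the same hosts
SERVERS = ["ns1", "ns2"]   # constructed: both are authoritative for both domains


def run_scenario(per_domain):
    """Return (choice before, choice after) for TARGET under one state model."""
    sel = SrttSelector(per_domain)
    # Genuine measurements while resolving the target domain: ns1 is faster.
    sel.record_rtt(TARGET, "ns1", 10.0)
    sel.record_rtt(TARGET, "ns2", 30.0)
    before = sel.choose(TARGET, SERVERS)
    # Slow samples observed while resolving a *different* domain on ns1.
    for _ in range(3):
        sel.record_rtt(OTHER, "ns1", 500.0)
    after = sel.choose(TARGET, SERVERS)
    return before, after


def selection_leaks_across_domains(per_domain):
    """True if samples for OTHER changed which server TARGET is sent to."""
    before, after = run_scenario(per_domain)
    return before != after


if __name__ == "__main__":
    for mode, label in ((False, "global SRTT state"), (True, "per-domain SRTT state")):
        before, after = run_scenario(mode)
        print(f"{label}: {TARGET} -> {before} before, {after} after samples for {OTHER}")
```

With global state the target domain's query moves from ns1 to ns2 purely because of measurements taken for another domain; with per-domain state it stays on ns1. That is the property the researchers' recommendation protects: a resolver's server choice for one name should not be steerable through activity on a different name.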

You can read their full research paper here.

Categories: Vulnerabilities

Comments (2)

  1. Jeff Wright

    Recent SRTT algorithm report clarification.

    We have been engaged with the parties who originally reported the issue for some time, and have previously reviewed it in detail. Our analysis shows that the defect is of limited practical use as an attack vector. However, there are security implications, as it may be used as a potential force magnifier when used in conjunction with other exploits. For example, if a single server from a multiple-server authoritative RRset is compromised, this technique would allow an attacker to ensure that queries were made to the compromised server, instead of whichever server would ordinarily have the lowest SRTT value.

    At the time we received first notification of this issue, we performed a standard CVSS scoring analysis per our Software Defect and Security Vulnerability Disclosure Policy (https://kb.isc.org/article/AA-00861/0). Due to the low score, we issued an Operational Notification, which was posted to the ISC Knowledge Base concurrently with the reporter’s paper presentation at the Woot Conference in Washington D.C. on Tuesday, 12 August 2013. The Notification is available here: https://kb.isc.org/article/AA-01030.

    ISC plans to address this deficiency by reimplementing the SRTT algorithm in future maintenance releases of the BIND 9 code to eliminate or ameliorate this possible influence.


    Jeff Wright
    ISC Security Incident Officer

  2. Roee Hay


    I’d like to point out an error in this article:
    “The primary mitigation technique for DNS spoofing attacks is IP address randomization.”

    This is essentially not true as most of the entropy comes from the TXID (DNS Header) and source port (UDP Header).
