New exploit poisons patched DNS servers, claims researcher

But 'not a threat to the real world,' rebuts DNS expert.

Patches meant to fix a flaw in the Internet's Domain Name System (DNS) don't completely protect the Web's traffic cop from attack, a Russian research claimed Friday.

The head of the non-profit that maintains the most commonly used DNS software, however, said there was little to worry about.

In a blog post, Russian researcher Evgeniy Polyakov said he had created an exploit able to insert bogus routing information into systems running the most-up-to-date version of BIND (Berkeley Internet Name Domain), the popular open-source software that runs a majority of the Web's DNS servers.

BIND 9.5.0-P2 was released Aug. 2 as a follow-on to the initial patch issued July 8, the day that researcher Dan Kaminsky announced the DNS flaw and a coordinated patching effort by several vendors, including Internet Systems Consortium (ISC), which maintains BIND; Microsoft; and Cisco Systems.

Both the July 8 and August 2 BIND updates added source port randomization in the name server to reduce the likelihood of "cache poisoning," the term used to describe attacks that attempt to reroute users' requests for legitimate sites to fakes created to dupe them into entering confidential information.

Polyakov claimed that his exploit was able to insert rogue instructions into a DNS server running BIND 9.5.0-P2, although it took a pair of attacking PCs connected to the server via a Gigabit Ethernet (GigE) network connection about 10 hours to pull off the attack.

"Attack took about half of the day, i.e. a bit less than 10 hours," Polyakov said on his blog. "So, if you have a GigE LAN, any Trojaned machine can poison your DNS during one night."

Computerworld was not immediately able to verify Polyakov's claims.

Paul Vixie, the president of ISC, said the threat posed by Polyakov's exploit was small potatoes compared to the ease with which attackers can poison the caches of unpatched DNS servers. "While I think it's bad that anybody who can hammer you at GigE speed for ten hours can poison your cache, it's not a threat to the real world the way 11 seconds at 10-megabit was," Vixie said in a message posted Sunday to a BIND mailing list.

"Any DNS server with a host-based firewall can implement a 100 percent effective mitigation for the Polyakov attack, and it's possible that an upstream/outboard firewall could also be made to do it," Vixie said. "At some point ISC will have to put logic like this into BIND, of course, but protecting against the Polyakov attack is like synflood protection in that it's a rate-limit problem."

According to other entries posted to his blog, Polyakov began working on an exploit for the DNS flaw around July 29.

Although Kaminsky withheld details of the flaw when he first disclosed the bug early last month, other security researchers parsed the vulnerability from the scant information they had. In a presentation at the Black Hat security conference last week where he outlined the flaw and provided more information, Kaminsky noted that others had reproduced the vulnerability within five days, but kept quiet.

On July 21, however, Thomas Dullien, CEO of the German security company Zynamics GmbH, took a stab at the flaw and posted his best guesses about its details and how it might be exploited. Two days later, working attack code able to poison unpatched DNS servers went public.

For his part, ISC's Vixie urged a move toward a more secure routing system for the Internet, a call that some in the most technical communalities of the Internet have voiced for years. "It's long past time for Secure DNS, which is a combination of TSIG+TKEY, SIG(0), and DNSSEC. End to end crypto authentication," said Vixie in a comment he posted on Saturday.

"In the time it would take for this Russian's attack to work over your 512K DSL line (2.2 years, I heard?) we could completely secure the DNS or at least the parts of DNS whose operators gave a rat's ass about security," Vixie concluded.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?