DNS Vulnerabilities (Cache Poisoning, Kaminsky Attack, Spoofing)

#The Fragility of the Internet's Phonebook#link

Before we study how DNSSEC protects the web, we must understand why DNS is fundamentally broken. DNS was designed in an era of mutual trust. It uses UDP, a stateless protocol, meaning there is no 'handshake' to verify who sent a response. If an attacker can guess a few numbers, they can lie to your computer about where a website lives.

DNS Spoofing and Simple Poisoning

A basic DNS spoofing attack occurs when an attacker sends a forged response to a DNS resolver before the real authoritative server can respond. To succeed, the attacker must guess the correct Transaction ID (TXID)—a 16-bit number. With only 65,536 possibilities, a fast attacker can flood the resolver with guesses in seconds.

In the output above, the resolver simply accepts the answer from the server. There is no signature to verify. If an attacker had sent a packet with the same TXID but a different IP, the resolver would have cached that fake IP and served it to every user on the network.

The Kaminsky Attack: Scaling the Lie

In 2008, Dan Kaminsky discovered a flaw that made DNS poisoning exponentially easier. Instead of attacking `www.google.com` directly, the attacker asks for non-existent subdomains: `random1.google.com`, `random2.google.com`. This forces the resolver to ask the authoritative server every single time, giving the attacker infinite attempts to guess the TXID without waiting for the cache to expire.

Defending the Resolver

Before DNSSEC, the main defense was 'Source Port Randomization'. Instead of always using port 53, the resolver uses a random high port. This increases the entropy an attacker must guess from 16 bits to roughly 32 bits, making the attack significantly harder but still theoretically possible.

• ▪Implement Source Port Randomization
• ▪Use a trusted, validating recursive resolver
• ▪Disable recursion on authoritative nameservers
• ▪Deploy DNSSEC to provide cryptographic proof