I’ve posted two comments at DoxPara.com, those comments are marked “waiting moderation” — and the E-Mail address is valid.

I promise to take the minimum amount of time.

Thanks — Lynn

regards

John Jones
http://www.johnjones.me.uk

Germaine, sort le deux-coups, le riz, les boites de cassoulet, les bouteilles d’eau et les sacs de sable, l’Internet mondial est en train de sombrer. À pic. Façon Titanic. Et oui chers lecteurs, DNS vient de prendre un coup de douze. Un autre…….

I understand (and respect) what Dan has done, but it was hard to find the details of the patch among all of the discussion.

I hope I’ve interpreted it correctly.

… and I hope I got it right.

Step 1:

- Create a malicious DNS zone (malicious.com)

- Spread links to http://www.malicious.com all over the internet (spam, etc…)

Step 2:

- Victim clicks on the the link to http://www.malicious.com

- Victim’s DNS resolver (ns.victim.com) talks to ns.malicious.com

- ns.malicious.com answers by saying that “www.malicious.com” really is an alias for “www.google.com”

=> At this point, I, as an attacker, knows that ns.victim.com is going to ask ns.google.com what is the IP of “www.google.com”

=> ns.victim.com is using either a fixed or a non-random UDP source port for its queries

=> So I can flood ns.victim.com (posing as ns.google.com) with tons of fake DNS answers claiming that http://www.google.com is 127.0.0.1. All I have to figure out at this point is the XID that will be used, and given that it’s a 16 bits integer, it’s not the most complex thing of the world.

=> ns.malicious.com now believes that http://www.google.com is 127.0.0.1