DNS Multiple Race Exploiter

Dec 6th, 2008 | By prithpal | Category: Tools & Utils



DNS Multiple Race Exploiter is a tool that exploits an inherent flaw in the DNS server cache. By sending many queries to a DNS server that processes recursive queries, along with fake replies, an attacker can successfully write a fake new entry into the DNS cache. This type of attack can also overwrite an existing entry. For example, if the DNS server's cache already has www.example.com => 1.2.3.4, the attack can overwrite it with www.example.com => 4.3.2.1. Initially, the attack was easy because the majority of DNS servers did not randomize the UDP source port number. Patched DNS servers do randomize the UDP source port number, but that does not eliminate the flaw; it only increases the time required to poison the cache. Poisoning unpatched systems would take a period of seconds; poisoning patched systems would take a period of hours. DNS Multiple Race Exploiter is made to attack both patched and unpatched systems.

To successfully inject an entry into a remote DNS cache, there are prerequisite elements the auditor needs to know:

The auditor needs to know whether the target DNS server processes recursive queries. If it does not, the server is not susceptible to cache poisoning. If the target DNS server does process recursive queries, the auditor needs to know whether the server forwards the DNS request to a forwarder server or performs the request directly. If a "forwarder" is configured, the auditor needs the IP address of the forwarder system.

The auditor needs to know the static source port number used by the target DNS server only in case of unpatched systems. For patched systems, this is not needed.
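The static versus randomized source port distinction above can be checked from the defender's side. The following is an added example, not part of the original post or of the tool: it classifies a resolver's outbound UDP source ports as seen in a packet capture or at an authoritative server the administrator controls. The function name, the thresholds and the sample port lists are assumptions made for illustration.

```python
import math
from collections import Counter

TXID_SPACE = 2 ** 16  # the DNS transaction ID is a 16-bit field


def assess_source_ports(ports):
    """Classify outbound UDP source ports observed from one resolver.

    Returns the verdict, the estimated number of ports an off-path
    spoofer must cover, and the combined TXID+port search space in bits.
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    # Step between consecutive queries, wrapping at the 16-bit port limit.
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    step, hits = Counter(deltas).most_common(1)[0]
    if len(set(ports)) == 1:
        verdict, port_space = "static", 1
    elif hits >= 0.8 * len(deltas) and 0 < step <= 16:
        # A fixed small increment is as guessable as a fixed port.
        verdict, port_space = "sequential", 1
    else:
        # Rough pool estimate from the observed span (assumption: ports
        # come from one contiguous range; small samples underestimate it).
        verdict, port_space = "randomized", max(ports) - min(ports) + 1
    bits = math.log2(TXID_SPACE * port_space)
    return {"verdict": verdict, "port_space": port_space,
            "search_bits": round(bits, 1)}


# Constructed samples, not captured from any real server.
STATIC = [32771] * 8
SEQUENTIAL = [1025, 1026, 1027, 1028, 1029, 1030, 1031, 1032]
RANDOMIZED = [51234, 10422, 33910, 60001, 2048, 47777, 19283, 38111]

if __name__ == "__main__":
    for name, sample in (("static", STATIC), ("sequential", SEQUENTIAL),
                         ("randomized", RANDOMIZED)):
        print(name, assess_source_ports(sample))
```

A "static" or "sequential" verdict leaves only the 16-bit transaction ID protecting the cache, which is the unpatched case described above; a "randomized" verdict adds the port range on top of it.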

DNS Multiple Race Exploiter project homepage

