The DNS cache poisoning exploit is posing a serious threat of large-scale attack to DNS server systems not only in Vietnam but all over the world. This is a critical vulnerable, especially when hackers have been successful in exploiting it. The problem is that server managers have not had any tools to check if their system is in danger or not, which makes them very puzzled. And one more question, if their systems have the flaw, how could they apply the patch?

On 07/25/2008, Bkis, from Hanoi University of Technology, Vietnam has released BkavDNSCheck, new software checking for Dan Kaminsky DNS flaw.

The advantage of this software is that BkavDNSCheck could solve the limitation of Dan's Tool ( BkavDNSCheck is able to test exactly the specific DNS Server which DNS Administrator want to check, while Dan's Tool could only test the last top DNS server (not owned by the checker - DNS Administrator).

Together with launching the software, Bkis has given out some articles on how to apply patch against this flaw for vulnerable systems, thus keeping Vietnam DNS systems away from a hazardous large-scale attack.

Recommendations to Network Administrators

To check the systems for this flaw, administrators should follow these steps:

  1. Download and run “Bkav DNS Check” software here:

  2. Use BkavDNSCheck to check your own DNS server is vulnerable to DNS Cache Poisoning or not. For details, please, follow this link: /?p=71


If the system is reported as containing the flaw, follow these steps to fix it:

  1. Check for the venders of the vulnerable system (Microsoft, Red Hat, …)
  2. Apply appropriate patches for the system:






Microsoft Corporation

Click here


Red hat, Inc.

Click here


Sun Microsystems, Inc.

Sun Solaris 8 (SPARC) – Applied patch 109326-20 or newer Click here

Sun Solaris 9 (SPARC) - Applied patch 112837-14 or newer Click here

Sun Solaris 8 (x86) - Applied patch 109327-20 or newer

Click here

Sun Solaris 9 (x86) - Applied patch 114265-13 or newer

Click here



Click here


Cisco Systems, Inc.

Click here


Recommendations to Individual Users:

Be cautious when accessing the internet during this period. If encountering any unusual happening when visiting familiar websites, you should contact administrators of your companies or organizations, or ISP helpdesk as soon as possible, so that in-time solution could be carried out. You should have your operating systems patched and install some antivirus programs to be protected from malicious code as well.

Technical description of the Subdomain Exploit DNS Cache Poisoning Flaw

DNS protocol is an address resolution protocol used for mapping between domain names and correlative IP addresses. According to this protocol, when a DNS server receives an address resolution request from its clients, it will look up in the cache and reply with the IP address appropriate to the requested domain name. However, if the domain name has not been cached, the DNS server will forward the request to another DNS server. It is this phase that has been detected to contain the serious vulnerable, the exploit of which has been spread over the internet for several days.

Here comes the method that has been used by hackers in the exploit: Hackers (say computer H) sends a mass of address resolution requests to the DNS server chosen as a victim (say server A). The domain names to be resolved have been prepared so that server A could not found them in the cache and thus has to relay the requests to the subsequent DNS server (say server B). Each resolution exchange between A and B is authenticated by a random transaction ID (TID). The Achile’s Heel is that this TID is merely a 16 bit number (smaller than 65535) and every communication between A and B are made through a fixed port.

In order to make a DNS cache poisoning attack, before server A receives replies from server B, hacker continuously sends crafted packets spoofing B’s replies to that fixed port of A. If only one of these spoofed packets has the same TID as that of the packet server A have been waiting for, it would be accepted by A as a legal one and be cached. From this point, the actual replies from server B are not to be used by A. In this way, a hacker will able to poison the cache of server A, force it to map the domain name being attacked on the IP address specified by him.

Having appeared for the first time in the 1990s, DNS cache poisoning flaw has been exploited in many different methods. This is a weakness in the design of the Domain Name System. For each of those exploitation methods, DNS Server venders have released accordingly preventative patches to sort out the problems. But hackers have found a new attacking method recently and continued to make use of this DNS cache poisoning flaw.

The key in this recently reported exploit is that hackers use subdomains to generate legitimate address resolution requests. These subdomains are created randomly in large amount ensuring that they have not already existed in the cache of server A, and therefore, forcing server A to generate an equivalent amount of forwarding requests to server B. As a result, the probability that a spoofed packet crafted by hackers has the same TID as that of the packet being waited by server A would increase considerably. Hackers would thus have more opportunities to successfully attack the cache of server A.

Leave a Reply

Name (required)
Mail (hidden) (required)
Text to Identify

Popup Date Time Portlet

Blogs Aggregator

Recent Posts

Blog Category Portlet


Store Portlet


Vote Baby Portlet