1. BlackHat DC 09 Wouters
BlackHat DC 09 Wouters Post Dan Kaminsky slides pdf documents
1.1. Two phase deployment
• First release a generic fix for the Kaminsky attack that does not leak information to the bad guys (source port randomization)
• Then release the bug and patches specifically against the Kaminsky attack
1.2. The inevitable: Fix recursive nameservers
• Port randomization
• Sanitize TTLs
• Use more IP addresses per DNS server
• Harden against bogus size packets
• Harden glue
• Additional queries for infrastructure data
• 0x20
1.3. Hardening infrastructure queries
- Before accepting NS records or A records of nameservers, ask at least two different nameservers.
- Before accepting glue records or additional data, independently verify these with new queries.
(extra work is only needed once, then we use caching – minimum impact)
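
The two rules above, sketched as an added example (not code from the slides or from any resolver): infrastructure data is accepted only when at least two distinct servers return the same answer, glue is kept only if fresh queries confirm it, and the result is cached so the extra queries happen once. The names InfraCache, fake_query and ANSWERS, and all addresses, are assumptions constructed for illustration.

```python
from collections import Counter

class InfraCache:
    """Accept NS/A data for nameservers only when enough distinct servers agree."""

    def __init__(self, query, min_agree=2):
        self.query = query        # assumed callable: (server, name, rtype) -> set of rdata or None
        self.min_agree = min_agree
        self.cache = {}
        self.queries_sent = 0

    def lookup(self, name, rtype, servers):
        key = (name.lower(), rtype)
        if key in self.cache:                   # extra work was done once; reuse it
            return self.cache[key]
        votes = Counter()
        for server in dict.fromkeys(servers):   # each distinct server is asked once
            self.queries_sent += 1
            answer = self.query(server, name, rtype)
            if answer:
                votes[frozenset(answer)] += 1
        if not votes:
            return None
        rrset, count = votes.most_common(1)[0]
        if count < self.min_agree:              # a single unconfirmed answer is not accepted
            return None
        self.cache[key] = rrset
        return rrset

    def verify_glue(self, ns_name, glue_addrs, servers):
        """Treat referral glue as a hint: keep only addresses confirmed by fresh queries."""
        confirmed = self.lookup(ns_name, "A", servers)
        return frozenset(glue_addrs) & confirmed if confirmed else frozenset()

# Constructed sample answers; 203.0.113.66 stands in for a forged reply.
ANSWERS = {
    ("192.0.2.1", "ns1.example.com", "A"): {"198.51.100.10"},
    ("192.0.2.2", "ns1.example.com", "A"): {"198.51.100.10"},
    ("192.0.2.3", "ns1.example.com", "A"): {"203.0.113.66"},
    ("192.0.2.1", "ns2.example.com", "A"): {"198.51.100.20"},
    ("192.0.2.3", "ns2.example.com", "A"): {"203.0.113.66"},
}

def fake_query(server, name, rtype):
    """Offline stand-in for sending a DNS query to one server."""
    return ANSWERS.get((server, name.lower(), rtype))
```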