A pervasive DNS cache poisoning vulnerability has been found by Dan Kaminsky. Dan is an excellent security researcher and I have been following his DNS research for some time. His paper on DNS Rebinding is quite good and worth a read or two.
I also want to give a tip of the hat to Mr. Daniel J. Bernstein, aka DJB. His approach to software and systems engineering is to be applauded and emulated. I have used djbdns for years and have admired its simplicity, not to mention its scalability. You see, source port randomization, which just so happens to be the cure for this bug, was first implemented and possibly invented by Mr. Bernstein.
Here is an excerpt from Dan Kaminsky's post at DoxPara:
Sometimes it is better to be lucky than good. Fortunately for us DJB is both. DJB was right. All those years ago, Dan J. Bernstein was right: Source Port Randomization should be standard on every name server in production use.
There is a fantastic quote that guides a lot of the work I do: Luck is the residue of design. Dan Bernstein is a notably lucky programmer, and that’s no accident. The professor lives and breathes systems engineering in a way that my hackish code aspires to one day experience. DJB got “lucky” here — he ended up defending himself against an attack he almost certainly never encountered.
Such is the mark of excellent design. Excellent design protects you against things you don’t have any information about. And so we are deploying this excellent design to provide no information.
