Kaminsky said a weakness exists in a transaction identification process that the DNS protocol uses to determine whether responses to DNS queries are legitimate or not. DNS packets include what are supposed to be random identification numbers, but the problem, according to Kaminsky, is that only about 65,000 different values are currently being used as identifiers. And in reality, the process of assigning the identifiers to packets isn't especially random and can be guessed, he said.
Joao Damas, a senior program manager at the ISC, said that what Kaminsky has discovered is a way to efficiently identify responses to specific queries and then quickly inject forged information into them. With their patches, the ISC and other vendors are trying to add more randomness to the process in order to make it much harder for attackers to determine the identifier values, Damas added. "Increasing forgery resilience is the way we are trying to do this," he said.
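The two properties the article describes, a 16-bit identifier space (about 65,000 values) and identifiers assigned in a guessable order, can be checked on a resolver's own outbound queries. The script below is an added illustration, not code from the article, the ISC or any vendor: given a sample of (transaction ID, UDP source port) pairs taken from a resolver's outgoing queries, it flags sequential IDs and a fixed source port, and shows how the chance of a forged response matching falls as more unpredictable bits are added. The sample data is constructed to mimic pre-patch and post-patch behaviour, and the thresholds are assumptions.

```python
"""Rough check of how guessable a resolver's DNS query identifiers are.

Added illustration, not from the article. Input is a list of transaction
IDs and a list of UDP source ports observed on a resolver's outgoing
queries; the samples below are constructed, not captured from a real server.
"""
import math
import random
from collections import Counter

ID_SPACE_BITS = 16     # DNS transaction ID: 16 bits, ~65,536 values
PORT_SPACE_BITS = 16   # UDP source port, if the resolver picks it at random


def entropy_bits(values):
    """Shannon entropy of the observed sample, in bits.

    Bounded above by log2(len(values)), so a small sample can confirm
    weakness (repetition) but never prove strength.
    """
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def is_sequential(values, threshold=0.9):
    """True if at least `threshold` of successive IDs step by exactly +1.

    Entropy alone misses this: 200 sequential IDs and 200 random IDs have
    the same sample entropy, but only one set is predictable.
    """
    if len(values) < 2:
        return False
    steps = sum(1 for a, b in zip(values, values[1:]) if (b - a) % 65536 == 1)
    return steps / (len(values) - 1) >= threshold


def guess_probability(effective_bits, attempts):
    """Chance that one of `attempts` distinct forged responses matches a
    query whose identifiers carry `effective_bits` of unpredictability."""
    return min(1.0, attempts / 2 ** effective_bits)


def assess(txids, sports):
    """Summarise forgery resilience of the sampled identifiers (assumed rules)."""
    txid_sequential = is_sequential(txids)
    port_fixed = len(set(sports)) == 1
    return {
        "txid_entropy": entropy_bits(txids),
        "port_entropy": entropy_bits(sports),
        "txid_sequential": txid_sequential,
        "port_fixed": port_fixed,
        "verdict": "weak" if (txid_sequential or port_fixed) else "ok",
    }


def weak_sample(n=200):
    """Constructed: sequential IDs sent from one fixed port (pre-patch style)."""
    return list(range(4000, 4000 + n)), [53] * n


def strong_sample(n=200, seed=7):
    """Constructed: random IDs and random high ports (post-patch style)."""
    rng = random.Random(seed)
    return ([rng.getrandbits(16) for _ in range(n)],
            [rng.randrange(1024, 65536) for _ in range(n)])


if __name__ == "__main__":
    for label, sample in (("weak", weak_sample()), ("strong", strong_sample())):
        print(label, assess(*sample))
    # One forged reply per possible ID exhausts a 16-bit space; adding a
    # random 16-bit port leaves the same effort with a 1-in-65,536 chance.
    print("16 bits, 65536 tries:", guess_probability(ID_SPACE_BITS, 65536))
    print("32 bits, 65536 tries:",
          guess_probability(ID_SPACE_BITS + PORT_SPACE_BITS, 65536))
```

Run it against a capture of your own resolver's outbound queries to confirm that the patch actually changed the source port behaviour; a sequential ID sequence or a single source port is what the pre-patch weakness looks like on the wire.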
The technique uncovered by Kaminsky does seem to offer an "extremely easy way" to compromise DNS servers, said Rich Mogull, who heads the security consulting firm Securosis. But for the moment, at least, the flaw doesn't appear to be exploitable because the only ones who know about it are the "good guys," Mogull said. "Your risk isn't any greater today than it was yesterday."
Even so, companies should make sure that their domain name servers are patched as soon as possible, Kaminsky said. He added that if a particular vendor has yet to make a patch available, IT managers might want to consider using open-source technologies such as OpenDNS, which is not vulnerable to the cache-poisoning issue.
The US-CERT's advisory also listed other steps that companies could take to mitigate the threat, such as restricting access to their DNS servers and filtering traffic for spoofed IP addresses at their network perimeters.