Debian Security Advisory

DSA-1605-1 glibc -- DNS cache poisoning

Date Reported:
08 Jul 2008
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2008-1447.
CERT's vulnerabilities, advisories and incident notes: VU#800113.
More information:

Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS spoofing and cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting.

At this time, it is not possible to implement the recommended countermeasures in the GNU libc stub resolver. The following workarounds are available:

1. Install a local BIND 9 resolver on the host, possibly in forward-only mode. BIND 9 will then use source port randomization when sending queries over the network. (Other caching resolvers can be used instead.)

2. Rely on IP address spoofing protection if available. Successful attacks must spoof the address of one of the resolvers, which may not be possible if the network is guarded properly against IP spoofing attacks (both from internal and external sources).

This DSA will be updated when patches for hardening the stub resolver are available.