Dan Kaminsky gave a very interesting talk on the recent DNS issues as part of the Black Hat USA 2008 conference currently on the go in Las Vegas. Originally DJ Bernstein had advocated ( and put into DJBDNS ) source port randomisation as part of the DNS request but no one else had as they thought transaction id randomisation was good enough. Well it wasn’t, so the current ‘fix’ is to do just that. Unfortunately, the attempts at protection of internal networks ( Firewall NAT’ing ) ends up removing this protection due to it removing the random source port!!!
Dan also has a very cool video of the spread of DNS updates ( or the lack thereof ):
Red — Unpatched
Yellow — Patched, but the NAT is screwing things up
Green — OK
