DNS security work has very often focused on server-side problems
and vulnerabilities. This paper focuses instead on the Windows client DNS service, also
called the DNS resolver. It explains how it is often possible to predict
the “Transaction ID” and the “UDP port number” used
by the Windows DNS resolver. With this information, it shows how it
is possible, under certain conditions, to win the race against the regular DNS
server and hijack, for example, a TCP/IP session. Although this problem has been
reported to Microsoft’s security experts and we both agreed that there
is no immediate threat or security vulnerability, it may be used to attack Windows
LAN and WAN clients, for example at startup. In WLANs too, where the medium is shared
and which are therefore subject to the well-known DNS attacks based on sniffing, this
predictability increases the chances of being effectively attacked.
Microsoft informed me that the concerns mentioned in this paper will be addressed
in future versions of its products.
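
The following Python sketch is an added example, not taken from the paper: it shows how a defender could check captured resolver queries for the kind of Transaction ID and UDP source port predictability described above. Both sample captures are constructed for illustration, and the function names, the 0.8 threshold and the minimum sample size are assumptions.

```python
from collections import Counter

# Constructed (txid, source_port) pairs in capture order; not measured from a real host.
PREDICTABLE_SAMPLE = [(0xFFFD, 1026), (0xFFFE, 1026), (0xFFFF, 1026), (0x0000, 1026), (0x0001, 1026)]
RANDOMISED_SAMPLE = [(0x3A9F, 51234), (0xC1D0, 49877), (0x07E2, 60311), (0x9B44, 53002), (0x5F13, 58719)]


def dominant_step(values, modulus=65536):
    """Most common difference between consecutive 16-bit values, and how often it occurs."""
    deltas = [(b - a) % modulus for a, b in zip(values, values[1:])]  # modulo handles wraparound
    step, hits = Counter(deltas).most_common(1)[0]
    return step, hits / len(deltas)


def audit(queries, threshold=0.8, min_samples=4):
    """Flag a field as predictable when one step explains >= threshold of transitions."""
    if len(queries) < min_samples:
        # With very few queries any sequence looks regular, so refuse to judge.
        raise ValueError(f"need at least {min_samples} queries, got {len(queries)}")
    txid_step, txid_rate = dominant_step([q[0] for q in queries])
    port_step, port_rate = dominant_step([q[1] for q in queries])
    txid_pred, port_pred = txid_rate >= threshold, port_rate >= threshold
    return {
        "txid_step": txid_step, "txid_predictable": txid_pred,
        "port_step": port_step, "port_predictable": port_pred,
        # Upper bound: 16 bits per field that still looks random to an observer.
        "unpredictable_bits": 16 * ((not txid_pred) + (not port_pred)),
    }


if __name__ == "__main__":
    for name, sample in (("predictable", PREDICTABLE_SAMPLE), ("randomised", RANDOMISED_SAMPLE)):
        print(name, audit(sample))
```

A result of 0 unpredictable bits means an off-path observer who has seen one query could anticipate both values of the next one; 32 is the best case for a resolver that randomises both fields.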