by benkillin 3168 days ago
Would a mitm attack be necessary since DNS is UDP? Couldn't you just forge packets from likely dns hosts that the victims might use and just constantly send responses hoping that the victim makes a request for one of the hosts you are forging responses for, and maybe one of the packets beats the real response and gets parsed? Is there a sequence number or unique request ID that gets used in UDP dns requests that is required in the response to be accepted as a response?
2 comments

There is the UDP source port, which is where the reply will be sent, and a 16 bit ID number associated with each request. Randomizing both of these gives you 32 bits of entropy, which would make spoofing attacks a lot harder. There were a lot of systems vulnerable to such attacks before source port randomization and ID randomization became common to mitigate such attacks.

https://en.wikipedia.org/wiki/DNS_spoofing

Of course, for this attack, you may only need to get the source port to match, since if it's the DNS resolver that has the bug, it may parse the whole response before noticing that the ID doesn't match. And some NATs may break source port randomization, since they allocate their own source ports to keep a table of their source port to the internal IP and source port; if they do so in a more predictable manner, it may be relatively easy to spam them with packets, or you could just spam the whole 65536 bit range with bad packets.

> Is there a sequence number or unique request ID that gets used in UDP dns requests that is required in the response to be accepted as a response?

Yes, there is, but it's only 16 bits, so it can be guessed, as was shown a decade ago with the "Kaminsky vulnerability" (giving names to vulnerabilities is not a new thing). A workaround is to also randomize the source port, so the attacker has to guess both the query ID and the source port used for the request. The true fix for the "Kaminsky vulnerability" would be to use DNSSEC, since even if the attacker spoofs the DNS response, they can't spoof the DNSSEC signature.
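The two replies above make the same point from different angles: a reply is only accepted if it arrives on the right source port with the right 16-bit transaction ID, and randomizing the port raises the guess space from 2^16 to 2^32. The following is an added example, not code from any of the commenters; it is a toy in-memory resolver with a hand-written DNS header and question encoder (no real sockets, no name compression, and the fixed port 1053 stands in for whatever a legacy resolver used). It shows the resolver-side matching order a defender wants: reject on port and ID before touching the rest of the packet, then confirm the question echoes the one asked, and consume the pending entry so a second reply for the same (port, ID) is dropped.

```python
"""Resolver-side check that a UDP DNS reply matches an outstanding query.

Added example, not from the thread. Assumptions: a minimal wire-format
encoder/decoder written here rather than a real resolver, an in-memory
"transport" so nothing touches the network, and 1053 as a placeholder for
a legacy fixed source port.
"""
import secrets
import struct

HEADER = struct.Struct("!HHHHHH")  # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
QR_BIT = 0x8000  # set on responses


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression pointers)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(packet: bytes, offset: int):
    """Decode an uncompressed label sequence; return (name, next_offset)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode())
        offset += length
    return ".".join(labels), offset


def build_message(txid: int, qname: str, qtype: int = 1, response: bool = False) -> bytes:
    """Header plus one question; a response sets QR and carries no answers (enough for matching)."""
    flags = QR_BIT if response else 0x0100  # queries set RD
    return HEADER.pack(txid, flags, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


class Resolver:
    """Tracks outstanding queries keyed on (source port, transaction ID)."""

    def __init__(self, randomize_port: bool = True):
        self.randomize_port = randomize_port
        self.pending = {}

    def send_query(self, qname: str):
        txid = secrets.randbelow(1 << 16)
        # Legacy behaviour: one fixed source port for every query; the fix is a fresh one per query.
        port = 1024 + secrets.randbelow((1 << 16) - 1024) if self.randomize_port else 1053
        self.pending[(port, txid)] = qname
        return port, txid, build_message(txid, qname)

    def receive(self, dst_port: int, packet: bytes):
        """Return the queried name if the reply matches a pending query, else None (drop)."""
        if len(packet) < HEADER.size:
            return None
        txid, flags, qdcount, *_ = HEADER.unpack_from(packet)
        if not flags & QR_BIT or qdcount != 1:
            return None
        key = (dst_port, txid)
        qname = self.pending.get(key)
        if qname is None:
            return None  # port/ID pair not outstanding: forged, stale or duplicate; body never parsed
        name, _ = decode_name(packet, HEADER.size)
        if name != qname:
            return None  # the question section must echo what we asked
        del self.pending[key]  # first valid reply wins; any later reply for this pair is dropped
        return name


def guess_space(randomize_port: bool) -> int:
    """Values an off-path sender must get right per query: 2^16 IDs, times 2^16 ports if randomized."""
    return (1 << 16) * ((1 << 16) if randomize_port else 1)


if __name__ == "__main__":
    r = Resolver()
    port, txid, _query = r.send_query("example.com")
    print("accepted:", r.receive(port, build_message(txid, "example.com", response=True)))
    print("guess space, fixed port:", guess_space(False), "randomized:", guess_space(True))
```

The order of checks in `receive` is the point the first reply raises: a resolver that parses the whole message and only afterwards compares the ID exposes its parser to any packet that merely hits the right port, whereas checking the (port, ID) pair first means a forged reply is discarded before its body is ever decoded. `guess_space` is the 16-versus-32-bit arithmetic from the replies, not a model of the NAT rewriting the second reply mentions, which can collapse the randomized port back to something predictable.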

Yes, this buffer overflow is in code added precisely to protect against an attacker forging DNS responses. Ironic, isn't it?