DNS Multiple Race Exploiter: DNS Cache Poisoner/Overwriter DNS Multiple Race Exploiting tool has the following features: [A]The tool can attack both unpatched DNS systems as well as patched DNS systems. Attacking a patched system requires a much longer time than an unpatched system. The tool can launch two modes of attack; one is against DNS server that supports recursion, and the second mode is against DNS server configured with forwarder DNS. The attack modes differ in the "flags" carried in the DNS fake replies. Since a DNS with server forwarder(s) sends a query with the "recursion desired" bit set, the reply has to have this bit set, too. Also, the reply has to have the "recursion available" bit set. On the other hand, a DNS server with recursion sends query with the recursion bit unset (i.e. iteration query), the reply has to have this bit unset, too. [C] The tool spoofs the source IP address of the queries. This is useful if the attacker does not want leave any trace of his IP address on the server. [D] The tool utilizes CNAME Record Type to inject the false entry. The way the poisoning is implemented is by sending two answer Resource Records (RRs): One is a CNAME RR, and the second is an A record. Every fake reply contains something like: [E]The tool sends multiple fake replies with different TXIDs to increase the probability of hitting the correct TXID. This is useful in reducing the time needed to generate a "hit". For a server that does not randomize the source port number, the maximum number of iterations needed is 65546 (an average would 32768). However, by sending 10 to 15 TXIDs, for example, the probability of making a "hit" is higher in a shorter time; an average of ~3000 iterations are needed. Download: DNS Multiple Race Exploiter -- version 1.0 http://www.securebits.org/tools/dns_mre-v1.0.tar.gz
