echo: nthelp
to: Geo.
from: Frank Haber
date: 2007-04-18 11:58:46
subject: Re: MS DNS worm on the loose

From: "Frank Haber" 

This one?  (Copied from your FD scraping group below, and THANKS again for
that.)  (I'm stealing and crossposting because the description sounds
authoritative, and the author seems not to be foaming at the mouth,
unlike....)

==============

"Roger,

This is what I know about it, since no one else seems to be giving you more info...

> As described above, Windows DNS is vulnerable to the cache poisoning
> attack through the forwarder DNS server. This seems to be because Windows DNS
> blindly trusts replies from the forwarder DNS and caches every resource
> record regardless of its domain.

The original vulnerability was the issue that Windows DNS server accepts
records from unauthoritative sources.  This was partially fixed with some
registry setting (insanely off by default), but it turned out if Windows
was using an upstream resolver (i.e. not going directly to the roots), then
it was still vulnerable.  This is the vulnerability which is specific to
Windows DNS (though Symantec's also had it, I think).

For instance, if a Windows DNS cache asks for example.org, and receives
records for example.org and org (TLD), then it will blindly believe it,
under certain conditions.  BIND does not do this, AFAIK, and neither does
any correctly implemented DNS cache.

The attack described just now is that this vulnerability, combined with the
traditional "birthday" attack scenario, allows another form of
attack.  Birthday attacks in general are still possible on any DNS
server which doesn't randomize source ports, but may be more difficult to
conduct than this new attack. (I'm not sure, I haven't run the numbers.)

Hope this clears it up.  If you're interested in running a more secure DNS
cache, try djbdns' dnscache.

tim"

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 5030/786
@PATH: 379/45 1 633/267
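The "bailiwick" rule tim describes (a correctly implemented cache only believes records that fall under the zone the answering server is authoritative for, and a forwarder's answers get even less trust) is easy to state in code. The following is an added example, not code from the message, from Windows DNS or from any real resolver; the record layout, the helper names (`in_bailiwick`, `filter_iterative`, `filter_forwarded`) and the sample response are all constructed for illustration.

```python
"""Bailiwick filtering for parsed DNS responses: a plain-Python model of the
check a cache performs before storing anything it receives.

Added example (not from the quoted message or any real DNS software).
Names, addresses and records below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record as it would appear in a parsed response."""
    section: str   # "answer", "authority" or "additional"
    name: str      # owner name
    rtype: str
    rdata: str
    ttl: int = 3600


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so comparisons are exact."""
    return name.rstrip(".").lower()


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is `zone` itself or lies below it in the tree.
    The empty zone is the root, which is the bailiwick of the root servers."""
    owner, zone = normalize(owner), normalize(zone)
    if zone == "":
        return True
    return owner == zone or owner.endswith("." + zone)


def filter_iterative(zone: str, records):
    """Iterative mode: the cache asked a server it believes is authoritative
    for `zone`, so any record outside that zone, in any section, is dropped.
    This is what stops an answer for example.org from installing NS records
    for the org TLD, the case the message describes."""
    accepted, rejected = [], []
    for rr in records:
        (accepted if in_bailiwick(rr.name, zone) else rejected).append(rr)
    return accepted, rejected


def filter_forwarded(qname: str, records):
    """Forwarder mode: an upstream resolver is authoritative for nothing, so
    only answer-section records for the name actually asked about are kept;
    authority and additional data from a forwarder is never cached. A cache
    that trusts the forwarder for everything is the weak case in the message."""
    q = normalize(qname)
    accepted, rejected = [], []
    for rr in records:
        ok = rr.section == "answer" and normalize(rr.name) == q
        (accepted if ok else rejected).append(rr)
    return accepted, rejected


# Constructed response to a query for www.example.org, as if sent by a server
# authoritative for example.org. The last three records are out of bailiwick
# and must not reach the cache.
SAMPLE_RESPONSE = [
    RR("answer", "www.example.org.", "A", "192.0.2.10"),
    RR("authority", "example.org.", "NS", "ns1.example.org."),
    RR("additional", "ns1.example.org.", "A", "192.0.2.1"),
    RR("authority", "org.", "NS", "ns.example.net."),        # claims the whole TLD
    RR("additional", "ns.example.net.", "A", "203.0.113.7"),
    RR("additional", "www.example.com.", "A", "203.0.113.9"),
]


if __name__ == "__main__":
    kept, dropped = filter_iterative("example.org", SAMPLE_RESPONSE)
    print("iterative  kept:", [r.name for r in kept])
    print("iterative  dropped:", [r.name for r in dropped])
    kept, dropped = filter_forwarded("www.example.org", SAMPLE_RESPONSE)
    print("forwarded  kept:", [r.name for r in kept])
    print("forwarded  dropped:", [r.name for r in dropped])
```

Run as-is to see the two policies applied to the same response: the iterative filter keeps the three example.org records and drops the org delegation and the unrelated example.com and example.net data; the forwarder filter keeps only the answer for www.example.org. Note that the suffix test uses `"." + zone`, so `notexample.org` is correctly rejected for zone `example.org`; a naive `endswith(zone)` would let it through.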

SOURCE: echomail via fidonet.ozzmosis.com
