How Dan Kaminsky broke and fixed DNS

Wired's Joshua A Davis has a great profile of my pal Dan Kaminsky's work on discovering and then helping to fix a net-crashing DNS bug earlier this year. Davis really captures the excitement of discovering a major security flaw and the complex web of personal, professional and technical complications that come to bear when you're trying to disclose the research in a way that minimizes harm to the net.

Dan does a lot of fun security-related stuff that doesn't get talked about in public. There's this one thing he does --

But that would be telling.

The next morning, Kaminsky strode to the front of the conference room at Microsoft headquarters before Vixie could introduce him or even welcome the assembled heavy hitters. The 16 people in the room represented Cisco Systems, Microsoft, and the most important designers of modern DNS software.

Vixie was prepared to say a few words, but Kaminsky assumed that everyone was there to hear what he had to say. After all, he'd earned the spotlight. He hadn't sold the discovery to the Russian mob. He hadn't used it to take over banks. He hadn't destroyed the Internet. He was actually losing money on the whole thing: As a freelance computer consultant, he had taken time off work to save the world. In return, he deserved to bask in the glory of discovery. Maybe his name would be heralded around the world.

Kaminsky started by laying out the timeline. He had discovered a devastating flaw in DNS and would explain the details in a moment. But first he wanted the group to know that they didn't have much time. On August 6, he was going to a hacker convention in Las Vegas, where he would stand before the world and unveil his amazing discovery. If there was a solution, they'd better figure it out by then.

But did Kaminsky have the goods? DNS attacks were nothing new and were considered difficult to execute. The most practical attack, widely known as cache poisoning, required a hacker to submit data to a DNS server at the exact moment that it updated its records. If he succeeded, he could change the records. But, like sperm swimming toward an egg, whichever packet got there first, legitimate or malicious, locked everything else out. If the attacker lost the race, he would have to wait until the server updated again, a moment that might not come for days. And even if he timed it just right, the server required a 16-bit ID number. The hacker had a 1-in-65,536 chance of guessing it correctly. It could take years to successfully compromise just one domain.

The experts watched as Kaminsky opened his laptop and connected the overhead projector. He had created a "weaponized" version of his attack on this vulnerability to demonstrate its power. A mass of data flashed onscreen and told the story. In less than 10 seconds, Kaminsky had compromised a server running BIND 9, Vixie's DNS routing software, which controls 80 percent of Internet traffic. It was undeniable proof that Kaminsky had the power to take down large swaths of the Internet.

Secret Geek A-Team Hacks Back, Defends Worldwide Web

(Photo: John Keatley)
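The excerpt gives the two numbers that matter: a 16-bit transaction ID (1 in 65,536) and a race the attacker only gets to run again when the cached record expires. Here is a small model of that race, added here as an example and not code from the Wired piece or from Kaminsky's demo tool. It lets you plug in the burst size, the race rate and the entropy the resolver has, and compare the "one race per TTL" world with the Kaminsky-style world where every query for a fresh random subdomain opens a new race. The burst size, the TTL, the 1,000 races per second and a full 16 bits of source-port entropy are assumptions chosen for illustration, not measurements.

```python
"""Model of the DNS cache-poisoning race described in the excerpt.

Added example; not the Wired article's or Kaminsky's code. The resolver
protects each outstanding query with some unpredictable state (the 16-bit
transaction ID, later also a randomised UDP source port). The attacker
fires a burst of forged replies, each carrying a different guess, hoping
one lands before the real answer. Burst size, TTL, race rate and a full
16 bits of port entropy are illustrative assumptions.
"""
import random

TXID_BITS = 16          # transaction ID: the 1-in-65,536 guess from the excerpt
SOURCE_PORT_BITS = 16   # source-port randomisation, the post-disclosure mitigation
                        # (assumed full 16 bits; real resolvers skip some ports)


def success_probability(forged_per_race, entropy_bits):
    """Chance one race succeeds: forged_per_race distinct guesses cover that
    many points of a 2**entropy_bits space."""
    space = 2 ** entropy_bits
    return min(forged_per_race, space) / space


def expected_races(forged_per_race, entropy_bits):
    """Mean number of races until the first win (geometric distribution)."""
    return 1.0 / success_probability(forged_per_race, entropy_bits)


def simulate_race(rng, forged_per_race, entropy_bits):
    """One race: the resolver draws a secret, the attacker sends a burst of
    distinct guesses; the attacker wins if any guess matches."""
    space = 2 ** entropy_bits
    secret = rng.randrange(space)
    guesses = rng.sample(range(space), min(forged_per_race, space))
    return secret in guesses


def empirical_success_rate(forged_per_race, entropy_bits, races, seed=1):
    """Monte Carlo estimate of success_probability, to check the formula."""
    rng = random.Random(seed)
    wins = sum(simulate_race(rng, forged_per_race, entropy_bits)
               for _ in range(races))
    return wins / races


def seconds_to_poison(forged_per_race, entropy_bits, races_per_second):
    """Expected time for an attacker who can open races_per_second races.

    Before Kaminsky, a new race only opened when the cached record expired
    (one race per TTL: the 'days' in the excerpt). Kaminsky's trick was to
    force a fresh lookup per query by asking for a never-seen random
    subdomain, so races come as fast as the attacker can send them.
    """
    return expected_races(forged_per_race, entropy_bits) / races_per_second


if __name__ == "__main__":
    burst = 100                 # assumed forged replies per race
    ttl_race = 1 / 86400        # classic: one race per day-long TTL (assumed)
    kaminsky_race = 1000        # assumed: random-subdomain queries per second
    print("16-bit TXID, one race per TTL:  %.0f days" %
          (seconds_to_poison(burst, TXID_BITS, ttl_race) / 86400))
    print("16-bit TXID, Kaminsky-style:     %.2f s" %
          seconds_to_poison(burst, TXID_BITS, kaminsky_race))
    print("TXID + random port, Kaminsky:    %.1f hours" %
          (seconds_to_poison(burst, TXID_BITS + SOURCE_PORT_BITS,
                             kaminsky_race) / 3600))
    print("empirical vs analytic (16 bit, burst 100): %.4f vs %.4f" %
          (empirical_success_rate(burst, TXID_BITS, 20000),
           success_probability(burst, TXID_BITS)))
```

With these assumptions the same 16-bit ID goes from roughly 655 days (one race per TTL) to well under a second once the attacker can open a race per query, which is the "years" versus "less than 10 seconds" contrast in the excerpt. Adding a random source port multiplies the work by about 2^16, turning a sub-second attack into a sustained flood lasting the better part of a day in this toy model: a mitigation that raises the cost, not one that removes the race.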


  1. I’m still campaigning for Dan to get his own talk show. He’s got the grace and good humor to be the geek Johnny Carson.

  2. I tried to find the DanK soundboard, but it appears to have been taken down. I guess it was the thought that counts.

  3. Sigh. A meeting of executives. It would have gone so much faster if they skipped that part and got on with sending the details to the engineers via encrypted mail.

    Did somebody from Hollywood stage-manage this? It’s gratuitously over-dramatised.

  4. “Sigh. A meeting of executives. It would have gone so much faster if they skipped that part and got on with sending the details to the engineers via encrypted mail.”

    Uh, no. Wrong. Did you read the story?

    “And then, on July 21, a complete description of the exploit appeared on the Web site of Ptacek’s company. He claimed it was an accident but acknowledged that he had prepared a description of the hack so he could release it concurrently with Kaminsky. By the time he removed it, the description had traversed the Web. The DNS community had kept the secret for months. The computer security community couldn’t keep it 12 days.”

    The “executives” you’re criticizing clearly did a great job.

    This was a really excellent bit of writing on the part of Wired’s Joshua Davis, I think. It’s exciting in exactly the same way Bruce Sterling’s Hacker Crackdown book is exciting — thrilling because it’s very clear and everything you hear about is familiar and non-mysterious.

    Hollywood should learn this lesson, everyone who has ever tried or will try to create any fiction that even remotely touches on this topic should learn this lesson: it’s stronger if it’s built from things that are real.

  5. This is a great story, and one that isn’t finished being a story either. Apparently this flaw is still exploitable, and I have network engineer friends who have had to deal with it, recently even. Yikes.
