Metasploit DNS Exploit Under Development

Unless you are living under a security rock, you've probably heard that details of Dan Kaminsky's multi-vendor DNS vulnerability were inadvertently leaked.  If you don't know what this is about, you can read about it here.  Unfortunately, it's going to get worse.

Many sources, including Dan's Doxpara Research blog, are calling for immediate patching of all recursive DNS servers, and for good reason.  The cat's out of the bag and it's a very ugly cat.

Today I've seen a number of check-ins on Metasploit's public Subversion repository that indicate the Metasploit developers are most likely working on a public exploit for the vulnerability (see here, here, and here).  They were all checked in about 6 hours ago.  Check-in comments include "Adds a helper service for finding a DNS server's source port" and "Raw IP socket support for Rex. Guess what this is for :-)".

This means that anyone who can reach the unpatched recursive servers you use (or that you may use upstream) may soon have easy-to-use public exploit code that lets them point any DNS entry at any IP they wish.

In addition to making sure your recursive DNS servers are patched, if you use forwarders, make sure those are patched too, and soon.
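The vendor patches for this vulnerability randomize the UDP source port a resolver uses for its outbound queries, so one way to confirm that a recursive server or forwarder is actually running patched code is to watch its outbound queries and check that the source ports vary. The script below is an added example, not code from this post or from Metasploit: it parses a small constructed capture summary (the line format is an assumption, not any real tool's output) and reports how many distinct source ports and transaction IDs the resolver used, flagging a server that keeps sending from one fixed port.

```python
"""Audit a recursive resolver's outbound query source ports for randomization.

Run this over records captured on the resolver host or at its egress. A resolver
that has not been patched for the Kaminsky cache-poisoning bug typically sends
every upstream query from one fixed UDP port; a patched one picks a fresh port
per query, which is what this check looks for.
"""
import math
from collections import Counter

# Constructed sample records (not real captures). Assumed one-line-per-query format:
#   "<time> <resolver_ip>:<src_port> -> <auth_ip>:53 id=<txid> <qname>"
FIXED_PORT_CAPTURE = [
    "10:00:01 192.0.2.53:32768 -> 198.51.100.10:53 id=41233 www.example.net",
    "10:00:01 192.0.2.53:32768 -> 198.51.100.10:53 id=9817 mail.example.net",
    "10:00:02 192.0.2.53:32768 -> 198.51.100.10:53 id=60211 ftp.example.net",
    "10:00:02 192.0.2.53:32768 -> 198.51.100.20:53 id=2290 ns1.example.org",
    "10:00:03 192.0.2.53:32768 -> 198.51.100.20:53 id=17444 www.example.org",
    "10:00:03 192.0.2.53:32768 -> 198.51.100.20:53 id=51002 imap.example.org",
    "10:00:04 192.0.2.53:32768 -> 198.51.100.10:53 id=33107 shop.example.net",
    "10:00:04 192.0.2.53:32768 -> 198.51.100.10:53 id=7781 cdn.example.net",
]
RANDOM_PORT_CAPTURE = [
    "10:05:01 192.0.2.54:51233 -> 198.51.100.10:53 id=41233 www.example.net",
    "10:05:01 192.0.2.54:17902 -> 198.51.100.10:53 id=9817 mail.example.net",
    "10:05:02 192.0.2.54:63011 -> 198.51.100.10:53 id=60211 ftp.example.net",
    "10:05:02 192.0.2.54:2844 -> 198.51.100.20:53 id=2290 ns1.example.org",
    "10:05:03 192.0.2.54:40587 -> 198.51.100.20:53 id=17444 www.example.org",
    "10:05:03 192.0.2.54:29113 -> 198.51.100.20:53 id=51002 imap.example.org",
    "10:05:04 192.0.2.54:55980 -> 198.51.100.10:53 id=33107 shop.example.net",
    "10:05:04 192.0.2.54:8226 -> 198.51.100.10:53 id=7781 cdn.example.net",
]


def parse_record(line):
    """Return (source_port, txid) from one capture line; raise ValueError if malformed."""
    fields = line.split()
    if len(fields) < 5 or fields[2] != "->" or not fields[4].startswith("id="):
        raise ValueError(f"unrecognized record: {line!r}")
    port = int(fields[1].rsplit(":", 1)[1])
    txid = int(fields[4][len("id="):])
    return port, txid


def shannon_bits(values):
    """Empirical Shannon entropy of the observed values, in bits."""
    n = len(values)
    h = -sum((c / n) * math.log2(c / n) for c in Counter(values).values())
    return h or 0.0  # normalize -0.0 for the all-identical case


def audit_source_ports(lines, min_fraction=0.75):
    """Summarize port/txid diversity and give a verdict on source-port randomization.

    With n samples the measurable entropy is capped at log2(n), so the verdict
    compares against that cap rather than the 16 bits a port field could carry;
    collect hundreds of records for a meaningful estimate on a real server.
    """
    ports, txids = [], []
    for line in lines:
        port, txid = parse_record(line)
        ports.append(port)
        txids.append(txid)
    if not ports:
        raise ValueError("no records to audit")
    port_bits = shannon_bits(ports)
    cap = math.log2(len(ports))
    if len(set(ports)) == 1:
        verdict = "fixed-port"       # classic unpatched behaviour
    elif port_bits < min_fraction * cap:
        verdict = "low-diversity"    # worth a closer look with more samples
    else:
        verdict = "randomized"
    return {
        "samples": len(ports),
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": round(port_bits, 2),
        "txid_entropy_bits": round(shannon_bits(txids), 2),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, capture in (("fixed", FIXED_PORT_CAPTURE), ("random", RANDOM_PORT_CAPTURE)):
        print(name, audit_source_ports(capture))
```

Transaction IDs are reported alongside the ports because a resolver that randomizes its ports but reuses or sequences its IDs is still weaker than it should be; on a production server feed the audit a few hundred records rather than the eight constructed here, since a handful of samples cannot tell 16 bits of port entropy from 3.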

Update: The exploit module is now available.

here it is

http://metasploit.com/dev/trac/browser/framework3/trunk/modules/auxiliary/spoof/dns/baliwicked_host.rb?rev=5579

Posted by Anonymous on Wed, 2008-07-23 09:46