Dan Mahoney @ 2008-10-12 19:33:00
So I (and most people who administer a DNS server) had to do massive upgrades this year, due to a problem with the protocol (not with the software).
The basic problem with the protocol is that the query-id field in a DNS request is only 32 bits, meaning 65,535 possible query-ids, and it's trivially easy to pump out fake answers to those queries (most nameservers will simply discard an answer to a question they haven't asked). Since UDP is connectionless, the answers are easy to forge.
What's worse is that, because of the "birthday problem" (look it up on Wikipedia), you don't even have to pump out all 65,535 query-ids. Meaning I can keep hammering a resolver with fake answers for www.gushi.org, claiming it's at 192.168.x.x, forging my own address to be that of ns.gushi.org.
This was discovered by a nerd named "Dan Kaminsky" this summer, and caused major changes to the way all DNS software works.
The proposed fix (and most people in the field agree it is a kludge) is to have your DNS server software also randomize the source port, and make sure the reply is directed there...
So, I recently had a unique chance while sitting around a Vietnamese restaurant with four friends to explain this attack and mitigation in a common sense way.
Like most seedy Asian restaurants, the paper placemats had a description of the Chinese zodiac. We also came to start discussing the Western zodiac. The girl sitting across from me, named Meg -- revealed that she was an Aries.
This was roughly statistically accurate with the birthday problem. For four people, in a selection set of twelve, it became increasingly likely that two of us would match (i.e. the fourth person's odds were down to 1 in 9).
However, while we were both Arieses in the Western Zodiac, we did not match in the Eastern Zodiac -- I was a dragon, she a rabbit.
It's a good thing if I ever wind up giving a talk -- "Okay, everyone who is an Aries, put your hand up; everyone who's a Dragon, keep your hand up".
Simple and easy. No protocol knowledge required.
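To put numbers on both halves of the story (the zodiac table and the query-id space, and why adding a random source port is the "keep your hand up" step), here is an added example that is not part of the original post. Only the 65,535 query-id figure comes from the post; the ephemeral-port count and the "outstanding queries" values are constructed assumptions.

```python
"""Birthday-problem arithmetic behind the Kaminsky DNS cache-poisoning bug and
the source-port randomization mitigation. Added example, not the author's code.
Assumptions: query ids and ports are uniformly random; outstanding query ids
are distinct (good while outstanding << space)."""
import math


def p_shared(space: int, people: int) -> float:
    """Classic birthday problem: chance that at least two of `people` share one
    of `space` equally likely values (12 zodiac signs, 4 friends at dinner)."""
    if people > space:
        return 1.0
    p_all_distinct = 1.0
    for i in range(people):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct


def p_poisoned(space: int, outstanding: int, forged: int) -> float:
    """Chance that at least one of `forged` replies carrying random ids matches
    one of `outstanding` in-flight queries whose ids come from `space` values.
    Each forged reply lands with probability outstanding/space (assumption:
    the outstanding ids are distinct), so P = 1 - (1 - m/N)^k."""
    miss = 1.0 - outstanding / space
    return 1.0 - miss ** forged


def forged_needed(space: int, outstanding: int, target: float = 0.5) -> int:
    """Smallest number of forged replies giving at least `target` poisoning chance.
    Solves 1 - (1 - m/N)^k >= target for k; log1p keeps precision for m/N ~ 1e-5."""
    return math.ceil(math.log1p(-target) / math.log1p(-outstanding / space))


QUERY_IDS = 65_535        # the query-id space as given in the post
EPHEMERAL_PORTS = 64_512  # constructed: ports 1024..65535 assumed usable as source ports

if __name__ == "__main__":
    print(f"4 friends, 12 signs: P(shared sign) = {p_shared(12, 4):.3f}")
    for label, space in (("query-id only", QUERY_IDS),
                         ("query-id + random source port", QUERY_IDS * EPHEMERAL_PORTS)):
        for m in (1, 100):
            k = forged_needed(space, m)
            print(f"{label:32s} {m:4d} outstanding: ~{k:>14,d} forged replies for 50%")
```

The ratio between the two `forged_needed` results is the whole argument for the mitigation: every extra bit of randomness the reply must match multiplies the flood the resolver would have to receive in the same window.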