The main DNS security issues have very often focused on server side problems and vulnerabilities. This paper focuses on Windows client DNS service, also called DNS resolver. This paper explains how it is often possible to predict the “Transaction ID” and the “UDP port number” used by Windows’ DNS Resolver. With this information it will be shown how it is possible, under certain conditions, to win the race against the regular DNS server and hijack, for example, a TCP/IP session. Even if this problem has been reported to Microsoft’s security experts and we both agreed that there is no immediate threat or security vulnerability, it may be used to attack Windows LAN and WAN clients for example at startup. In WLAN too, which shares the medium and then is subjected to the well-known DNS attacks based on sniffing, this predictability increases the chances of being effectively attacked.
Microsoft informed me that the concerns mentioned in this paper will be addressed in future versions of its products.