Security Now 1049: DNS Cache Poisoning Returns
TWiT.tv | Hosted by Leo Laporte & Steve Gibson | October 29, 2025
Overview
This episode, titled "DNS Cache Poisoning Returns," revisits one of the internet’s oldest and most serious security challenges: DNS cache poisoning—an issue many thought resolved after a major fix in 2008. Host Leo Laporte and security expert Steve Gibson dive deep into recent vulnerabilities resurfacing in major DNS resolvers, dissect the technical failings that led us back here, and cover a sweep of major security news including smart device privacy, ransomware trends, regulatory shakeups, and password policy debates. The episode’s tone remains relaxed, insightful, and often wry, demonstrating both hosts’ rapport and Steve's signature mix of exasperation and expertise.
Key Discussions and Insights
1. The Return of DNS Cache Poisoning (Main Topic)
- Summary: A critical vulnerability has been re-identified in BIND and Unbound, two of the internet’s most widely deployed DNS resolvers, caused by weak random number generation—a foundational mistake fixed 17 years ago but now back in the spotlight.
- Context: DNS cache poisoning attacks allow adversaries to redirect large swathes of internet traffic for credential theft, phishing, and more by injecting fake DNS records into resolvers' caches.
- Why Now?: Recent CVEs (CVE-2025-4778 and CVE-2025-4780) highlight logic errors and poor pseudo-random number generation that let attackers predict query parameters and spoof responses, as in the pre-2008 era.
- Expert Take: Steve is visibly frustrated that such elementary randomness flaws exist in 2025, especially given DNS resolvers sit “in a blizzard of entropy.”
"No device on any busy network has any business having a weak pseudo random number generator. It is just unconscionable." — Steve Gibson (1:52:23)
How Cache Poisoning Works (Explained) [1:36:00–1:44:30]
- DNS relies on UDP, which is unauthenticated.
- Attackers time requests to align with cache expiration, then flood the resolver with spoofed responses.
- If an attacker guesses the right port and transaction ID, they can inject a fraudulent IP address.
- Without proper randomness (for both port and query ID), attacks become trivially feasible.
The Old Solution and Its Failure [1:44:31–1:48:10]
- The 2008 fix: Use strong randomness for ports and query IDs to make spoofing infeasible.
- Current failures stem from PRNGs that remain predictable or ill-seeded.
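To make the guessing game in the two lists above concrete, here is an added Python model; it is not code from the episode, from BIND or from Unbound. It assumes a resolver draws its source port from 1024–65535 (the `EPHEMERAL_PORTS` constant) and a 16-bit transaction ID, and the `WEAK_SAMPLE` and `STRONG_SAMPLE` inputs are constructed for illustration. The first half quantifies how much the 2008 fix buys (roughly 16 bits of guessing space versus roughly 32); the second half is the defender's check: feed `audit_query_parameters` the (port, txid) pairs your own resolver's upstream queries actually carry, taken from a packet capture, to catch a fixed port or a counter-style ID.

```python
"""
Toy model of the resolver-side race: a resolver accepts a UDP reply only if
its (source port, transaction ID) pair matches an outstanding query, so an
off-path spoofer who cannot see the query has to guess that pair.
"""
import math
import secrets

TXID_SPACE = 65536              # 16-bit DNS transaction ID
EPHEMERAL_PORTS = 65536 - 1024  # ports 1024-65535 (assumption: privileged ports avoided)


def guess_space(port_choices: int, txid_choices: int) -> int:
    """Number of (port, txid) pairs a blind spoofer must guess among."""
    return port_choices * txid_choices


def unpredictability_bits(port_choices: int, txid_choices: int) -> float:
    """Effective entropy the attacker faces, in bits."""
    return math.log2(guess_space(port_choices, txid_choices))


def spoof_success_probability(spoofed_replies: int, port_choices: int,
                              txid_choices: int) -> float:
    """Chance that a burst of distinct-guess forged replies, all landing before
    the genuine answer, matches the single live (port, txid) pair."""
    return min(1.0, spoofed_replies / guess_space(port_choices, txid_choices))


def new_query_parameters() -> tuple[int, int]:
    """How a resolver should choose the pair: from the OS CSPRNG, with no
    dependence on the clock, the PID or a small-state generator."""
    port = 1024 + secrets.randbelow(EPHEMERAL_PORTS)
    txid = secrets.randbelow(TXID_SPACE)
    return port, txid


def _is_sequential(values: list[int], modulus: int) -> bool:
    """True when every step is +1 (mod modulus): a counter, not a random draw."""
    return len(values) > 1 and all((b - a) % modulus == 1
                                   for a, b in zip(values, values[1:]))


def audit_query_parameters(samples: list[tuple[int, int]]) -> dict:
    """Inspect consecutive (port, txid) pairs seen leaving a resolver and flag
    the cheap-to-spot weaknesses.  Passing is necessary, not sufficient: a
    well-shuffled but reproducible PRNG output passes this audit too."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    return {
        "fixed_port": len(set(ports)) == 1,
        "sequential_ports": _is_sequential(ports, 65536),
        "sequential_txids": _is_sequential(txids, TXID_SPACE),
        "distinct_ports": len(set(ports)),
        "distinct_txids": len(set(txids)),
    }


# Constructed sample: pre-2008 behaviour, one fixed source port and a txid counter.
WEAK_SAMPLE = [(53, 0x1000 + i) for i in range(8)]
# Constructed sample: parameters drawn from the CSPRNG.
STRONG_SAMPLE = [new_query_parameters() for _ in range(8)]

if __name__ == "__main__":
    for label, ports in (("txid only", 1), ("txid + random port", EPHEMERAL_PORTS)):
        print(f"{label}: {unpredictability_bits(ports, TXID_SPACE):.1f} bits, "
              f"P(hit) with 65536 forged replies = "
              f"{spoof_success_probability(65536, ports, TXID_SPACE):.2e}")
    print("weak sample:  ", audit_query_parameters(WEAK_SAMPLE))
    print("strong sample:", audit_query_parameters(STRONG_SAMPLE))
```

The GRC spoofability test linked at the bottom of this page measures the same property from the outside, by watching the ports and IDs a resolver uses when it queries a test domain; the audit above is the same idea applied to your own capture.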
2. Smart Vacuums and In-Home Privacy [13:19–23:23]
- Incident: A user discovered their iLife A11 smart vacuum was secretly mapping their home and sending the data back to the manufacturer; when outbound traffic was blocked, the company remotely bricked the vacuum.
- Technical Details:
  - Vacuum ran Android with open debugging ports.
  - Company used a remote 'kill switch' triggered after data collection was blocked.
- Bigger Issue: Many "dumb" IoT devices grant manufacturers root access to your home network and may leak Wi-Fi credentials.
"Any connected device will be providing the entities that designed the device with full access behind the network’s router to the internal residential network to which the device is authenticated." — Steve Gibson (28:29)
3. Ransomware Trends and the Backup Reality Check [73:03–77:14]
- Coveware Report: Only 15% of organizations that believe they're prepared to recover from ransomware actually succeed; meanwhile, ransomware payment rates fell below 25%—down from 85% six years ago.
- Insight: Many organizations overestimate backup effectiveness; even those refusing to pay find they can’t actually restore their systems.
- Technical Entry Points [82:05–89:30]:
  - Most attacks start via three vectors: remote access compromise, phishing/social engineering, or unpatched vulnerabilities.
  - Attackers increasingly blend social engineering with technical exploits.
4. Security Regulation Expands Globally [32:27–47:30]
- Russia & China’s Vulnerability Laws: Both require all security researchers to disclose vulnerabilities to the state, feeding offensive cyber operations.
- EU Digital Services Act (DSA) Enforcement:
  - Meta, Facebook, and TikTok face scrutiny and fines up to 6% global revenue for making user reporting and research too difficult.
- Trend: The wild-west internet is ending; strict, sometimes protectionist, regulation is the new norm.
5. Password Policy: The NIST Debate Continues [53:53–131:03]
- Listener Feedback: A large volume of listener email offered perspectives both supporting and opposing frequent password changes.
- NIST’s Updated Guidelines (Read by Steve, 2:03:55):
  - Minimum 15 characters for single-factor, 8 for multi-factor.
  - No enforced periodic password changes unless breach detected.
  - No password hints, no security questions.
  - Support for long (64+ char) and Unicode passwords.
- Steve’s Philosophy: Focus on long, unique passwords (via managers), and don't punish users with unnecessary rotation.
"Harassing users for no good reason causes users to hate security." — Steve Gibson (129:33)
"Adopt the NIST guidelines and be invited to parties!" — Steve Gibson (175:25)
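As an added illustration of the NIST rules listed above (not code from the episode, from NIST or from any library), the Python below encodes the length minimums, the no-rotation-without-breach rule, and the "long and Unicode" requirement. The part deployments tend to get wrong is the last one: if the verifier hashes with bcrypt, which only consumes the first 72 bytes of its input, a 64-character non-ASCII password is silently truncated, so the check measures both code points and UTF-8 bytes. The bcrypt limit is a known property of that algorithm, and the assumption that bcrypt is the hash in use is labelled in the code; the NFKC normalization step is what NIST SP 800-63B recommends and is stated here as a fact about that document, not something from the episode.

```python
"""
Password-acceptance rules per the NIST guidelines summarized above, plus
the two Unicode pitfalls (normalization and byte-length truncation).
"""
import unicodedata

MIN_LENGTH_SINGLE_FACTOR = 15           # from the guidelines as read on the episode
MIN_LENGTH_MULTI_FACTOR = 8
MAX_LENGTH_VERIFIER_MUST_ACCEPT = 64    # verifiers must accept at least this many
BCRYPT_INPUT_LIMIT_BYTES = 72           # bcrypt property; assumption: bcrypt is the hash in use


def normalize(password: str) -> str:
    """NFKC-normalize so the same visible string typed on different keyboards
    (e.g. precomposed 'é' vs 'e' + combining acute) hashes identically."""
    return unicodedata.normalize("NFKC", password)


def policy_violations(password: str, multi_factor: bool) -> list[str]:
    """Return the rule violations; an empty list means the password is accepted.
    Deliberately absent: composition rules, hints, security questions and any
    age-based rejection, none of which the guidelines permit."""
    pw = normalize(password)
    minimum = MIN_LENGTH_MULTI_FACTOR if multi_factor else MIN_LENGTH_SINGLE_FACTOR
    problems = []
    if len(pw) < minimum:  # len() counts code points, so a non-ASCII char counts once
        problems.append(f"shorter than {minimum} characters")
    return problems


def truncated_by_bcrypt(password: str) -> bool:
    """True when bcrypt would silently ignore the tail of this password."""
    return len(normalize(password).encode("utf-8")) > BCRYPT_INPUT_LIMIT_BYTES


def verifier_limit_is_compliant(max_accepted_chars: int) -> bool:
    """A verifier that caps passwords below 64 characters violates the guideline."""
    return max_accepted_chars >= MAX_LENGTH_VERIFIER_MUST_ACCEPT


def rotation_required(breach_detected: bool, days_since_change: int) -> bool:
    """Only a detected compromise forces a change; password age alone never does."""
    return breach_detected


if __name__ == "__main__":
    # Constructed sample passwords for illustration.
    for pw, mfa in (("correct horse battery staple", False), ("a" * 14, False),
                    ("a" * 8, True), ("e\u0301" * 15, False)):
        print(repr(pw), "mfa" if mfa else "single", policy_violations(pw, mfa))
    print("64 x 'é' truncated by bcrypt:", truncated_by_bcrypt("é" * 64))
    print("rotation after 365 days, no breach:", rotation_required(False, 365))
```

The `"e\u0301" * 15` case is the one to try against your own implementation: without normalization a verifier counts it as 30 code points at enrolment and may reject or mis-hash the precomposed form the user types later.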
Notable Quotes & Memorable Moments
- On DNS Security Failings:
  - "You need entropy in order to have security." — Steve (1:49:55)
  - "An objective observer could be forgiven for concluding that some things appear to be difficult to get right." — Steve (1:35:50)
- On IoT & Privacy:
  - “Essentially, any device that’s connected to a network ... could very well be leaking [Wi-Fi] credentials back to the device’s home servers.” — Steve (23:23)
- On Ransomware Overconfidence:
  - “95% of respondents are confident in their ability to recover ... Only 15% of those confident were actually able.” — Steve (73:08)
- Listener Voices:
  - On password policy: “For my Brownie baking blog, no change necessary; for my millions, maybe quarterly; for my trillions, monthly; and for the nuclear codes, weekly.” — Listener CJ (101:29)
  - On user rebellion: "[If] you cannot use your last 10 passwords ... it would take 20 days to get back to your original password, which you probably forgot by then anyway." — Listener (95:53)
Timestamps for Important Segments
| Topic | Timestamp |
|---|---|
| Smart Vacuum Privacy & Security | 13:19–31:45 |
| Russia/China Security Vulnerability Laws | 32:27–47:30 |
| Ransomware Trends & Coveware Report | 73:04–77:14; in-depth 82:05–90:28 |
| NIST Password Policy & User Feedback | 53:53–131:03 |
| DNS Cache Poisoning Explained | 1:35:50–1:52:23 |
| Pseudo-random Number Generation Deep Dive | 1:52:23–1:57:14 |
Additional Topics & Listener Q&A
- Microsoft Teams adds Wi-Fi location tracking (68:41–73:03)
- Discussion on legal and privacy ramifications of regulatory changes.
- Listener Q&A on password policies, F-Droid app downloads, and the future of Security Now.
Steve’s Parting Words
“Adopt the NIST guidelines and be invited to parties!” (175:25)
Useful Links
- GRC DNS Spoofability Test
- Coveware Ransomware Q3 2025 Report: coveware.com/reports/ransomware-q3-2025
- Ars Technica’s Article on DNS Vulnerabilities: arstechnica.com/information-technology/2025/10/dns-cache-poisoning-returns
Summary by Security Now Podcast Summarizer — For technical professionals and thoughtful laypeople who missed the episode, or want a quick yet deep review of Steve and Leo’s essential security insights.