At Black Hat, Kaminsky details DNS flaw
Security researcher Dan Kaminsky has offered more details about a fundamental flaw in the Domain Name System and the extent of the vulnerability.
In a presentation at the Black Hat security conference in Las Vegas on Wednesday, Kaminsky gave details of how a successful DNS cache poisoning attack could be launched by taking advantage of the flaw.
Kaminsky explained that transaction IDs, which are supposed to prevent “bad guys” from assigning their own IP address numbers to any domain, are ineffective as security measures. An attacker could flood a DNS server with multiple, slightly varied requests for a domain, such as “1.foo.com” or “2.foo.com.” Because a transaction ID can only be a number between 0 and 65535, and the attacker can launch as many requests as needed, one of the attacker’s forged replies will eventually carry the ID the server expects, purely by chance.
Once a reply has been accepted this way, the attacker can flood the name server with spoofed replies to poison its cache for the domain being attacked, for example “foo.com.” Requests for foo.com would then direct a user to a site of the attacker’s choosing.
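As an added illustration from the defender's side (not code from the article or from Kaminsky's talk), the following Python shows how a resolver that records every reply whose transaction ID matches no outstanding query can flag the burst of mismatched replies across numbered subdomains of one zone that this technique produces. The event records, IP addresses, window and threshold are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed resolver-side events (not from the article): each tuple is
# (timestamp in seconds, source IP of the reply, query name the reply answers,
#  whether the reply's transaction ID matched an outstanding query).
CONSTRUCTED_EVENTS = [
    (0.00, "198.51.100.7", "www.foo.com", True),
    (1.00, "203.0.113.9", "1.foo.com", False),
    (1.01, "203.0.113.9", "1.foo.com", False),
    (1.02, "203.0.113.9", "2.foo.com", False),
    (1.03, "203.0.113.9", "2.foo.com", False),
    (1.04, "203.0.113.9", "3.foo.com", False),
    (1.05, "203.0.113.9", "3.foo.com", False),
    (2.50, "198.51.100.7", "mail.foo.com", True),
    (9.00, "203.0.113.9", "4.foo.com", False),  # isolated, outside the window
]

def parent_domain(qname, labels=2):
    """Collapse 1.foo.com, 2.foo.com, ... onto the zone under attack (foo.com)."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-labels:])

def detect_poisoning_bursts(events, window=5.0, threshold=5):
    """Return one alert per (source, zone) that produced at least `threshold`
    mismatched-ID replies within any `window` seconds. Events must be in time order.
    A single stray mismatch (e.g. a late reply after a retry) stays below threshold."""
    recent = defaultdict(deque)  # (src, zone) -> timestamps of recent mismatches
    alerts = []
    fired = set()
    for ts, src, qname, id_matched in events:
        if id_matched:
            continue
        key = (src, parent_domain(qname))
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop mismatches older than the window
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"source": src, "zone": key[1], "mismatches": len(q),
                           "first": q[0], "last": ts})
    return alerts

if __name__ == "__main__":
    for alert in detect_poisoning_bursts(CONSTRUCTED_EVENTS):
        print(alert)
```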
This vulnerability can be exploited by using multiple vectors of attack, according to Kaminsky. Web browsers can be forced to look up what the attacker wants, as links, images, and ads can cause a DNS look-up. Mail servers will look up what an attacker wants when performing functions such as a spam check, or when trying to deliver a bounce, newsletter, or bona fide e-mail response.
Kaminsky warned that it is also possible to pollute top-level domains such as .com, .net and .org.