Re:How does this work? (Score 5, Informative)

From memory, classic DNS poisoning goes something like the following:

1. Pick any DNS server which isn't authoritative for the domain which you wish to poison with the IP of your choosing. Something like your ISP's DNS server will work nicely.
   
2. Send a legitimate DNS request to the server for a domain which is authoritative under a server you are in control of, and which your choosen server (and any in-between it and your own server) won't already have in its cache.
   
3. When the request for the domain comes into your server, you have the sequence number which originated from your target DNS server. The idea with this sequence number is that your reply to the originating server contains the number, and hence the server knows which request is being replied to. Here is where the vulnerability comes in.
   Earlier versions of BIND use sequential sequence numbers in each request; nowadays pseudo-random numbers are used. What we're really after here is the next sequence number, or at least an idea of what it might be. In the case of sequential numbers, you have a rather small range of next sequence numbers. If your pseudo-RNG isn't cryptographically secure, it's possible to guess the next number in the sequence (for which you might want to make a few legitimate requests to your target server to observe the sequence).
   
4. Next up, make a request to your target server for the domain which you want to take control of. For this to work, your target DNS server must send out a further request for this domain. Since you have an idea of the sequence number which has been sent out with this request, you can now start flooding the target DNS server with false replies.
   
5. The ultimate goal is that you will hit the correct sequence number with your false reply before the legitimate reply comes in, hence poisoning the DNS. Further requests to your target server within the record timeout (which you may specify yourself in your false replies, so they can last quite a while) will be replied to with a cached version containing your poisoned IP.
   
6. Watch the requests come in for the content to your own IP, serve up appropriately.