This paper shows that Windows DNS stub resolver queries are predictable, i.e. that the source UDP port and DNS transaction ID can be effectively predicted. A predictability algorithm is described that, in optimal conditions, narrows the "next" query down to very few guesses, thereby overcoming whatever protection is offered by the transaction ID mechanism. This enables much more effective DNS client poisoning than the currently known attacks against the Windows DNS stub resolver.