This paper shows that Windows DNS stub resolver queries are predictable, i.e. that the source UDP port and DNS transaction ID can be effectively predicted. A prediction algorithm is described that, in optimal conditions, narrows the "next" query down to very few guesses, thereby overcoming whatever protection is offered by the transaction ID mechanism. This enables much more effective DNS client poisoning than the currently known attacks against the Windows DNS stub resolver.
You can download it from the following link: https://packetstormsecurity.com/files/download/65337/Microsoft_Windows_resolver_DNS_cache_poisoning.pdf
Source: https://packetstormsecurity.com/files/65337/Microsoft_Windows_resolver_DNS_cache_poisoning.pdf.html

