Let's be charitable and say that every single one of those is connected to the internet 24x7 and they love microsoft so much that they visit the url every hour, so 24 times a day. To get even more accommodating, let's imagine every single computer in the world has a single bit error occur every hour as well, right before they head to microsoft.com.
In that case you'd expect about 3 hits a day.
I'm sure it can happen, but I'd be surprised if most of the traffic wasn't caused by other things. I can't be the only one who noticed in mic2osoft.com the number 2 is only two keys away from r. It may not be the most common typo in the world, but I bet the odds are a lot higher than 1 in 8.5 billion.
I almost think it's an inside joke, Kaminsky sounded just a wee bit too blown away while he was raving about the presentation last night. Or maybe that was just the booze tallking.
Also, the dns client is waiting for an address for the host that it requested. If it asks "where is alice?" and the dns server replies "bob is at x.x.x.x" it won't go there because the names don't match. So the error pretty much has to have happened on the client, but it could be a disk error, dma glitch, bug, malware or maybe a bad proxy/firewall.
Regardless, this is ever more reason to use something like TLS to initiate a trusted identity with another party. Even in the null cipher case, it's useful to exchange a certificate.
edit: I found some more recent numbers via [2]. Relevant quote: "Our first observation is that memory errors are not rare events. About a third of all machines in the fleet experience at least one memory error per year (see column CE Incid. %) and the average number of correctable errors per year is over 22,000. These numbers vary across platforms, with some platforms (e.g. Platform A and B) seeing nearly 50% of their machines affected by correctable errors, while in others only 12–27% are affected. The median number of errors per year for those machines that experience at least one error ranges from 25 to 611." They were using server-class machines with ECC.
[1] http://sip.cs.princeton.edu/pub/memerr.pdf
[2] http://www.cs.toronto.edu/~bianca/papers/sigmetrics09.pdf
But the sheer number of operational computers probably means that the likelihood that at any given moment this is impacting someone's DNS query is probably fairly high.
The likelihood of a bit-flip is very uncommon. Even taking into account the volume of computers out there, the likelihood of a bit-flip at the exact spot (in the domain name) and moment of a DNS lookup (before the checksum is calculated) is astronomically uncommon. This article is garbage.
Scenario 1) Lets say we have normal Windows computer asking what is update.microsoft.com as an A-record. The computer's resolver sends its request to its ISP's DNS server it was assigned via DHCP. One bit is flipped on transit and the DNS server receives request to resolve update.mic2osoft.com and it does so. Then it returns the result via UDP telling the Windows computer that update.mic2osoft.com is 1.2.3.4, but the computer's resolver was expecting an answer for update.microsoft.com so it rejects(should reject) the result even though the transaction ID is what it expected. Also UDP checksum poses a problem the recursor could reject the packet and not do anything.
Scenario 2) Another scenario is where the bit corrupts on transit while the ISP's DNS recursor is querying the Verisign .com root servers for microsoft.com (assuming it's not cached) and one bit corrupts in transit. Verisign's server answers that mic2osoft.com DNS servers are ns1.mic2rosoft.com and ns2 and it provides the glue records for them (IP addresses) if necessary. DNS recursor receives an answer for mic2rosoft.com while it expects answer for microsoft.com and rejects the result before querying nsX.mic2rosoft.com. UDP checksum also a problem here.
Scenario 3) Bit flip on the Windows computer's RAM before gethostbyname() is called so they call gethostbyname(update.mic2osoft.com). Another timeframe for a successful bitflip is while the OS is running gethostbyname(update.microsoft.com) but before the request is sent. gethostbyname() only returns the IP address so the function caller will not know if its wrong. This is the most plausible scenario, ECC is also rare in consumer hardware so that shouldn't pose a problem.
Scenario 4) Bit flip on the DNS recursors RAM. This depends on whether the address to be queried is stored in several variables in the DNS server so the DNS answer packet to the Windows computer has the correct FQDN but the DNS server queried for the wrong address due to the bit flip. Servers usually have ECC so this is implausible but not impossible. Also if this happened, the DNS server's cache could also get the incorrect entry and give it out to many many many clients if it was a popular ISP's DNS server.
An interesting thought would be what if IP-addresses bit-flipped. If Microsoft had all their update servers in 80.100.2.0/24 and an attacker owned 16.100.2.0/24 with one bit flipped. How much traffic would the network receive? If bit flipped on transit while the server is returning answer for update.microsoft.com UDP checksum should be incorrect but what if a popular ISP's DNS recursor's cache had a flipped IP address for update.microsoft.com. Very implausible but would result in lot of traffic.
One more scenario comes to mind about IP bit-flipping. If ns1.microsoft.com was at 5.1.1.1 and an attacker owned 1.1.1.1 he could also configure his DNS server (more specifically the UDP stack on the Linux kernel) to ignore the invalid UDP checksums and serve falsified DNS answers.
Seems like the author's DEFCON speak will be held next Sunday, he probably knows much much more about the subject than what I just wrote. I will definitely read his slides/whitepaper.
