[kwlug disc.] DNS security threat

Rashkae rashkae at tigershaunt.com
Fri Aug 1 10:22:05 EDT 2008


Paul Nijjar wrote:

> 
> One big problem appears to be NAT -- even if the upstream DNS server
> is okay, the way that NAT deals with ports can screw things up again.
> I am worried about this because our IPCop box is doing NAT. 


Your NAT won't make any difference whatsoever.  NAT only makes things
more complicated if the DNS server is behind one, because the DNS
'patch' on the DNS server can no longer randomize the port at which the
DNS server tries to do its magic.


> As of right now my runs on doxpara.com are still returning that Rogers
> is vulnerable. Could somebody else who is on Rogers (and maybe who is
> not using NAT) verify this? I have been trying to track down
> confirmation on the web but I keep getting results about the Rogers
> decision to redirect bad DNS connections to advertising pages instead. 
> 

I would just install Bind on a local machine on my network and use that
as my DNS server.  It's much faster and more reliable than Rogers'
overloaded systems, and even if you don't update, as long as you are
behind a firewall, this attack is effectively neutered.  (To be more
precise, the attack would have to be launched from a PC within your
network, directed at a DNS server the attacker doesn't even see from
outside your network.  Though theoretically very possible, I'm not
seeing this as a likely in-the-wild method.  In any case, all distros
currently maintained have had a patch for weeks!)
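As an added example, not code from the original post or from any of the tools mentioned in it: the thread turns on whether a resolver's outgoing source ports still look randomized after they pass through NAT, which is the property the doxpara test is checking. The Python script below takes (source_port, txid) pairs as a defender would read them off a packet capture of the resolver's outbound queries and reports whether the ports look randomized, sequential (what a NAT box that rewrites source ports into a running block produces), fixed (the pre-patch behaviour), or confined to a narrow window. The three samples, the threshold values and the verdict labels are constructed for this example.

```python
# Added example, not part of the original post: classify how a resolver's
# outbound DNS source ports look from outside.  Feed it (source_port, txid)
# pairs taken from a capture of the resolver's outgoing queries; the three
# samples below are constructed, not captured data.
from collections import Counter
import math

# Constructed: a patched resolver picking ports across the ephemeral range.
RANDOMIZED_SAMPLE = [
    (52873, 0x1a2b), (17455, 0x9c01), (61234, 0x4455), (3391, 0x7e10),
    (44910, 0x0b3c), (29075, 0xd2f9), (58320, 0x61a8), (11007, 0xee07),
    (37762, 0x1950), (63501, 0xa3c4), (22148, 0x5d92), (49390, 0x38bb),
]
# Constructed: the same queries after a NAT box rewrote the source ports
# into a sequential block, the failure mode the thread is worried about.
SEQUENTIAL_SAMPLE = [(1024 + i, txid) for i, (_, txid) in enumerate(RANDOMIZED_SAMPLE)]
# Constructed: an unpatched resolver that always sends from one port.
FIXED_SAMPLE = [(32768, txid) for _, txid in RANDOMIZED_SAMPLE]


def port_stats(samples):
    """Summarize the source ports in a list of (port, txid) pairs."""
    ports = [p for p, _ in samples]
    n = len(ports)
    steps = [b - a for a, b in zip(ports, ports[1:])]
    sequential_steps = sum(1 for s in steps if s == 1)
    counts = Counter(ports)
    # Shannon entropy of the observed port distribution, in bits.  With n
    # queries it tops out at log2(n), so it is a lower bound on what the
    # resolver is doing, not a measurement of the full 16 bits.
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return {
        "queries": n,
        "distinct_ports": len(counts),
        "distinct_txids": len({t for _, t in samples}),
        "spread": max(ports) - min(ports),
        "sequential_frac": sequential_steps / len(steps) if steps else 0.0,
        "entropy_bits": round(entropy, 2),
    }


def assess(samples, min_spread=1000):
    """Return the stats plus a verdict: 'fixed', 'sequential', 'narrow' or 'randomized'.

    The thresholds are this example's own choices, not values from any tool.
    """
    stats = port_stats(samples)
    if stats["distinct_ports"] == 1:
        verdict = "fixed"          # pre-patch behaviour: one source port
    elif stats["sequential_frac"] > 0.5:
        verdict = "sequential"     # ports increment: typical of NAT port rewriting
    elif stats["spread"] < min_spread:
        verdict = "narrow"         # varies, but inside too small a window
    else:
        verdict = "randomized"
    stats["verdict"] = verdict
    return stats


if __name__ == "__main__":
    for name, sample in (("randomized", RANDOMIZED_SAMPLE),
                         ("sequential", SEQUENTIAL_SAMPLE),
                         ("fixed", FIXED_SAMPLE)):
        print(name, assess(sample))
```

Because NAT rewrites happen after the resolver has chosen its port, the capture has to be taken on the outside of the NAT device to see what an upstream server (and an attacker) would see; a capture on the resolver's own interface will show the randomized ports regardless.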


