[kwlug disc.] DNS security threat

john at netdirect.ca john at netdirect.ca
Fri Aug 1 10:48:10 EDT 2008


kwlug-disc-bounces at kwlug.org wrote on 08/01/2008 09:22:05 AM:

> Paul Nijjar wrote:
> Your NAT won't make any difference whatsoever.  NAT only makes things
> more complicated if the DNS server is behind one, because the DNS
> 'patch' on the DNS server can no longer randomize the port at which the
> DNS server tries to do its magic.

Isn't complication what we require here? The DNS poison attack relies on 
guessing the TXID and the source port number. If the source port number 
stays the same then the attacker has to guess one of 65,000 in order to 
poison. With port randomization as well, it multiplies the problem.

Couldn't NAT provide some of that complication?

> I would just install Bind on a local machine of my network and use that
> as my DNS server.  It's much faster and more reliable than Rogers
> overloaded systems, and even if you don't update, as long as you are
> behind a firewall, this attack is effectively neutered.  (To be more
> precise, the attack would have to be launched from a PC within your
> network, directed at a DNS server the attacker doesn't even see from
> outside your network.  Though theoretically very possible, I'm not
> seeing this as a likely in-the-wild method.  In any case, all distros
> currently maintained have had a patch for weeks!)

Isn't one of the attack vectors where an attacker would "trick" your name 
server into resolving a name for it? Say by sending an email with a URL 
reference, or phishing someone to a web site with a remote image, or any 
other way? Then the attacker tries to send back poisoning responses from 
its DNS server? It would have a small chance of working, but if an 
attacker does that to, say, 65,000 systems one could be a hit. Replicate 
that over and over to a base of a million systems and it could find enough 
success to justify the attack.

With this vector the server could be firewalled. The attacking DNS server 
could simply send enough response traffic to keep the NAT connection 
alive, indefinitely. This is assuming there isn't a mechanism in NAT or 
bind or an NIDS to shut down an attacker.
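One way to check the point raised above, that a NAT can quietly undo a resolver's port randomization, is to look at the source ports of outgoing queries as seen on the outside of the NAT. The script below is an added example, not code from this thread or from Bind; the tcpdump-style lines are constructed, and the thresholds are assumptions.

```python
import re

# Constructed tcpdump-style lines of outgoing UDP/53 queries, as captured
# on the outside interface of a NAT.  First set: randomized ports pass
# through untouched.  Second set: the NAT has rewritten every query to
# consecutive ports, undoing the resolver's randomization.
RANDOMIZED = [
    "IP 203.0.113.5.41923 > 198.51.100.2.53: 8812+ A? example.com. (29)",
    "IP 203.0.113.5.5512 > 198.51.100.2.53: 61207+ A? example.net. (29)",
    "IP 203.0.113.5.60021 > 198.51.100.2.53: 1933+ A? example.org. (29)",
    "IP 203.0.113.5.33107 > 198.51.100.2.53: 42870+ A? example.com. (29)",
    "IP 203.0.113.5.18840 > 198.51.100.2.53: 27541+ A? example.net. (29)",
    "IP 203.0.113.5.52266 > 198.51.100.2.53: 9060+ A? example.org. (29)",
]
NATTED = [
    "IP 203.0.113.5.1024 > 198.51.100.2.53: 8812+ A? example.com. (29)",
    "IP 203.0.113.5.1025 > 198.51.100.2.53: 61207+ A? example.net. (29)",
    "IP 203.0.113.5.1026 > 198.51.100.2.53: 1933+ A? example.org. (29)",
    "IP 203.0.113.5.1027 > 198.51.100.2.53: 42870+ A? example.com. (29)",
    "IP 203.0.113.5.1028 > 198.51.100.2.53: 27541+ A? example.net. (29)",
    "IP 203.0.113.5.1029 > 198.51.100.2.53: 9060+ A? example.org. (29)",
]

QUERY_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)\+?")

def parse_queries(lines):
    """Return (source_port, txid) for each outgoing query line."""
    out = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            out.append((int(m.group(1)), int(m.group(2))))
    return out

def port_randomization_report(lines, min_distinct_ratio=0.9, max_sequential=0.2):
    """Heuristic check of source-port diversity; thresholds are assumed."""
    ports = [p for p, _ in parse_queries(lines)]
    if len(ports) < 2:
        raise ValueError("need at least two parsed queries")
    distinct = len(set(ports))
    # Fraction of consecutive queries whose ports differ by at most 1.
    # A NAT handing out ports sequentially drives this toward 1.0.
    steps = [abs(b - a) <= 1 for a, b in zip(ports, ports[1:])]
    sequential = sum(steps) / len(steps)
    return {
        "queries": len(ports),
        "distinct_ports": distinct,
        "sequential_fraction": round(sequential, 2),
        "randomized": distinct / len(ports) >= min_distinct_ratio
        and sequential <= max_sequential,
    }
```

Run it against a real capture taken outside the NAT rather than on the resolver itself; the resolver's own view of its ports is exactly what the NAT may be rewriting.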
