[kwlug disc.] DNS security threat
john at netdirect.ca
Fri Aug 1 11:12:59 EDT 2008
kwlug-disc-bounces at kwlug.org wrote on 08/01/2008 09:27:39 AM:
> Is that correct, about running an internal DNS? Because that's exactly
> what I do (DNS on local server, behind my home router/firewall. It
> serves to the public only my domains and serves the internal network
> with any domain). Yet the testing tool shows my DNS as being unsafe.
> It's not clear to me, because it's not even clear to me what the exploit
> is - unsure if they've even released this.
>
> Are there patches available for the common DNS packages like bind?
Here's a reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447

The gist of it is this:

DNS poisoning is where a third party adds cache entries to your name
server. Ideally it would be important NS entries like .on.ca or an Address
entry like www.royalbank.com. These entries direct the name server or a
user of the name server to the attacker's server. This gives the attacker
the ability to send back more false information. In the case of a web site
it could be a false front intent on getting your login name and password.
In the best case the user would notice that their bank site is not
encrypted as it usually is and would avoid entering the information.

DNS poisoning is not new; it's been around for a while, attackers are just
finding new ways to inject spoofed data into name server caches. This
particular way sees the attacker sending the victim's server a spoofed
response. The attacker needs to know two things to do this: the source
port and the Query ID. Both are 16-bit numbers and if both are random the
attacker would have to guess the correct combination of a potential 2
billion possibilities. The problem is that the numbers aren't random
enough. The random number generator in Linux is reasonably predictable and
some DNS servers don't randomize the source ports enough.

I believe the best attack is to trick a user or a server into sending
several queries to an attacker's DNS server. The attacker looks at the
series of responses, each with a different port/TXID combination, and tries
to predict the next combination and sends a spoofed response. If the
attacker is successful he/she should see a user access his systems. This
attack can be spread across a million systems in an attempt to gain a very
small percentage of hits.

I would say that you should upgrade your DNS server to a version of bind
that has a P1 in the version. Or you can switch to a more secure one like
device that more securely NATs or proxies DNS requests.
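The post says the attacker's job depends on whether the resolver's UDP source port and 16-bit query ID (TXID) are unpredictable across consecutive queries, which is what the online "testing tool" the original poster mentions measures. The following is an added example, not code from the post or from any DNS package, that performs the same kind of check offline on a captured series of outgoing queries. The two captures are constructed in the file (one with a fixed port and a counting TXID, one with fresh random values per query), the DNS parsing follows the RFC 1035 header layout, and the 90% distinct / 10% sequential thresholds are illustrative assumptions rather than values from the page.

```python
import random
import struct

# Added example (not from the mailing-list post): a small offline check of the
# two values the post names, the UDP source port and the 16-bit query ID (TXID),
# across a series of outgoing queries captured from a resolver.  All sample
# traffic below is constructed in this file; no real resolver is queried.


def build_query(txid, name="example.com"):
    """Build a minimal DNS A query (RFC 1035 header + question) for testing."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_txid(payload):
    """Return the 16-bit transaction ID from the first two bytes of a DNS message."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", payload[:2])[0]


def assess_resolver(samples):
    """samples: list of (udp_source_port, dns_payload) for consecutive outgoing
    queries.  A patched resolver should use a fresh, unpredictable port and
    TXID for nearly every query; a fixed port or a counting TXID leaves only
    one 16-bit value (or less) for an attacker to guess.  Thresholds below are
    illustrative assumptions, not values from the post."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two queries")
    ports = [port for port, _ in samples]
    txids = [parse_txid(payload) for _, payload in samples]
    distinct_ports = len(set(ports))
    distinct_txids = len(set(txids))
    # Fraction of consecutive TXID pairs that differ by exactly +1 (mod 2^16):
    # near 1.0 means a simple counter, near 0.0 is what randomness gives.
    sequential = sum(1 for a, b in zip(txids, txids[1:]) if (b - a) % 65536 == 1)
    seq_fraction = sequential / (n - 1)
    port_ok = distinct_ports >= 0.9 * n
    txid_ok = distinct_txids >= 0.9 * n and seq_fraction < 0.1
    return {
        "queries": n,
        "distinct_ports": distinct_ports,
        "distinct_txids": distinct_txids,
        "sequential_txid_fraction": seq_fraction,
        "verdict": "GOOD" if port_ok and txid_ok else "POOR",
    }


def fixed_port_samples(n=50):
    """Constructed capture of an unpatched resolver: source port always 53,
    TXID a simple counter."""
    return [(53, build_query((1000 + i) % 65536)) for i in range(n)]


def randomized_samples(n=50, seed=1):
    """Constructed capture of a patched resolver: fresh ephemeral port and
    random TXID per query (fixed seed so the run is reproducible)."""
    rng = random.Random(seed)
    ports = rng.sample(range(1024, 65536), n)
    txids = rng.sample(range(65536), n)
    return [(p, build_query(t)) for p, t in zip(ports, txids)]


if __name__ == "__main__":
    for label, capture in (("fixed port / counting TXID", fixed_port_samples()),
                           ("randomized port and TXID", randomized_samples())):
        print(label, assess_resolver(capture))
```

On real traffic the `samples` list would be filled from a packet capture of the resolver's outbound port 53 queries (source port from the UDP header, payload from the UDP data); the check only needs a few dozen consecutive queries to distinguish a fixed-port or counting resolver from one that randomizes both values.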