[kwlug disc.] DNS security threat
Steven Stillaway
steve at stillaway.net
Fri Aug 1 11:22:09 EDT 2008
If your internal DNS is set to only allow recursion for internal IPs
via the 'allow-recursion' option, then I believe it would be
impossible for an attacker to poison your cache since the only values
that would be entered into your cache would be ones that you are
authoritative for and ones that were added because of a query from one
of your internal IPs.
Of course this assumes that you trust all of your internal IPs.
I don't guarantee this, but it should do the trick.
Having said this, I add two things.
You should update your DNS anyway. All vendors should be providing
patches (although I have heard the MS patch is buggy).
You should always only allow recursion to your internal IPs -- do you
really want to be a DNS server for anyone who happens to stumble along
and scan your port?
- Steven
On 1-Aug-08, at 10:12 AM, john at netdirect.ca wrote:
>
> kwlug-disc-bounces at kwlug.org wrote on 08/01/2008 09:27:39 AM:
>
> > Is that correct, about running an internal DNS? Because that's exactly
> > what I do (DNS on local server, behind my home router/firewall. It
> > serves to the public only my domains and serves the internal network
> > with any domain). Yet the testing tool shows my DNS as being unsafe.
> > It's not clear to me, because it's not even clear to me what the exploit
> > is - unsure if they've even released this.
> >
> > Are there patches available for the common DNS packages like bind?
>
> Here's a reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
>
> The gist of it is this:
>
> DNS poisoning is where a third party adds cache entries to your name
> server. Ideally it would be important NS entries like .on.ca or an
> Address entry like www.royalbank.com. These entries direct the name
> server or a user of the name server to the attacker's server. This
> gives the attacker the ability to send back more false information.
> In the case of a web site it could be a false-front intent on
> getting your login name and password. In the best case the user would
> notice that their bank site is not encrypted as it usually is and
> would avoid entering the information.
>
> DNS poisoning is not new, it's been around for a while, attackers
> are just finding new ways to inject spoofed data into name server
> caches. This particular way sees the attacker sending the victim's
> server a spoofed response. The attacker needs to know two things to
> do this, the source port and the Query ID. Both are 16-bit numbers
> and if both are random the attacker would have to guess the correct
> combination of a potential 2 billion possibilities. The problem is
> that the numbers aren't random enough. The random number generator
> in Linux is reasonably predictable and some DNS servers don't
> randomize the source ports enough.
>
> I believe the best attack is to trick a user or a server into
> sending several queries to an attacker's DNS server. The attacker
> looks at the series of responses, each with a different port/TXID
> combination and tries to predict the next combination and sends a
> spoofed response. If the attacker is successful he/she should see a
> user access his systems. This attack can be spread across a million
> systems in an attempt to gain a very small percentage of hits.
>
> I would say that you should upgrade your dns server to a version of
> bind that has a P1 in the version. Or you can switch to a more
> secure one like DJBDNS or use an external service like OpenDNS or
> use a firewall/security device that more securely NATs or proxies
> DNS requests.
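For readers who want to see the two BIND settings the thread keeps coming back to, here is an added example of a BIND 9 named.conf options block. It is not configuration from either poster; the ACL name, the address ranges and the directory are assumed for illustration. The weak line is the one the 2008 advisory told administrators to remove: pinning the outgoing query port to 53 throws away the source-port entropy that the patched (P1) releases add, leaving the attacker only the 16-bit query ID to guess. Restricting recursion, as Steven suggests, shrinks who can trigger the lookups, but the forged responses still arrive at the resolver's port from outside, so both settings belong together.

```conf
// Added example: BIND 9 options showing the weak setting beside the
// hardened one. ACL name, networks and directory are assumptions.

acl "internal" {
    127.0.0.0/8;
    192.168.0.0/16;   // assumed LAN range; adjust to your network
};

options {
    directory "/var/named";

    // WEAK: a fixed source port means a spoofed response only has to
    // carry the right 16-bit TXID. Remove this line on a patched server.
    // query-source address * port 53;

    // HARDENED: let the patched server pick a random ephemeral source
    // port for every outgoing query (the default when 'port *' is used).
    query-source address * port *;

    recursion yes;
    // Recurse only for internal clients; everyone else is answered only
    // for the zones this server is authoritative for.
    allow-recursion { internal; };
    // Keep cached answers from leaking to outside clients as well.
    allow-query-cache { internal; };
};
```

After editing, `named-checkconf` validates the syntax, and a query from an outside address for a non-authoritative name should come back with REFUSED rather than an answer.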
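The quoted explanation of the attack (guess the source port and the Query ID, both 16-bit) is easiest to feel with numbers. The following is an added example written for this archive page, not code from either poster. It models the spoofed-response race: how large the search space is with the port pinned versus randomised, the analytic chance of at least one accepted forgery when the attacker can keep restarting the race (the random-subdomain trick that made the 2008 attack practical), and a small simulation of the resolver's port-plus-TXID match. The ephemeral port range and the attacker's guessing strategy are constructed assumptions; the model ignores the round-trip window that limits how many spoofs fit in one race.

```python
"""Model of the spoofed-response race behind CVE-2008-1447.

Added example for this thread, not code from either poster. It models how
much a blind attacker has to guess for a forged answer to be accepted: the
16-bit query ID alone (resolver pinned to one source port) or the query ID
together with a randomised UDP source port. The port range and the
attacker's strategy below are constructed assumptions.
"""
import random

TXID_BITS = 16
# Assumed ephemeral range a resolver draws from once source-port
# randomisation is on.
EPHEMERAL_PORTS = range(1024, 65536)
# What a 'query-source ... port 53' line pins the resolver to.
FIXED_PORT = 53


def guess_space(randomise_port: bool) -> int:
    """Number of distinct (port, txid) pairs a blind attacker must search."""
    ports = len(EPHEMERAL_PORTS) if randomise_port else 1
    return ports * 2 ** TXID_BITS


def race_success_probability(spoofs_per_race: int, races: int,
                             randomise_port: bool) -> float:
    """P(at least one forged answer accepted) when the attacker fires
    `spoofs_per_race` distinct guesses into each race window and can start
    a fresh race `races` times, e.g. by querying a new random subdomain
    each time so a cached answer never gets in the way."""
    p_one_race = min(1.0, spoofs_per_race / guess_space(randomise_port))
    return 1.0 - (1.0 - p_one_race) ** races


def forged_answer_accepted(query_port: int, query_txid: int,
                           forged: list) -> bool:
    """The resolver-side check: a response is matched to the outstanding
    query only if the UDP destination port AND the DNS TXID both agree."""
    return any(port == query_port and txid == query_txid
               for port, txid in forged)


def simulate(randomise_port: bool, spoofs_per_race: int, races: int,
             seed: int = 1) -> bool:
    """Run `races` independent races and report whether any forged answer
    was accepted. The attacker is assumed to know whether the port is
    pinned, and if so spends every guess on the TXID."""
    rng = random.Random(seed)
    for _ in range(races):
        port = rng.choice(EPHEMERAL_PORTS) if randomise_port else FIXED_PORT
        txid = rng.getrandbits(TXID_BITS)
        if randomise_port:
            forged = [(rng.choice(EPHEMERAL_PORTS), rng.getrandbits(TXID_BITS))
                      for _ in range(spoofs_per_race)]
        else:
            forged = [(FIXED_PORT, t)
                      for t in rng.sample(range(2 ** TXID_BITS), spoofs_per_race)]
        if forged_answer_accepted(port, txid, forged):
            return True
    return False


if __name__ == "__main__":
    for randomise in (False, True):
        label = "random port" if randomise else "port pinned to 53"
        print(f"{label}: search space {guess_space(randomise):,}, "
              f"P(hit | 200 spoofs x 1000 races) = "
              f"{race_success_probability(200, 1000, randomise):.4f}, "
              f"simulated hit: {simulate(randomise, 200, 1000)}")
```

With the port pinned, 200 spoofs per race over 1000 races gives better than a 95% chance of a poisoned entry; with the port randomised the same effort is below one in ten thousand, which is why the vendor patches mentioned in the thread concentrated on source-port randomisation rather than on the TXID alone.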