Slashdot Mirror

← Back to Stories (view on slashdot.org)

Network Attacks Via DNS

Posted by timothy on from the operator-please dept.

Iphtashu Fitz writes "Without DNS the internet wouldn't be all that useful. Despite being a ubiquitous part of the internet it is overlooked by many as a potential security hole. At this weekends Defcon 12 conference in Las Vegas, security researcher Dan Kaminsky warned that DNS can open up seemingly secure networks to attack. Because most firewalls and other security devices treat DNS requests as harmless it provides an excellent conduit for transferring covert data in and out of otherwise protected systems. At Defcon, Kaminsky demonstrated some software that allows a server to act as a communications hub using DNS. This let him transmit instant messages and even audio streams over an encrypted connection carried by spoofed DNS requests."

"Because the data looked like typical DNS traffic it wouldn't be detected or logged by firewalls or intrusion detection systems. He also pointed out that monitoring DNS could help in other unrelated ways: because the recent MSBlast worm did lookups on windowsupdate.com infected machines could have been detected by simply monitoring DNS server logs."

14 of 147 comments (clear)

  1. Old news by fred87 · · Score: 5, Informative

    nessus has been pointing this out as a security hole in it's scan results for at least 3 months now...

  2. This is supposed to be 'news'? by fw3 · · Score: 4, Informative

    Layering services over dns has been a discussed topic in books / seminars for at least a decade already.

    --
    Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
    bsds are of course just BSD
  3. Re:TCP or UDP by Anonymous Coward · · Score: 5, Informative

    An interesting property of DNS is that there are servers all over the net which will happily relay your message. Even if your only connection to the net is through application level proxies, you probably have a local DNS resolver. That's all you need. No packet has to traverse the firewall directly.

    They may have used spoofed DNS packets just to bypass a firewall, but information can also be tunneled in real DNS packets, so even if you only allow DNS to/from certain servers, you're still not safe from this leak.

  4. 90% of the internet is valnerable ... by after · · Score: 4, Interesting

    to somthing called DNS poison. Why? Because system administrators are anal and fail to realize that software like BIND is not written to be secure. Hell, DNS was not even designed for such a large internet. The original DNS implementors were bad programmers and designers.

    BIND9... don't get your hopes up. The BIND company sells paches for their software. Meaning that if you don't pay them money then you're going to be running an errornouse DNS server.

    Still most people use BIND for two reasons: no one wants to learn the crusty details of DNS and 2) Linux comes with BIND as it's default name library.

    Alternative like djbdns should be used.

    1. Re:90% of the internet is valnerable ... by shepd · · Score: 4, Informative

      >ufortunately, djbdns is not open-source.

      Incorrect, it is open source.

      It isn't GPL.

      There's a big difference.

      >Until a true open source alternative to BIND appears, we're stuck with it.

      By "true alternative" do you mean it has to be GPLable?

      Get real. djbdns' source is 100% available for you to look at and patch to your hearts content. If you find an error, send a fix to DJB and he'll add it after review. He'll even give you $500 as a reward for your hard work. Find me a GPL program that makes an offer like that.

      Now, if he doesn't like your patch, you can post the patch on the internet. You can even put it alongside the source. You can even make an autopatch program that will patch djbdns during make so that dumb users can handle the process

      For the disbelievers, here's the source code.

      Here's bernstein's statement about the freedom of his software. Feel free to print it out and sign it if you're insane on the idea he can revoke your license.

      --
      If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
  5. helpful by Scythr0x0rs · · Score: 5, Funny

    some good people could break into the nameservers of a large ISP such as AOL and send out spoofed NS records for update.windowsupdate.com or whatever it is and deploy linux to all windows users.

    Warning: this update may require a reboot.

  6. Irrelevant^2 by warrax_666 · · Score: 4, Insightful
    The $500 security guarantee is utterly irrelevant. (Btw: Who gets to judge what is a security problem? That's right, DJB himself. If that doesn't tell you something, then you're not the sharpest tool in the shed).

    The $500 correpsonds to less than 50 hours at $10 an hour (being extremely generous with the hourly wages here, in favour of the "gaurantee"). Do you think anyone can audit the djbdns source code -- even ignoring the fact that it's largely uncommented and messy (#define, what's that?) -- in 50 hours? No, I didn't think so.


    BIND is open source, but that doesn't make it safe and secure. it's probobly more insecure just because of that.

    BIND may be Open Source (note capitalization) while djbdns isn't. That doesn't mean you can't get source for djbdns. In fact it's probably easier to get source than binaries for djbdns because of the unbelievably stupid djbdns license.

    So they are both equally "insecure" from that perspective.
    --
    HAND.
  7. Cheating Wireless networks by technothrasher · · Score: 5, Insightful
    I've noticed in the past that many of the public wireless networks that want you to pay to use allow DNS traffic to flow even before you've paid. I've often thought that'd you could use that to build a tunnel and not have to pay for service.

    Mind you, I've never done it because it would be kind of rotten, but it did cross my mind.

  8. Re:TCP or UDP by digitalhermit · · Score: 5, Interesting


    They may have used spoofed DNS packets just to bypass a firewall, but information can also be tunneled in real DNS packets, so even if you only allow DNS to/from certain servers, you're still not safe from this leak.

    Yup, and that's not the half of it. With the extensions being duct-taped onto the existing spec it makes it easier and easier to do this. I've seen some hacks to allow all sorts of arbitrary information to live on the servers, some relayed automatically because of the extensions, some used to modify how mail servers respond, some even for routing. It's nothing new (remember transferring data via ICMP ECHO?) but it's on a new level now.

    KL

  9. Harmless? by jjeffrey · · Score: 5, Insightful

    I don't think that networks allow DNS because it is harmless, but because it is necessary, that's an important distinction.

  10. That's why you use proxies! by wowbagger · · Score: 5, Informative

    That is why any GOOD sysadmin will set up the system so that there is a single DNS server for the plant, and that server and that server alone is allowed to send and receive DNS packets to the greater Internet - all other machines are to use the local DNS server.

    Not only does this GREATLY reduce the amount of DNS traffic a shop produces (by caching all requests locally) it helps prevent this sort of foolishness by requiring all packets to be well formed DNS packets - else the server drops them.

    Then, you can block any client that makes more than a few requests a second.

    Yes, it is easier to set up a firewall to be very porous to outbound traffic, but it is more secure to deny all direct access, and force clients to run through proxies for the various services.

    --
    www.eFax.com are spammers
  11. Duh... by blixel · · Score: 4, Funny

    That flaw in most firms' network security leaves a vulnerability that can be used by hackers to sneak intellectual property outside a company, communicate with a compromised server inside the company,

    In other security news alerts, there was a major hole disocvered in SSH. It turns out if a hacker installs a rogue SSH daemon on the server, he can do nefarious things with it.

  12. "without DNS" = LDAP by Anonymous Coward · · Score: 4, Interesting

    Note that LDAP is fully capable of doing host name resolution, there's even an RFC for it (AFAIK the one that specifies how to store POSIX user info also specifies how to store host names).
    And in fact, DNS can be used for user details via Hesiod.

    Both LDAP and DNS are hierarchical federated database systems. Personally, I find current LDAP implementations to be more manageable, better designed, and generally nicer (can set very fine grained permissions) than current DNS implementations. A name system based on LDAP rather than DNS would be fully feasible and IMHO as or more globally scalable.

    But we must distinguish between DNS-the-protocol and DNS-the-implementations - It would be possible to have the same piece of software answer both DNS and LDAP queries from the same database. Hey, hello Microsoft Active Directory! But MAD is nasty for other reasons - so where are the Open Source projects to provide a slapd plugin for DNS protocol lookup to openldap databases? It should actually be pretty simple, maybe it's so simple no-one is interested hacking on it....

  13. How about this : OpenVPN over UDP port 53 ie. DNS by anti-NAT · · Score: 5, Interesting

    Thought of this almost two years ago. Run OpenVPN over UDP port 53. I figure a fair number of firewalls may not analyse UDP DNS traffic to see if it actually is UDP DNS traffic. Haven't had a chance to try it out though.

    Thinking big picture, you realise that once opportunistic IPsec becomes available, and with IPv6 it will be, any device in the network trying to interpret traffic, such as firewalls and proxy servers, will become just about useless.

    --
    The Internet's nature is peer to peer - 20050301_cs_profs.pdf