DNS Cache Poisoning Update
dhammabum writes "Today's SANS Internet Storm Center handler has put up an excellent update of the DNS poisoning vulnerability currently doing the rounds. The main points are that only Windows DNS servers are vulnerable (degrees of vulnerability depending on patch level), provided you are not running an ancient version of bind. Also bind4 and bind8 do not clean poisoned caches if they receive them from a poisoned Windows DNS server but bind9 does."
In the interest of promoting discussion, there is a good definition of DNS poisoning here, and a longer explanation/rant regarding DNS poisoning here.
The InfoCon is currently set at psychedelic purple-green in response to the realization that Windows is still insecure, even now that Longhorn has been out for nearly 3 years, and has reached service pack 23. We originally went to psychedelic purple-green because we were uncertain of the mechanisms that allowed seemingly "secure" systems to be vulnerable to this issue. Now, however, we know of the mechanisms--Microsoft still makes shitty products, and Windows is still buggy and vulnerable.
In other news, water is wet.
Ironically, that same update describes Comcast's nationwide problems that started last night (US time) and says it was caused by an equipment upgrade and not related to the DNS cache poisoning. BUT, the problem was not network connectivity, but the DHCP-assigned DNS servers became unavailable. Read more at DSLReports and (from first-hand experience), the work-around was fairly easy, which was to manually specify the DNS server rather than use the DHCP'd one. Comcast says it was resolved about two hours ago - scroll down to the bottom of the page.
Thanks for the update there, Zonk! MS DNS, BIND4, BIND8 are insecure.
Who knew? Truly, "stuff that matters".
Somehow, I just knew Windows was at the root of the whole thing...
...at least, according to this link from the lwn.net security page.
"If you don't like windows don't use it"
Or then telling me, when they find out I don't use it, that I've somehow forfeited the right to complain about it anymore; or trying to hold Microsoft blameless for their security holes because the people who run Microsoft software do so by "choice" so it's the user's own fault, and they are just hurting themselves.
But then I keep finding that despite not using Microsoft software, I get negatively impacted by it anyway. Because the Code Red slaves on the network are bombarding me with a constant light DoS looking for that index server or whatever. Because I get bombarded with email viruses and spam from zombie PCs which, while harmless to me, make my email account less useful. Because my DNS server is running Windows.
Lovely.
So, look at this. I am being materially negatively impacted by a company whose products I don't even buy. How, exactly, is the invisible hand of the market going to help with this?
I wonder if this is the reason Comcast's DNS servers all took a gigantic shit yesterday.
Last night I couldn't reach google, comcast.net (my GF's email [although I warn her every day about relying on ISP-based email {lock-in and all that...}]), yahoo, and a number of other sites. Strangely, Happypenguin, slashdot and sourceforge all worked just fine. I figured it must have been DNS issues and kind of assumed it was this poisoning that's been happening. Needless to say, it was annoying as hell. Add to that, 800-comcast and 888-comcast were giving fast busy signals, so their call center was being DDoS'd by a swarm of angry customers.
put the what in the where?
Comcast has had numerous issues with viruses hitting their servers. Basically, every time a major new virus comes out, Comcast gets hit; big. They forced even the ATT/TCI Unix servers over to Windows (in spite of much higher costs), so that the entire network takes it in the shorts.
I prefer the "u" in honour as it seems to be missing these days.
Damn you daypass people, I have a UID half yours and I have yet to get a frikkin' daypass.
Go ahead! You know you tasteless bastards are gonna do it anyway.
Could it be coincidence that Comcast is currently experiencing DNS issues? Probably.. but it makes me wonder.
" The main points are that only Windows DNS servers are vulnerable " And the sun is really hot! -- Windows is like a teenage girl in America, you never know what you're going to get!
From the article:
"On Windows 2000 SP3 and above, the DNS server DOES protect against DNS cache pollution by default. The registry key to protect against the poisoning is not necessary: the value is TRUE if the registry key does not exist"
In other words, many or most 2000 installations should be secure against pollution if their admins possess the slightest clue.
"Windows DNS --> forwarding to BIND4 or BIND8. Windows DNS server assumes that BIND scrubs out the poisoning attempt. BIND4 and BIND8 do NOT appear to scrub the attack. Windows DNS trusts the data and the Windows DNS cache will become poisoned."
So much for "only affects MS servers" although the article does mention, and plays down ("ancient versions") the bind4/8 vulnerabilities.
I'm left wondering how many admins have their dns servers in forwarding mode, and how many of those are forwarding to bind4/8 servers? Very few, I'd think.
It's important to note, from what I've understood of it so far, that this exploit only affects the "MS server forwarding its requests to a bind4/8 server" scenario, which I would think would be a pretty negligible number of DNS servers?!
Another interesting thing that caught my eye was "On Windows 2000, you should manage the DNS cache protection security setting through the DNS Management Console. On Windows 2000 below SP3, the "Secure cache against pollution" is not the default so you should enable it using the DNS Management Console."
An admin who didn't already do this is dumb beyond belief, hardly a MS problem! Blaming it on MS is akin to blaming Ford if you forget to lock the door on your car. If you're a DNS admin and didn't think to check your configuration for this very old vulnerability it's time you hung up your admin hat!
For the record, I'm no more a fan of Windows than I am of *nix - but how much you wanna bet this post'll raise 80% MS bashing comments, 10% "funny" comments, and maybe 10% useful DNS Admin comments?
I was happily using my dual 2 GHz and 30" screen when all sorts of nasty things happened. Which is a rarity for us Mac users, as you all know.
1: Netstat hung process
2: Mail hung
3: Finder reboot wouldn't load menu bar
Nothing worked until I actually changed my network settings, then everything cleared up. I jumped on my 56k and chatted with Comcast after waiting almost an hour.
I simply said "What happened, something big?"
Comcast: "Yes we know, all our DNS servers are down"
http://homepage.mac.com/hogfish/PhotoAlbum2.html
DNS poisoning?
What DNS poisoning?
Isn't this www.NerdsMeetingExcitingGirlsOnLine.org?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
If we were really dealing with an ideal 'invisible hand' at work, the smart, money-saving people would leave 'the' internet and start their own security-required network, which would quickly become the larger network and regain the distinction as 'the' internet, thereby forcing everyone on the 'old' internet to get secure in order to join up. But that doesn't happen, does it. Sadly, the invisible hand is only good at two things, truly open marketplaces, and giving you the finger.
"I offer $500 to the first person to publicly report a verifiable security hole in the latest version of djbdns."
(djbdns being the software written by the author of the "rant" above.)
Now if only MS were so generous. ^_^
Actually Crapcast's problem was fixed about 13 hours ago as of right now.
That's what you get when an entire ISP uses a single pair of DNS servers in Denver for the entire country.
janitor: (hey, what's THIS wire for!)
It's an externality. The invisible hand of the market isn't going to fix things for you
Here is a good explanation at security focus
http://www.securityfocus.com/guest/17905
Even if you are already running Bind 9, you should consider reading Rob Thomas' Secure BIND Template for how to best configure bind.
Why is anyone still using Bind 4? Is there any justifiable reason for doing so other than sheer stupidity or laziness?
Is it something you don't get if you make enough inflammatory posts?
djbdns divides what BIND does into two entirely separate programs. One, tinydns, is authoritative for its specific domains and nothing else. It might even drop all requests for anything else, I am not sure. The second program, dnscache, queries other, authoritative, name servers, and returns complete DNS lookups. It will only query authoritative name servers; it will discard responses that are not authoritative.
... suppose you look up www.yahoo.com. You should start by asking the root servers for com, choose one of them to ask about yahoo, choose one of them to ask about www.
DJB makes a big point in his documentation for djbdns about this. I get the impression that other (all? most? older?) name servers can be poisoned because they will accept non-authoritative answers as gospel.
For instance
That seems so common sense to me that I do not quite understand DJB's complaint, yet apparently there are servers which will cache other addresses for which they are not authoritative. If I ask, say, plugh.com who is www.yahoo.com, and it has recently looked that up, it will pass it along to me as if it really really knew. djbdns will not; it will instead tell me to look it up properly.
How plugh.com gets bogus info for www.yahoo.com to start with is another question that I do not have any understanding of.
At least I think that is some of the flavor of cache poisoning.
Infuriate left and right
Why doesn't someone just 0wn the haxors who do this? Why is no one talking about justice being done?
Could it be that all you geeks find this rather exciting what with the "storm warning" (wtf) and "poisoning". ffs.
The whole point of Internet Protocol is to facilitate in the sharing of data. Even if you start your own private network you will most likely still use IP.
I used to be foolish and think like you, but no matter what the physical layer is, it still makes sense to have an IP stack and run Internet Protocol. And even if you have a different protocol, say ATM or some other, you use MPLS, and that translates between any two generic protocols and it all translates to TCP/IP.
You can't get away from it unless you want to redesign the way that networks behave. And if you do that, why would anyone want it when the Internet already works? Whatever problems we have with BIND will be legion in your proprietary system. As buggy as some people make their versions of BIND, or whatever other piece of the Internet toolset, there are other vendors or suppliers (often Open Source) who create code that doesn't have those problems.
Try the private network thing if you want, but it will cost you a lot. Why do this?
When will the world learn to stop using BIND?
Often, it's not an option to use something else. The shop I used to work for used BIND for the same reason many shops still use sendmail. It's a common denominator. It's not the best, it's not the worst, but it's definitely in use and a lot of admins know it (to some degree).
I really think the right thing to do at this point is to set up BIND 9 to completely ignore anything coming from a Windows DNS implementation. That will leave only Windows users stuck with the problem.
... I had to call my ISP to get new Primary and Secondary DNS settings. The old settings worked fine for 7 years straight and then mysteriously crapped out a few days ago.
Previous /. THREAD
Djbdns site with a ton of good information
I like it.
It was like being on a ten lane freeway all by myself - everything was fast!
Only question now is does Comcast fire their CTO who recommended using Windows-based servers or do we get to see a repeat meltdown somewhere down the road?
i have a quarter million UID and i got one this morning, i bet it's tied to metamod somehow
DNS Poisoning is possible because of the way some DNS servers work.
When you want to lookup a site, you send a request to your DNS server, which then does the lookup and returns the results to you.
Say you need to know the address to www.yahoo.com. You ask the DNS server for it. It doesn't know, so it looks at what it does know. In the simplest case, it knows the address of the DNS server for *.com, so it asks him. He replies that he doesn't know either, but that he knows *.yahoo.com's DNS records are stored at x.x.x.x. So your DNS server goes and asks x.x.x.x. He does know where www.yahoo.com is, tells your DNS server, who then sends you back the address.
Typically, a DNS Server is running for a lot of users at once, so it improves speed by caching the results of these queries. So if you asked for www.yahoo.com again, your DNS server looks in the cache, finds that www.yahoo.com is in there, and gives you the answer right away. No need to look it up, time saved all around.
DNS cache poisoning is where an attacker tricks a DNS server into caching incorrect information. This can happen by having a rogue server set up somewhere. So say the nameserver for www.badguy.com has records that say his name is also www.yahoo.com. When you look up www.badguy.com, and get to that point, badguy.com says "hey, this is my address, and here's some other names that I'm known by: www.yahoo.com". Your DNS server then stores all that info in his cache. Later you look up www.yahoo.com and get back the address for www.badguy.com instead.
That's a slightly oversimplified way to explain it, but that's the gist of it. Somebody can trick your DNS server into giving back bad info. This is a critical security issue, because say they poison your cache and fool you into connecting to their server instead of, say, your bank's. They then give you a web page that looks just like your bank's does, you login as normal, and suddenly they have all your cash.
Many DNS servers are immune to this. How is simple: They don't cache stuff when badguy.com says he's also yahoo.com. They always go ask who yahoo.com is and only cache that more trustworthy answer.
However, the DNS system is set up as a hierarchy. Your DNS server may not talk to root servers all the time; he might route all his queries through another, bigger DNS server. One of the bugs discovered here is that even if your DNS server is not vulnerable, the one just upstream of it might be, and that can propagate down to yours.
So there you go.
Pretty good explanation. I'm a programmer (who's forced to do networking) and have just enough knowledge on DNS to see exactly how that could happen.
:-) and thanks, it looked odd while typing ...
Isn't that one of those things they do to help choking people? The hemlock remover? Anyway, that stuff tastes great! Drink up...
bind8 and bind64 are inappropriate in these matters. A simple netbstat -4/k! command in the subprocessing warp chambers will act as a perfect anti-binder, correct? To hell with DNS poison! Damn the photon torpedoes!
See, I don't even see why poison spreads. Yes, if aohell.com were dumb enough to ask lameproducts.com if it knows who shopping.yahoo.com is, then I can see the poison spreading, but there are two related unanswered questions ... what would it take to get aohell.com to ask lameproducts.com who shopping.yahoo.com is, and why would aohell.com even trust some unrelated site in the first place so that it could be tricked into asking?
.... maybe back in the old slow days, it was a speedup, to save all the time involved for new separate connections for each lookup.
But maybe that's why Windows and old BIND sites are susceptible. Maybe it was some optimization, like thinking, hey, I've got ten more sites to look up, I'll ask this unknown DNS server just on the off chance.
This might sound like a stupid question, but I just spent the last few evenings fighting with DNS resolution problems on my home LAN, only to finally resolve it (at least for now) by a hard reboot of my Hotbrick LB-2 load-balancing router/firewall.
I have both a Charter cable modem and SBC DSL coming into my house, and the Hotbrick load-balances both connections and shares them to my PCs.
I started encountering an odd problem the other night where it seemed like after I initiated a file download, subsequent DNS requests (web pages, checking email, etc.) would just time out and fail. It was a bit erratic, but all my configuration settings appeared correct. (My Mac and PCs just use 192.168.0.1 as their DNS entries, since that gets them to the Hotbrick, which actually does the DNS resolution.)
Until now, I've had the Hotbrick running flawlessly for months on end, so the need to reboot it now puzzled me. This article made me wonder.
Time to stop the DJB fanboy FUD.
BIND 9 is a complete rewrite of BIND. It has none of the security issues that older versions of BIND have. In particular, the best security attack against BIND 9 results in a denial of service; any such DoS attacks have been patched by the ISC.
BIND 9 also has a number of security features DjbDNS doesn't have. Starting with DNSSEC. Also, it has full support for DNS-over-TCP, which stops a certain attack that DjbDNS is not capable of stopping.
Stop listening to the DJB fanboy FUD and start paying attention to the facts. If you don't mind the fairly large footprint BIND 9 has, it is a completely free, secure, and excellent solution to your DNS needs. If BIND 9 is too big for you, there are other DNS solutions that are lightweight and aren't DjbDNS.
One fact DJB fanboys won't tell you is that DJBware is not free software.
From what I understand, in the future, the EPCglobal system (which is being positioned as the replacement for UPC/EAN barcodes) will use DNS as the core technology behind their ONS (Object Name Service) system. So, if a store sees a new EPCglobal RFID tag and wants to know what it is, it can simply execute a DNS query to find out. I'll admit that I haven't looked very closely at the proposed architecture, but this seems like a recipe for disaster when combined with DNS poisoning, especially if automated checkout systems are used that read the EPCglobal tag on every item. I could imagine someone poisoning a store's DNS server, changing product information, such as the price, and causing all sorts of havoc.
RTFA you nit.
The advisory states that this issue has already been fixed in Windows from Windows 2000 Service Pack 3, which was released 3 years ago. Windows 2003 has always been secure to this attack, and Windows NT is securable through a registry key.
You can just change your DNS server information in Windows easily to 4.2.2.1. I didn't do it on my Linux box, so I don't know how easy it is to change on there. That's what I did last night when Comcast shit out, and my problems went away. I must have been the only person in town able to get online, heh.
He ducks! He dodges! He backpedals!
Dunno how many complaints there were, but I don't recall any great hue-and-cry. Do you? Can you link it? Don't forget, pre-Win2k/SP3 versions were securable with a single setting, as I said before.
Not much clue is required to prevent this problem. If you had read the article (or thought for a moment), you'd see it:
1) Check for defined forwarders on your DNS servers. Got none? Good, you're done.
2) For each defined forwarder you have, speak to whoever admins that server. Make sure they aren't using forwarders, and aren't poisonable. If you can't verify this, change to forwarders that meet these criteria, or stop using forwarders and start doing your own resolving.
You're also wrong about BIND. BIND 4/8 aren't vulnerable to DNS cache poisoning. They correctly ignore attempts to poison their caches. Unfortunately, they don't bother to scrub the poison when they pass that information on to servers that forward to them.
From what you said about checking with AT&T, I suspect that's a typo, but if it's not, check this:
Google
The SecurityFocus article is especially good. Anyway yes, BIND4/8 are directly vulnerable to poisoning. Some later versions of BIND8 are fixed, but really, BIND9 is the way to go (imho).