Slashdot Mirror
DNS Cache Poisoning Update
dhammabum writes "Todays SANS internet storm handler has put up an excellent update of the DNS poisoning vulnerability currently doing the rounds. The main points are that only Windows DNS servers are vulnerable (degrees of vulnerability depending on patch level), provided you are not running an ancient version of bind. Also bind4 and bind8 do not clean poisoned caches if they receive them from a poisoned Windows DNS server but bind9 does."
In the interest of promoting discussion, there is a good definition of DNS poisoning here, and a longer explanation/rant regarding DNS poisoning here.
____
~ |rip/\/\aster /\/\onkey
Ironically, that same update describes Comcast's nationwide problems that started last night (US Time) and says it was caused by an equipment upgrade and not related to the DNS Cache poisoning. BUT, the problem was not network connectivity, but the DHCP's DNS Servers became unavailable. Read more at DSLReports and (from first hand experience), the work-around was fairly easy which was to manually specify the DNS server, rather than use the DHCP'd one. Comcast says it was resolved about two hours ago - scroll down to the bottom of the page.
...at least, according to this link from the lwn.net security page.
Last night I couldn't reach google, comcast.net (my GF's email[although I warn her everyday about relying on ISP-based email{lock-in and all that...}]), yahoo, and a number of other sites. Strangely, Happypenguin, slashdot and sourceforge all worked just fine. I figured it must have been dns issues and kind of assumed it was this poisonning that's been happenning. Needless to say, it was annoying as hell. Add to that; 800-comcast and 888-comcast were giving fast busy signals, so their call center was being DDOS'd by a swarm of angry customers.
put the what in the where?
From the article:
"On Windows 2000 SP3 and above, the DNS server DOES protect against DNS cache pollution by default. The registry key to protect against the poisoning is not necessary: the value is TRUE if the registry key does not exist"
In other words, many or most 2000 installations should be secure against pollution if their admins posess the slightest clue.
"Windows DNS --> forwarding to BIND4 or BIND8. Windows DNS server assumes that BIND scrubs out the poisoning attempt. BIND4 and BIND8 do NOT appear to scrub the attack. Windows DNS trusts the data and the Windows DNS cache will become poisoned."
So much for "only affects MS servers" although the article does mention, and plays down ("ancient versions") the bind4/8 vulnerabilities.
I'm left wondering how many admins have their dns servers in forwarding mode, and how many of those are forwarding to bind4/8 servers? Very few, I'd think.
It's important to note, from what I've understood of it so far, that this exploit only affects the "MS server forwarding it's requests to a bind4/8 server" scenario which I would think, would be a pretty negligible number of DNS servers?!
Another interesting thing that caught my eye, was "On Windows 2000, you should manage the DNS cache protection security setting through the DNS Management Console. On Windows 2000 below SP3, the "Secure cache against pollution" is not the default so you should enable it using the DNS Management Console.
An admin who didn't already do this is dumb beyond belief, hardly a MS problem! Blaming it on MS is akin to blaming Ford if you forget to lock the door on your car. If you're a DNS admin and didn't think to check your configuration for this very old vulnerability it's time you hung up your admin hat!
For the record, I'm no more a fan of Windows than I am of *nix - but how much you wanna bet this post'll raise 80% MS bashing comments, 10% "funny" comments, and maybe 10% useful DNS Admin comments?
It's an externality. The invisible hand of the market isn't going to fix things for you
What I say does not represent the views of my employers, my friends, my cats, or myself.
Here is a good explanation at security focus
http://www.securityfocus.com/guest/17905
Even if you are already running Bind 9, you should consider reading Rob Thomas' Secure BIND Template for how to best configure bind.
Previous /. THREAD
Djbdns site with a ton of good information
I like it.
bo
bad_outlook
--
Is this vague enough for you?
DNS Poisoning is possible because of the way some DNS servers work.
When you want to lookup a site, you send a request to your DNS server, which then does the lookup and returns the results to you.
Say you need to know the address to www.yahoo.com. You ask the DNS server for it. It doesn't know, so it looks at what it does know. In the simplest case, it knows the address of the DNS server for *.com, so it asks him. He replies that he doesn't know either, but that he knows *.yahoo.com's DNS records are stored at x.x.x.x. So your DNS server goes and asks x.x.x.x. He does know where www.yahoo.com is, tells your DNS server, who then sends you back the address.
Typically, a DNS Server is running for a lot of users at once, so it improves speed by caching the results of these queries. So if you asked for www.yahoo.com again, your DNS server looks in the cache, finds that www.yahoo.com is in there, and gives you the answer right away. No need to look it up, time saved all around.
DNS Cache Poisoning is where an attacker tricks a DNS Server into caching incorrect information. This can happen by having a rogue server setup somewhere. So say the nameserver for www.badguy.com has records that say his name is also www.yahoo.com. When you lookup www.badguy.com, and get to that point, badguy.com says "hey, this is my address, and here's some other names that I'm known by: www.yahoo.com". Your DNS Server then stores all that info in his cache. Later you lookup www.yahoo.com and get back the address for www.badguy.com instead.
That's a slightly oversimplified way to explain it, but that's the gist of it. Somebody can trick your DNS server into giving back bad info. This is a critical security issue, because say they poison your cache and fool you into connecting to their server instead of, say, your bank's. They then give you a web page that looks just like your bank's does, you login as normal, and suddenly they have all your cash.
Many DNS servers are immune to this. How is simple: They don't cache stuff when badguy.com says he's also yahoo.com. They always go ask who yahoo.com is and only cache that more trustworthy answer.
However, the DNS system is setup as a hierarchy. Your DNS Server may not talk to root servers all the time, he might route all his queries through another, bigger DNS server. One of the bugs discovered here is that even if your DNS server is not vulnerable, the one just upstream of it might be, and that can propagate down to yours.
So there you go.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
what would it take to get aohell.com to ask lameproducts.com who shopping.yahoo.com is, and why would aohell.com even trust some unrelated site in the first place so that it could be tricked into asking?
The client *doesn't* ask the lameproducts.com DNS server about shopping.yahoo.com, it asks about something in the lameproducts.com domain (typically, prompted by an image embedded in an HTML email). The lameproducts.com DNS server sends back the answer about the request for the system in the lameproducts.com domain, but it *also* tacks on some more information about other domains for which it is not authoritative. A sensible client would simply ignore this additional information since (a) it never asked for it and (b) the information is outside the responding DNS's bailiwick. Unfortunately, there's a number of DNS caches out there that do not take a sensible approach.
My next sig will be ready soon, but subscribers can beat the rush