Slashdot Mirror


DNS Cache Poisoning Update

dhammabum writes "Today's SANS internet storm handler has put up an excellent update of the DNS poisoning vulnerability currently doing the rounds. The main points are that only Windows DNS servers are vulnerable (degrees of vulnerability depending on patch level), provided you are not running an ancient version of bind. Also bind4 and bind8 do not clean poisoned caches if they receive them from a poisoned Windows DNS server but bind9 does."

9 of 199 comments

  1. Re:Informative Links: by ThosLives · · Score: 2, Interesting
    This is great at explaining what this is, but why could this happen?

    Is this a poor implementation of the DNS spec, or is the DNS spec itself to blame for allowing such "poisoning" to occur?

    In my experience, software issues occur for one of two reasons:

    1. "Broken" code: The code doesn't do what you think it should; for instance, a function is supposed to return the sum of two numbers but it returns the difference. These errors are actually not that common in my experience (probably because it is easy to test against).
    2. Bad communication / misuse of code: there's a function that is designed to add two numbers, but you think it returns the difference, and you use the results incorrectly. Also included in this category are the "The software does X, but we really wanted it to do Y even though we told you something else," and "We changed the interface with that, but [didn't tell anyone] or [you didn't read the documentation]" type of errors, as well as poor specification processes: for instance, a spec that says "write a function that averages numbers" but doesn't tell how to handle overflows is a "communications" bug in that information is left out. These are the nasty errors, because it is not feasible to reliably test that "people are communicating properly." Note: I'd also include "malicious misuse of code" in this section, because it's basically people lying about what the software does.
    --
    "There are a dozen opinions on a matter until you know the truth. Then there is only one." - CS Lewis (paraphrase)
  2. Re:Informative Links: by bigberk · · Score: 3, Interesting

    Unfortunately djbdns is a bit awkward to install because of djb's insistence on the daemontools manager. There's nothing wrong with it, but the technique for installation is a bit awkward and certainly unlike other Unix-based server software.

  3. Re:Informative Links: by nothings · · Score: 3, Interesting
    Reposting from the previous slashdot thread, responding to a djbdns user; note specifically that djb admits the forgery resistance is "quantitative, not qualitative".

    > While I don't think I'm in the clear because of this, I feel better protected from the (unwashed ;)) internet.

    That seems fairly reasonable. I don't think you're really protected from poisoning, unless "poisoning" only applies to certain kinds of DNS spoofing. Specifically, first note the exceptions to the djbdns security guarantee (emphasis mine):

    • Bugs outside of djbdns, such as OS bugs or browser bugs. (People could seize control of BIND 9.1 through an OpenSSL buffer overflow, but that was a bug in OpenSSL, not in BIND.)
    • The vulnerability of DNS to forgery. (BIND's port reuse makes blind forgery much less expensive, but this is a quantitative difference, not a qualitative difference. The DNS architecture needs cryptographic protection.)
    • Denial-of-service attacks. (BIND 9's fragility makes denial of service completely trivial; but an attacker can easily take down the Domain Name System without using any of BIND's bugs. The DNS architecture needs to be decentralized.)

    Specifically, his forgery page points out that a spoofing attack based on the birthday paradox can still work... although probably tens of millions of packets are required. This page, which I think I got off slashdot before, uses the TCP sequence-number guessing tools to try to attack it. It's probably not quite as secure as djb estimates, but probably still in the millions. They don't seem to have actually run numbers for the randomized-port plus randomized-id, so it's unclear whether they actually attacked that thoroughly.
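    To put numbers on the "quantitative, not qualitative" point, here is an added example (not from the djbdns pages, the linked forgery page, or anyone in this thread) that models blind forgery as uniformly random guessing over the resolver's (transaction ID, source port) space. It assumes a 16-bit transaction ID, a single reused source port for the port-reuse case and a further 16 bits of entropy for the randomized-port case; the outstanding-query counts are constructed sample inputs, and the `n_outstanding > 1` case is the birthday-style situation where a resolver has several identical queries in flight at once.

```python
import math

TXID_BITS = 16          # DNS transaction ID is a 16-bit field (RFC 1035)
PORT_BITS_RANDOM = 16   # assumption: roughly 16 bits of entropy from a randomized source port


def guess_space(port_bits=0):
    """Number of distinct (txid, source port) pairs a blind forger must guess among.

    port_bits=0 models a resolver that reuses one source port, so only the
    transaction ID is unknown to the sender of a forged response.
    """
    return 2 ** (TXID_BITS + port_bits)


def forgery_success_probability(n_forged, n_outstanding, space):
    """Probability that at least one of n_forged uniformly random guesses matches
    one of n_outstanding distinct (txid, port) pairs the resolver is waiting on.

    With n_outstanding > 1 this is the birthday-style case: every identical
    query the resolver has in flight makes each guess proportionally more likely
    to land, which is why the number of outstanding queries matters as much as
    the size of the ID space.
    """
    if n_outstanding >= space:
        return 1.0
    miss_per_guess = 1 - n_outstanding / space
    return 1 - miss_per_guess ** n_forged


def forged_packets_for(target_p, n_outstanding, space):
    """Smallest n_forged such that forgery_success_probability >= target_p."""
    if n_outstanding >= space:
        return 1
    miss_per_guess = 1 - n_outstanding / space
    return math.ceil(math.log(1 - target_p) / math.log(miss_per_guess))


def compare_scenarios(target_p=0.5):
    """Forged responses needed for a 50% chance under three constructed scenarios."""
    fixed = guess_space(0)
    randomized = guess_space(PORT_BITS_RANDOM)
    return {
        # one source port reused, one query outstanding
        "fixed_port_single_query": forged_packets_for(target_p, 1, fixed),
        # one source port reused, 200 identical queries outstanding (constructed)
        "fixed_port_200_outstanding": forged_packets_for(target_p, 200, fixed),
        # randomized source port, one query outstanding
        "random_port_single_query": forged_packets_for(target_p, 1, randomized),
    }


if __name__ == "__main__":
    for name, packets in compare_scenarios().items():
        print(f"{name}: about {packets:,} forged responses for a 50% chance")
```

    The model reproduces the shape of the argument: with a reused port and a single outstanding query the guess space is 2^16, with a randomized port it is roughly 2^32, so the expected cost rises by a factor of about 65,000 but never becomes impossible. Keeping the number of identical in-flight queries low is the other half of the defence, since the 200-outstanding case shows how quickly a fixed-port resolver loses even that margin.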

  4. Comcast DNS issues coincidence? by spoonyfork · · Score: 2, Interesting

    Could it be coincidence that Comcast is currently experiencing DNS issues? Probably.. but it makes me wonder.

    --
    Speak truth to power.
  5. Re:Comcast, last night all DNS servers down by stratjakt · · Score: 3, Interesting

    > I'm a comcast customer, and fucked with my linux router for about an hour last night trying to figure out what the blue hell was going on.
    >
    > It has a habit of just shitting out every time my dhcp lease expires, rather than refreshing it and moving on with life, so I figured that was it, or perhaps dnsmasq (which I use to proxy for my lan) got fubared.
    >
    > Eventually I just plugged my cablemodem into a windows box, since they "just work" without fighting a bunch of resolv.conf or /etc/conf.d crap, and it had the same problem.
    >
    > At that point I realized it was their DNS servers, since I could ping them, but they wouldn't resolve queries, and I just waited it out.

    Interesting. Do you know for a fact that it was because of this poisoning stuff, and not because the new guy tripped over the cords?

    They could have had their dhcp servers send out, at least temporarily, a good upstream DNS server, rather than piss off umpteen billion customers.

    --
    I don't need no instructions to know how to rock!!!!
  6. Re:Informative Links: by Just Some Guy · · Score: 2, Interesting
    Well, Gentoo is pretty easy to install if you know the right commands. In either case, though, the instructions are completely opaque to anyone who doesn't already know that system inside and out.

    built-djbdns? Oh, that's right - it's not Free Software so Debian can't package it.

    Something about configuring DNS. Maybe to run as "nobody", I presume. I guess we're setting up a cache directory in /etc? Something or another about localhost.

    /var/what?

    I'm not trying to slag on you, but those aren't exactly the most transparent instructions I've seen.

    --
    Dewey, what part of this looks like authorities should be involved?
  7. TCP/IP by Anonymous Coward · · Score: 1, Interesting

    The whole point of Internet Protocol is to facilitate in the sharing of data. Even if you start your own private network you will most likely still use IP.

    I used to be foolish and think like you, but no matter what the physical layer is, it still makes sense to have an IP stack and run Internet Protocol. And even if you have a different protocol, say ATM or some other, you use MPLS, and that translates between any two generic protocols and it all translates to TCP/IP.
    You can't get away from it unless you want to redesign the way that networks behave. And if you do that, why would anyone want it when the Internet already works? Whatever problems we have with BIND will be legion in your proprietary system. As buggy as some people make their versions of BIND, or whatever other piece of the Internet Toolset, there are other vendors or suppliers (often Open Source) who create code that doesn't have those problems.

    Try the private network thing if you want, but it will cost you a lot. Why do this?

  8. Re:Y'know, people keep telling me by Anonymous Coward · · Score: 1, Interesting

    > XP has some awfully cool icons

    Yes, but I don't recognise them because they are not the same as previous versions.

    Windows was 'easy to use' originally, once it had been learnt, because pictures can be recognised rather than 'understood'. A simple scan of the screen and my brain would trigger when the eyes saw what I wanted.

    With XP MS completely stuffed that up. They changed all the icons and the way that, say, control panel worked so as to make it 'cool'. But they made it _useless_ for me, and a retraining cost for users of previous versions. I look at an XP screen and it means nothing.

  9. Re:Comcast, last night all DNS servers down by J. Random Luser · · Score: 2, Interesting

    > There is no such thing as a "good upstream DNS server".

    True, but some are more "reliable" than others.

    > If you want to resolve queries you need to run a DNS cache, use your ISP's, ...

    First part, yes. Second part, don't rely on your ISP alone, especially if he's giving you a DNS address via DHCP. At the first sign of shit, hardwire a more reliable one.