DNS Cache Poisoning Update
dhammabum writes "Today's SANS internet storm handler has put up an excellent update of the DNS poisoning vulnerability currently doing the rounds. The main points are that only Windows DNS servers are vulnerable (degrees of vulnerability depending on patch level), provided you are not running an ancient version of bind. Also bind4 and bind8 do not clean poisoned caches if they receive them from a poisoned Windows DNS server but bind9 does."
Unfortunately djbdns is a bit awkward to install because of djb's insistence on the daemontools manager. There's nothing wrong with it, but the technique for installation is a bit awkward and certainly unlike other Unix-based server software.
That seems fairly reasonable. I don't think you're really protected from poisoning, unless "poisoning" only applies to certain kinds of DNS spoofing. Specifically, first note the exceptions to the djbdns security guarantee (emphasis mine):
Specifically, his forgery page points out that a spoofing attack based on the birthday paradox can still work... although probably tens of millions of packets are required. This page, which I think I got off slashdot before, uses the TCP sequence-number guessing tools to try to attack it. It's probably not quite as secure as djb estimates, but probably still in the millions. They don't seem to have actually run numbers for the randomized-port plus randomized-id, so it's unclear whether they actually attacked that thoroughly.
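The numbers argued over in the comment above (plain ID guessing versus a birthday-style attack, and the effect of adding a randomized source port to the randomized transaction ID) can be put into a small cost model. This is an added example, not code from the original post, from djbdns or from the pages it links: it assumes a 16-bit transaction ID, a full 16-bit source-port range as the "randomized port" (a simplifying assumption; real resolvers reserve some ports), and treats each forged reply as an independent trial that matches one of the resolver's outstanding queries with probability outstanding/space. It is a standard approximation for sizing the risk, not an exact count, and its point for a defender is how much the extra port entropy moves the packet budget.

```python
"""Rough cost model for DNS response forgery (added illustration).

Each forged reply is accepted only if its transaction ID (and, when the
resolver randomizes it, its destination port) matches a query that is
still outstanding.  With `outstanding` queries in flight and `space`
possible (ID, port) combinations, one forged packet succeeds with
probability outstanding / space; packets are modelled as independent
trials.  This is the usual back-of-the-envelope approximation, not an
exact count.
"""
import math

ID_SPACE = 2 ** 16      # 16-bit DNS transaction ID
PORT_SPACE = 2 ** 16    # assumption: full 16-bit source-port range


def success_probability(n_forged, space, outstanding=1):
    """Chance that at least one of n_forged replies is accepted."""
    if outstanding >= space:
        return 1.0
    # P(all fail) = (1 - k/N)^n; log1p keeps precision when k/N is tiny.
    return 1.0 - math.exp(n_forged * math.log1p(-outstanding / space))


def packets_for(target_prob, space, outstanding=1):
    """Smallest number of forged replies that reaches target_prob."""
    if not 0.0 < target_prob < 1.0:
        raise ValueError("target_prob must be strictly between 0 and 1")
    if outstanding >= space:
        return 1
    return math.ceil(math.log1p(-target_prob) / math.log1p(-outstanding / space))


# Scenarios: label -> (entropy space, outstanding queries the attacker
# can keep in flight).  256 outstanding queries is a constructed figure
# standing in for the "birthday" variant the comment refers to.
SCENARIOS = {
    "id only, single query":        (ID_SPACE, 1),
    "id only, 256 in flight":       (ID_SPACE, 256),
    "id + port, single query":      (ID_SPACE * PORT_SPACE, 1),
    "id + port, 256 in flight":     (ID_SPACE * PORT_SPACE, 256),
}


def cost_table(target_prob=0.5):
    """Forged packets needed per scenario for a given success probability."""
    return {label: packets_for(target_prob, space, k)
            for label, (space, k) in SCENARIOS.items()}


if __name__ == "__main__":
    for label, n in cost_table().items():
        print(f"{label:28s} {n:>14,d} packets for a 50% chance")
```

Reading the table: with only a 16-bit ID an attacker who can keep a few hundred queries in flight needs a couple of hundred forged packets, which is why the birthday variant matters; adding the port multiplies the space by roughly 2^16 and pushes the same attack into the tens of millions of packets the comment mentions. That is the argument for making sure a resolver randomizes source ports as well as IDs, and for watching for bursts of unsolicited DNS replies at the resolver's edge.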
I'm a comcast customer, and fucked with my linux router for about an hour last night trying to figure out what the blue hell was going on.
It has a habit of just shitting out every time my dhcp lease expires, rather than refreshing it and moving on with life, so I figured that was it, or perhaps dnsmasq (which I use to proxy for my lan) got fubared.
Eventually I just plugged my cablemodem into a windows box, since they "just work" without fighting a bunch of resolv.conf or /etc/conf.d crap, and it had the same problem.
At that point I realized it was their DNS servers, since I could ping them, but they wouldn't resolve queries, and I just waited it out.
Interesting. Do you know for a fact that it was because of this poisoning stuff, and not because the new guy tripped over the cords?
They could have had their dhcp servers send out, at least temporarily, a good upstream DNS server, rather than piss off umpteen billion customers.
I don't need no instructions to know how to rock!!!!