Slashdot Mirror

← Back to Stories (view on slashdot.org)

DNS Cache Poisoning Update

Posted by Zonk on from the trustno1 dept.

dhammabum writes "Todays SANS internet storm handler has put up an excellent update of the DNS poisoning vulnerability currently doing the rounds. The main points are that only Windows DNS servers are vulnerable (degrees of vulnerability depending on patch level), provided you are not running an ancient version of bind. Also bind4 and bind8 do not clean poisoned caches if they receive them from a poisoned Windows DNS server but bind9 does."

46 of 199 comments (clear)

  1. Informative Links: by TripMaster+Monkey · · Score: 5, Informative


    In the interest of promoting discussion, there is a good definition of DNS poisoning here, and a longer explanation/rant regarding DNS poisoning here.

    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:Informative Links: by TripMaster+Monkey · · Score: 4, Informative

      Hmm...the # sign in the second link doesn't seem to work...sorry...try this link instead.

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    2. Re:Informative Links: by Anonymous Coward · · Score: 2, Informative

      Yes, what DJB is actually pointing out there are *bugs* in most DNS implementations, that do not exist in his djbdns package.

      djbdns is, and always has been, immune to cache poisoning.

      It is also simpler, much easier to use and maintain, and so much more reliable than BIND or Windows DNS. It also has never had a buffer overflow or other security problem.

      If you're running another DNS package, and *especially* BIND, go to the nearest mirror and ask yourself "Why am I putting my users at risk? Why am I using badly-written software voluntarily?"

      My DNS server, which I set up a while back with FreeBSD and djbdns, has never been rebooted, patched, or upgraded. It has never had a problem, and in fact dnscache has never even been *restarted* except once to increase the size of the cache. (And note that when you tell dnscache to use N bytes, that's exactly what it uses).

      If you're a DNS admin, don't waste your time with bugs from the 1990's. Install djbdns and get on with life.

    3. Re:Informative Links: by ThosLives · · Score: 2, Interesting
      This is great at explaining what this is, but why could this happen?

      Is this a poor implementation of the DNS spec, or is the DNS spec itself to blame for allowing such "poisoning" to occur?

      In my experience, software issues occur for one of two reasons:

      1. "Broken" code: The code doesn't do what you think it should- for instance, a function is supposed to return the sum of two numbers but it returns the difference. These errors are actually not that common in my experience (probably because it is easy to test against).
      2. Bad communication / misuse of code: there's a function that is designed to add two numbers, but you think it returns the difference, and you use the results incorrectly. Also included in this category are the "The software does X, but we really wanted it to do Y even though we told you something else," and "We changed the interface with that, but [didn't tell anyone] or [you didn't read the documentation]" type of errors, as well as poor specification processes: for instance, a spec that says "write a function that averages numbers" but doesn't tell how to handle overflows is a "communications" bug in that information is left out. These are the nasty errors, because it is not feasible to reliably test that "people are communicating properly." Note: I'd also include "malicious misuse of code" in this section, becuase it's basically people lying about what the software does.
      --
      "There are a dozen opinions on a matter until you know the truth. Then there is only one." - CS Lewis (paraprhase)
    4. Re:Informative Links: by foobsr · · Score: 2, Informative

      The second link already seems to show white, so not exactly a replacement but perhaps an addendum.

      CC.

      --
      TaijiQuan (Huang, 5 loosenings)
    5. Re:Informative Links: by tedgyz · · Score: 3, Informative

      Thanks for the info, but, to coin a phrase, "Where's the beef?" I went to the wiki page hoping to get a clearer understanding, but was left feeling like I had just read a Microsoft help page.

      To sum up...

      DNS Cache Poisoning: DNS Cache Poisoning is the process by which a DNS Server's cache is poisoned.

      I'm not trying to flame. Are there more in depth explanations? Don't worry, I'm not planning on writing a DNS poison worm. :-)

      --
      "No matter where you go, there you are." -- Buckaroo Banzai
    6. Re:Informative Links: by bigberk · · Score: 3, Interesting

      Unfortunately djbdns is a bit awkward to install because of djb's insistence on the daemontools manager. There's nothing wrong with it, but the technique for installation is a bit awkward and certainly unlike other Unix-based server software.

    7. Re:Informative Links: by nothings · · Score: 3, Interesting
      Reposting from the previous slashdot thread, responding to a djbdns user; note specifically that djb admits the forgery resistance is "quantitative, not qualitative".

      While I don't think I'm in the clear because of this, I feel better protected from the (unwashed ;)) internet.

      That seems fairly reasonable. I don't think you're really protected from poisoning, unless "poisoning" only applies to certain kinds of DNS spoofing. Specifically, first note the exceptions to the djbdns security guarantee (emphasis mine):

      • Bugs outside of djbdns, such as OS bugs or browser bugs. (People could seize control of BIND 9.1 through an OpenSSL buffer overflow, but that was a bug in OpenSSL, not in BIND.)
      • The vulnerability of DNS to forgery. (BIND's port reuse makes blind forgery much less expensive, but this is a quantitative difference, not a qualitative difference. The DNS architecture needs cryptographic protection.)
      • Denial-of-service attacks. (BIND 9's fragility makes denial of service completely trivial; but an attacker can easily take down the Domain Name System without using any of BIND's bugs. The DNS architecture needs to be decentralized.)

      Specifically, his forgery page points out that a spoofing attack based on the birthday paradox can still work... although probably tens of millions of packets are required. This page, which I think I got off slashdot before, uses the TCP sequence-number guessing tools to try to attack it. It's probably not quite as secure as djb estimates, but probably still in the millions. They don't seem to have actually run numbers for the randomized-port plus randomized-id, so it's unclear whether they actually attacked that thoroughly.

    8. Re:Informative Links: by ldspartan · · Score: 5, Informative

      apt-get install runit djbdns-installer
      build-djbdns
      dnscache-conf-fhs nobody nobody /etc/dnscache 127.0.0.1
      ln -s /etc/dnscache /var/service/

      Granted, not super-simple, but certainly not hard.

    9. Re:Informative Links: by carpe_noctem · · Score: 5, Informative

      DJB is going to turn into the next RMS if he doesn't stop spouting at the mouth with how inferior all of his competitor's software is. Even his documentation is arrogant, for chrissakes.

      And I'm sorry, but bind9 isn't that complicated. I found djbdns to be much clunkier and difficult to set up. Like all of DJB's software, it relies on retarded configuration files and bizarre notation.

      Don't get me wrong here; I'm a qmail admin myself and I love it, but I dislike it when people talk about his software like it was written by Moses and God and given to mankind for all of eternity. It may be pretty stable and secure, but it lacks common usability and many features of other, traditional DNS software.

      --
      "Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
    10. Re:Informative Links: by Just+Some+Guy · · Score: 4, Insightful
      First, djbdns isn't Free Software, which means that a lot of us won't touch it with a ten-foot pole. See the recent BitKeeper debacle for reasons why that's the pragmatic rationale and not just an ideological decision.

      so much more reliable than BIND

      I have never, not once, ever had BIND fail. I doubt I'm the best DNS admin anywhere, so I imagine it works well for a lot of other people as well.

      Why am I putting my users at risk?

      Because my secondary DNS servers, provided by my registrar, are out of my control. I can't install rsync on them to support the functionality that Dan left out of djbdns.

      If you're a DNS admin, don't waste your time with bugs from the 1990's.

      I'll agree with that. Upgrade to the most recent version of BIND and get on with life. OpenBSD's support of that policy is a pretty strong endorsement.

      --
      Dewey, what part of this looks like authorities should be involved?
    11. Re:Informative Links: by Just+Some+Guy · · Score: 2, Interesting
      Well, Gentoo is pretty easy to install if you know the right commands. In either case, though, the instructions are completely opaque to anyone who doesn't already know that system inside and out.

      built-djbdns? Oh, that's right - it's not Free Software so Debian can't package it.

      Something about configuring DNS. Maybe to run as "nobody", I presume. I guess we're setting up a cache directory in /etc? Something or another about localhost.

      /var/what?

      I'm not trying to slag on you, but those aren't exactly the most transparent instructions I've seen.

      --
      Dewey, what part of this looks like authorities should be involved?
    12. Re:Informative Links: by Electrum · · Score: 2, Insightful

      First, djbdns isn't Free Software, which means that a lot of us won't touch it with a ten-foot pole. See the recent BitKeeper debacle for reasons why that's the pragmatic rationale and not just an ideological decision.

      There is a HUGE difference between BitKeeper and DJB's copyrighted software. DJB's software is distributed as source code without any "license". This means that you will always have the option of using, modifying and distributing patches for any released version. He can't suddenly take the software away from you.

      I can't install rsync on them to support the functionality that Dan left out of djbdns.

      djbdns includes an AXFR server.

    13. Re:Informative Links: by Anonymous Coward · · Score: 2, Informative

      If that DJB bloke weren't so damn arrogant, many admins would have much less of a problem with using his software.

    14. Re:Informative Links: by Just+Some+Guy · · Score: 3, Informative
      DJB's software is distributed as source code without any "license".

      Which also means that you can't distribute anything but patches even if you wanted to. Forget about making it part of an OS base distribution, or using any his the proclaimed "better" code to improve any other projects. Basically, it's a proprietary product that happens to ship with source.

      Put another way, I could theoretically provide instructions for replacing Windows' HTML renderer with Gecko, but that doesn't mean that it's a Free (or even Open Source) system.

      I understand your point, truly, but I just don't agree with it.

      djbdns includes an AXFR server.

      That doesn't do much for those who need IXFR.

      --
      Dewey, what part of this looks like authorities should be involved?
    15. Re:Informative Links: by ThosLives · · Score: 2, Informative
      I'm not that familiar with how DNS works (other than, "hey DNS server, give me the address for xyz.com" and it spits back either an address or "I've never heard of that"), but it appears you're saying that if I try to get an IP address for "foo.com" some DNS server will tell me I really wanted "google.com"? I don't understand how that's possible.

      Or, do you mean that I send on some information like "I want foo.com and I once got it at 1.2.3.4 - is this right?" and the DNS responds with "well, I think 1.2.3.4 belongs to google.com and foo.com is at 10.9.8.7"? At that point, the way I see it, it becomes really difficult to tell what name goes with what address without some physical mechanism. And that, of course, is the whole issue of "remote security".

      --
      "There are a dozen opinions on a matter until you know the truth. Then there is only one." - CS Lewis (paraprhase)
    16. Re:Informative Links: by cmacb · · Score: 5, Insightful

      In my experience, software issues occur for one of two reasons:
      (1) "Broken" code:.....

      (2) Bad communication / misuse of code:....

      You left one out:

      (0) Bad Design: The code does everything you intended it to do and the users are using it properly, but you didn't think of all the possible states in which the code could find itself and decide what to do about them.

      This is often lumped in with (1), but shouldn't be IMHO. It's one reason I think that comments in code are valuable (as are formal design documents) since it forces the person, or people doing the design and coding to restate their intentions in at least a couple of different ways.

      I have written and worked with well written specs and they tend to reduce the number of pure coding errors by leaving less to the imagination of the coder. Well written specs can still fail to account for all possibilities however and that's a good reason to have meaningful design discussions (rather than the formally mandated ones that people attend these days in body but not mind).

      There are many people today who think of themselves as ace coders. The world would do well to have more people who are design experts who don't practice coding at all. The two disciplines complement one another well.

    17. Re:Informative Links: by Just+Some+Guy · · Score: 3, Insightful
      I am curious why it is you need IXFR. What kind of network do you have the is unable to send or receive entire zones via AXFR?

      Two words: dynamic DNS.

      There are a lot of little single-entry updates to some of our zones, and IXFR transmits only the changed entries to the slaves.

      How come your zone files are so big, and how come you network is too slow to transfer entire zone files?

      Reverse that: even though our zone files aren't terribly big, why would we want to transfer the whole thing each time? It's the difference between sending a patch file instead source tarball for every update. Isn't efficiency supposed to be a good thing, even when it's not absolutely necessary?

      --
      Dewey, what part of this looks like authorities should be involved?
    18. Re:Informative Links: by mlyle · · Score: 2, Informative

      He's talking about a CNAME; a CNAME is like a symbolic link for DNS. That is, if you try and look up www.foo.com, it can contain a CNAME saying that www.foo.com is an alias for www.google.com. This can be really nice, because if you have many services running on one server, you can CNAME (e.g. you could have one big host, bigserver, and CNAME www.whatever.com for multiple domains to bigserver; if bigserver's address gets changed, you only need to modify one zone file).

      If a DNS server returns a CNAME record, it's supposed to return an address record for the destination server if it can; e.g. it says

      www.foo.com. IN CNAME www.google.com.
      www.google.com. IN A 64.233.187.99

      Bad things happen if the server that hosts DNS for foo.com is malicious and returns an invalid address for www.google.com; because naïve DNS implementations would then trust foo.com's address for google.com.

    19. Re:Informative Links: by greed · · Score: 2, Insightful

      To give the explanation of DNS poisoning in a slightly different way (based on what I know of BIND, DNS and from the SANS pages from earlier)....

      I'll assume everyone's up on how a cache works. DNS poisoning is possible on DNS caches which aren't suitably paranoid about how data gets into the cache.

      Basically, a server that is trying to poison a cache sends additional records with its answer, and those records are unrelated to the question.

      So, you ask "What is the address of bogusserver.badguy.com?". In the answer you get back, it says something like this:

      bogusserver.badguy.com. IN A 192.168.12.12
      com. IN NS 192.168.12.12

      (For those that don't know, a DNS name ending with '.' is considered an absolute name; the "root" of the DNS is noted with a single '.'.)

      That answer above gives the host address of bogusserver.badguy.com (the "A" record) and a nameserver address for all of "com" (the "NS" record). (These examples are IPv4 only, that's effectively what the "IN" means.)

      So, a poison-resistant DNS will reject all the parts of the answer that do not match the question. "What, com.? I asked about bogusserver.badguy.com.! Forget this bit about com.!"

      One that is susceptible to poisoning will accept the updated record for "com." also, and enter it into the cache. Since it didn't need to know about the nameserver for com., the only part that matters is that it is caching the wrong nameserver address. Now, anyone who asks that DNS cache for the name server address for ALL of "com." gets the address injected by the nameserver for bogusserver.badguy.com. At that point, that nameserver can tell your client whatever it wants. All future lookups for "com.", until the cache expires (usually 2-7 days), will use the malicious server.

      Some servers make this worse by invalidating all entries for a domain when the nameserver entry is updated for that domain--forcing a query of the malicious server for sites that are used often (and hence are in the cache).

      This attack DOES require that someone requests a name that will trigger a query of a malicious nameserver. This is pretty easy, though; send mail that will bounce with an envelope-from address in the malicious domain.

  2. Same article, 2010. by Silverlancer · · Score: 5, Funny

    The InfoCon is currently set at psychadelic purple-green in response to the realization that Windows is still insecure, even now that Longhorn has been out for nearly 3 years, and has reached service pack 23. We originally went to psychadelic purple-green because we were uncertain of the mechanisms that allowed seemingly "secure" systems to be vulnerable to this issue. Now, however, we know of the mechanisms--Microsoft still makes shitty products, and Windows is still buggy and vulnerable.

    In other news, water is wet.

    1. Re:Same article, 2010. by Silverlancer · · Score: 2, Funny

      more like sp1 m i rite?

      Holy shit, I think my head just exploded.

  3. Update on the Update by Hulkster · · Score: 5, Informative
    That SAN's report actually came out yesterday, the 7th, probably when the article was submitted ... and ISC uses UTC time for their postings. There's an update the next day (today as I write this) where ISC returns the status to Green because they understand the DNS Poisoning problem and have recommendations for people to protect themselves - although it's still an issue.

    Ironically, that same update describes Comcast's nationwide problems that started last night (US Time) and says it was caused by an equipment upgrade and not related to the DNS Cache poisoning. BUT, the problem was not network connectivity, but the DHCP's DNS Servers became unavailable. Read more at DSLReports and (from first hand experience), the work-around was fairly easy which was to manually specify the DNS server, rather than use the DHCP'd one. Comcast says it was resolved about two hours ago - scroll down to the bottom of the page.

  4. dnsmasq is vulnerable too by Ktistec+Machine · · Score: 4, Informative

    ...at least, according to this link from the lwn.net security page.

  5. Y'know, people keep telling me by Anonymous Coward · · Score: 5, Insightful

    "If you don't like windows don't use it"

    Or then telling me, when they find out I don't use it, that I've somehow forfeited the right to complain about it anymore; or trying to hold Microsoft blameless for their security holes because the people who run Microsoft software do so by "choice" so its the users own fault, and they are just hurting themselves.

    But then I keep finding that despite not using Microsoft software, I get negatively impacted by it anyway. Because the Code Red slaves on the network are bombarding me with a constant light DOS looking for that index server or whatever. Because I get bombarded with email viruses and spam from zombie PCs which, while harmless to me, make my email account less useful. Because my DNS server is running Windows.

    Lovely.

    So, look at this. I am being materially negatively impacted by a company whose products I don't even buy. How, exactly, is the invisible hand of the market going to help with this?

    1. Re:Y'know, people keep telling me by djmurdoch · · Score: 2, Insightful

      So, look at this. I am being materially negatively impacted by a company whose products I don't even buy. How, exactly, is the invisible hand of the market going to help with this?

      You need to use a visible hand to get the invisible hand to work. Put together and win a class action suit, cost them lots of money. Then the price of Windows will go up, and fewer people will use it.

    2. Re:Y'know, people keep telling me by MSFanBoi · · Score: 3, Insightful

      Did you bother to read the SANS report? Windows 2000 Sp3+ and Windows Server 2003 DNS servers are NOT affected by this attack. YOu ain't running a 4 year old version of Linux, Unix or MacOS X are you?

    3. Re:Y'know, people keep telling me by pinkfalcon · · Score: 2, Funny


      Actually I am:

      - Uptime for myrouter.home.ericzeller.com -
      Now : 91 day(s), 13:18:11 running Linux 2.2.19pre13
      One : 413 day(s), 06:14:44 running Linux 2.2.19pre13, ended Wed Jan 5 21:32:40 2005
      Two : 377 day(s), 00:26:56 running Linux 2.2.19pre13, ended Sat Dec 14 13:26:46 2002
      Three: 117 day(s), 04:39:46 running Linux 2.2.19pre13, ended Thu Oct 2 17:42:38 2003

      --
      Real SUV's don't have cupholders
      It's 5:42 A.M., do you know where your stack pointer is?
    4. Re:Y'know, people keep telling me by wren337 · · Score: 3, Insightful


      The invisible hand of the market has never been any good at managing companies who damage their environment, wether it be pollution, overfishing, or zombie PCs spewing out packets. That's why we balance capitalism with rules and regulations.

  6. Last night... by bhsx · · Score: 4, Informative

    Last night I couldn't reach google, comcast.net (my GF's email[although I warn her everyday about relying on ISP-based email{lock-in and all that...}]), yahoo, and a number of other sites. Strangely, Happypenguin, slashdot and sourceforge all worked just fine. I figured it must have been dns issues and kind of assumed it was this poisonning that's been happenning. Needless to say, it was annoying as hell. Add to that; 800-comcast and 888-comcast were giving fast busy signals, so their call center was being DDOS'd by a swarm of angry customers.

    --
    put the what in the where?
  7. Comcast DNS issues coincidence? by spoonyfork · · Score: 2, Interesting

    Could it be coincidence that Comcast is currently experiencing DNS issues? Probably.. but it makes me wonder.

    --
    Speak truth to power.
  8. From the Internet storm-in-a-teacup dept... by Eyeball97 · · Score: 5, Informative

    From the article:

    "On Windows 2000 SP3 and above, the DNS server DOES protect against DNS cache pollution by default. The registry key to protect against the poisoning is not necessary: the value is TRUE if the registry key does not exist"

    In other words, many or most 2000 installations should be secure against pollution if their admins posess the slightest clue.

    "Windows DNS --> forwarding to BIND4 or BIND8. Windows DNS server assumes that BIND scrubs out the poisoning attempt. BIND4 and BIND8 do NOT appear to scrub the attack. Windows DNS trusts the data and the Windows DNS cache will become poisoned."

    So much for "only affects MS servers" although the article does mention, and plays down ("ancient versions") the bind4/8 vulnerabilities.
    I'm left wondering how many admins have their dns servers in forwarding mode, and how many of those are forwarding to bind4/8 servers? Very few, I'd think.

    It's important to note, from what I've understood of it so far, that this exploit only affects the "MS server forwarding it's requests to a bind4/8 server" scenario which I would think, would be a pretty negligible number of DNS servers?!

    Another interesting thing that caught my eye, was "On Windows 2000, you should manage the DNS cache protection security setting through the DNS Management Console. On Windows 2000 below SP3, the "Secure cache against pollution" is not the default so you should enable it using the DNS Management Console.
    An admin who didn't already do this is dumb beyond belief, hardly a MS problem! Blaming it on MS is akin to blaming Ford if you forget to lock the door on your car. If you're a DNS admin and didn't think to check your configuration for this very old vulnerability it's time you hung up your admin hat!

    For the record, I'm no more a fan of Windows than I am of *nix - but how much you wanna bet this post'll raise 80% MS bashing comments, 10% "funny" comments, and maybe 10% useful DNS Admin comments?

    1. Re:From the Internet storm-in-a-teacup dept... by AK+Marc · · Score: 4, Insightful

      Blaming it on MS is akin to blaming Ford if you forget to lock the door on your car.

      Nah, It'd be like blaming Ford if they sold all cars without oil in them and had, on page 545 of the 2000 page manual, directions to add oil before use.

      Sure, they tell you and it is documented, but you shouldn't have the server install insecurely by default. The default should be secure, and then you need to enable the services you need. Less user friendly, more secure - that is why it isn't adopted by MS. They made a conscious decision to make it insecure (but easier to use). That is why MS bashing is justified.

      --
      Learn to love Alaska
    2. Re:From the Internet storm-in-a-teacup dept... by Anonymous Coward · · Score: 2, Informative

      "In other words, many or most 2000 installations should be secure against pollution if their admins posess the slightest clue."

      Actually, no clue needed. Win2k DNS server has since SP3 made this the default setting. Win2003 DNS server also makes this the default setting.

      So, zero action is required by Windows DNS admins, unless for some reason they are running Win2k pre-SP3, or NT4. Even with these older versions of the OS, a single setting change secures the box from DNS poisoning.

    3. Re:From the Internet storm-in-a-teacup dept... by Anonymous Coward · · Score: 2, Informative

      Except you are wrong. Go back and re-read the article.

      WRT DNS poisoning, Windows DNS servers have been secure by default since Windows 2000 SP3. The only vulnerability exists if they are getting already poisoned data from a vulnerable server (BIND4/8) used as a forwarder.

  9. DNS poisoning? by Nom+du+Keyboard · · Score: 2, Funny

    DNS poisoning?
    What DNS poisoning?
    Isn't this www.NerdsMeetingExcitingGirlsOnLine.org?

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  10. Get off the network by jeffmeden · · Score: 3, Insightful

    If we were really dealing with an ideal 'invisible hand' at work, the smart, money-saving people would leave 'the' internet and start their own security-required network, which would quickly become the larger network and regain the distinction as 'the' internet, thereby forcing everyone on the 'old' internet to get secure in order to join up. But that doesn't happen, does it. Sadly, the invisible hand is only good at two things, truly open marketplaces, and giving you the finger.

  11. Mod Parent Up by Daedala · · Score: 4, Informative

    It's an externality. The invisible hand of the market isn't going to fix things for you

    --
    What I say does not represent the views of my employers, my friends, my cats, or myself.
  12. link with explanations by Anonymous Coward · · Score: 4, Informative

    Here is a good explanation at security focus

    http://www.securityfocus.com/guest/17905

  13. Additional Bind 9 security by Anonymous Coward · · Score: 3, Informative

    Even if you are already running Bind 9, you should consider reading Rob Thomas' Secure BIND Template for how to best configure bind.

  14. Re:Comcast, last night all DNS servers down by stratjakt · · Score: 3, Interesting

    I'm a comcast customer, and fucked with my linux router for about an hour last night trying to figure out what the blue hell was going on.

    It has a habit of just shitting out every time my dhcp lease expires, rather than refreshing it and moving on with life, so I figured that was it, or perhaps dnsmasq (which I use to proxy for my lan) got fubared.

    Eventually I just plugged my cablemodem into a windows box, since they "just work" without fighting a bunch of resolv.conf or /etc/conf.d crap, and it had the same problem.

    At that point I realized it was their DNS servers, since I could ping them, but they wouldn't resolve queries, and I just waited it out.

    Interesting. Do you know for a fact that it was because of this poisoning stuff, and not because the new guy tripped over the cords?

    They could have had their dhcp servers send out, at least temporarily, a good upstream DNS server, rather than piss off umpteen billion customers.

    --
    I don't need no instructions to know how to rock!!!!
  15. Re:Comcast, last night all DNS servers down by Electrum · · Score: 2

    They could have had their dhcp servers send out, at least temporarily, a good upstream DNS server, rather than piss off umpteen billion customers.

    There is no such thing as a "good upstream DNS server". There are authoritative DNS servers and there are DNS caches (also called resolvers). The root DNS servers are authoritative only. You cannot use them to resolve DNS queries.

    If you want to resolve queries you need to run a DNS cache, use your ISP's, or use one somewhere else that someone left open. Running a promiscuous DNS cache is a bad idea.

  16. Djbdns - immune to DNS cache poisoning by bad_outlook · · Score: 2, Informative
    Djdns deserves another mention. Here's the thread that came up a few days ago on the subject. I'm running it on FreeBSD now, and have learned allot through this discussion (that hasn't happened to me on /. for a long time either, so it was pretty cool.

    Previous /. THREAD

    Djbdns site with a ton of good information

    I like it.

    bo

    --
    bad_outlook
    --
    Is this vague enough for you?
  17. Simple explanation by Otto · · Score: 5, Informative

    DNS Poisoning is possible because of the way some DNS servers work.

    When you want to lookup a site, you send a request to your DNS server, which then does the lookup and returns the results to you.

    Say you need to know the address to www.yahoo.com. You ask the DNS server for it. It doesn't know, so it looks at what it does know. In the simplest case, it knows the address of the DNS server for *.com, so it asks him. He replies that he doesn't know either, but that he knows *.yahoo.com's DNS records are stored at x.x.x.x. So your DNS server goes and asks x.x.x.x. He does know where www.yahoo.com is, tells your DNS server, who then sends you back the address.

    Typically, a DNS Server is running for a lot of users at once, so it improves speed by caching the results of these queries. So if you asked for www.yahoo.com again, your DNS server looks in the cache, finds that www.yahoo.com is in there, and gives you the answer right away. No need to look it up, time saved all around.

    DNS Cache Poisoning is where an attacker tricks a DNS Server into caching incorrect information. This can happen by having a rogue server setup somewhere. So say the nameserver for www.badguy.com has records that say his name is also www.yahoo.com. When you lookup www.badguy.com, and get to that point, badguy.com says "hey, this is my address, and here's some other names that I'm known by: www.yahoo.com". Your DNS Server then stores all that info in his cache. Later you lookup www.yahoo.com and get back the address for www.badguy.com instead.

    That's a slightly oversimplified way to explain it, but that's the gist of it. Somebody can trick your DNS server into giving back bad info. This is a critical security issue, because say they poison your cache and fool you into connecting to their server instead of, say, your bank's. They then give you a web page that looks just like your bank's does, you login as normal, and suddenly they have all your cash.

    Many DNS servers are immune to this. How is simple: They don't cache stuff when badguy.com says he's also yahoo.com. They always go ask who yahoo.com is and only cache that more trustworthy answer.

    However, the DNS system is setup as a hierarchy. Your DNS Server may not talk to root servers all the time, he might route all his queries through another, bigger DNS server. One of the bugs discovered here is that even if your DNS server is not vulnerable, the one just upstream of it might be, and that can propagate down to yours.

    So there you go.

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
  18. Re:It's all very muddy by Vainglorious+Coward · · Score: 2, Informative

    what would it take to get aohell.com to ask lameproducts.com who shopping.yahoo.com is, and why would aohell.com even trust some unrelated site in the first place so that it could be tricked into asking?

    The client *doesn't* ask the lameproducts.com DNS server about shopping.yahoo.com, it asks about something in the lameproducts.com domain (typically, prompted by an image embedded in an HTML email). The lameproducts.com DNS server sends back the answer about the request for the system in the lameproducts.com domain, but it *also* tacks on some more information about other domains for which it is not authoritative. A sensible client would simply ignore this additional information since (a) it never asked for it and (b) the information is outside the responding DNS's bailiwick. Unfortunately, there's a number of DNS caches out there that do not take a sensible approach.

    --
    My next sig will be ready soon, but subscribers can beat the rush
  19. Re:Comcast, last night all DNS servers down by J.+Random+Luser · · Score: 2, Interesting

    There is no such thing as a "good upstream DNS server".
    True, but some are more "reliable" than others.

    If you want to resolve queries you need to run a DNS cache, use your ISP's, ...
    First part, yes. Second part, don't rely on your ISP alone, specially if he's giving you a DNS address via DHCP. At the first sign of shit, hardwire a more reliable one.