Slashdot Mirror

← Back to Stories (view on slashdot.org)

DNS Cache Poisoning Update

Posted by Zonk on from the trustno1 dept.

dhammabum writes "Todays SANS internet storm handler has put up an excellent update of the DNS poisoning vulnerability currently doing the rounds. The main points are that only Windows DNS servers are vulnerable (degrees of vulnerability depending on patch level), provided you are not running an ancient version of bind. Also bind4 and bind8 do not clean poisoned caches if they receive them from a poisoned Windows DNS server but bind9 does."

26 of 199 comments (clear)

  1. Informative Links: by TripMaster+Monkey · · Score: 5, Informative


    In the interest of promoting discussion, there is a good definition of DNS poisoning here, and a longer explanation/rant regarding DNS poisoning here.

    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:Informative Links: by TripMaster+Monkey · · Score: 4, Informative

      Hmm...the # sign in the second link doesn't seem to work...sorry...try this link instead.

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    2. Re:Informative Links: by tedgyz · · Score: 3, Informative

      Thanks for the info, but, to coin a phrase, "Where's the beef?" I went to the wiki page hoping to get a clearer understanding, but was left feeling like I had just read a Microsoft help page.

      To sum up...

      DNS Cache Poisoning: DNS Cache Poisoning is the process by which a DNS Server's cache is poisoned.

      I'm not trying to flame. Are there more in depth explanations? Don't worry, I'm not planning on writing a DNS poison worm. :-)

      --
      "No matter where you go, there you are." -- Buckaroo Banzai
    3. Re:Informative Links: by bigberk · · Score: 3, Interesting

      Unfortunately djbdns is a bit awkward to install because of djb's insistence on the daemontools manager. There's nothing wrong with it, but the technique for installation is a bit awkward and certainly unlike other Unix-based server software.

    4. Re:Informative Links: by nothings · · Score: 3, Interesting
      Reposting from the previous slashdot thread, responding to a djbdns user; note specifically that djb admits the forgery resistance is "quantitative, not qualitative".

      While I don't think I'm in the clear because of this, I feel better protected from the (unwashed ;)) internet.

      That seems fairly reasonable. I don't think you're really protected from poisoning, unless "poisoning" only applies to certain kinds of DNS spoofing. Specifically, first note the exceptions to the djbdns security guarantee (emphasis mine):

      • Bugs outside of djbdns, such as OS bugs or browser bugs. (People could seize control of BIND 9.1 through an OpenSSL buffer overflow, but that was a bug in OpenSSL, not in BIND.)
      • The vulnerability of DNS to forgery. (BIND's port reuse makes blind forgery much less expensive, but this is a quantitative difference, not a qualitative difference. The DNS architecture needs cryptographic protection.)
      • Denial-of-service attacks. (BIND 9's fragility makes denial of service completely trivial; but an attacker can easily take down the Domain Name System without using any of BIND's bugs. The DNS architecture needs to be decentralized.)

      Specifically, his forgery page points out that a spoofing attack based on the birthday paradox can still work... although probably tens of millions of packets are required. This page, which I think I got off slashdot before, uses the TCP sequence-number guessing tools to try to attack it. It's probably not quite as secure as djb estimates, but probably still in the millions. They don't seem to have actually run numbers for the randomized-port plus randomized-id, so it's unclear whether they actually attacked that thoroughly.

    5. Re:Informative Links: by ldspartan · · Score: 5, Informative

      apt-get install runit djbdns-installer
      build-djbdns
      dnscache-conf-fhs nobody nobody /etc/dnscache 127.0.0.1
      ln -s /etc/dnscache /var/service/

      Granted, not super-simple, but certainly not hard.

    6. Re:Informative Links: by carpe_noctem · · Score: 5, Informative

      DJB is going to turn into the next RMS if he doesn't stop spouting at the mouth with how inferior all of his competitor's software is. Even his documentation is arrogant, for chrissakes.

      And I'm sorry, but bind9 isn't that complicated. I found djbdns to be much clunkier and difficult to set up. Like all of DJB's software, it relies on retarded configuration files and bizarre notation.

      Don't get me wrong here; I'm a qmail admin myself and I love it, but I dislike it when people talk about his software like it was written by Moses and God and given to mankind for all of eternity. It may be pretty stable and secure, but it lacks common usability and many features of other, traditional DNS software.

      --
      "Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
    7. Re:Informative Links: by Just+Some+Guy · · Score: 4, Insightful
      First, djbdns isn't Free Software, which means that a lot of us won't touch it with a ten-foot pole. See the recent BitKeeper debacle for reasons why that's the pragmatic rationale and not just an ideological decision.

      so much more reliable than BIND

      I have never, not once, ever had BIND fail. I doubt I'm the best DNS admin anywhere, so I imagine it works well for a lot of other people as well.

      Why am I putting my users at risk?

      Because my secondary DNS servers, provided by my registrar, are out of my control. I can't install rsync on them to support the functionality that Dan left out of djbdns.

      If you're a DNS admin, don't waste your time with bugs from the 1990's.

      I'll agree with that. Upgrade to the most recent version of BIND and get on with life. OpenBSD's support of that policy is a pretty strong endorsement.

      --
      Dewey, what part of this looks like authorities should be involved?
    8. Re:Informative Links: by Just+Some+Guy · · Score: 3, Informative
      DJB's software is distributed as source code without any "license".

      Which also means that you can't distribute anything but patches even if you wanted to. Forget about making it part of an OS base distribution, or using any his the proclaimed "better" code to improve any other projects. Basically, it's a proprietary product that happens to ship with source.

      Put another way, I could theoretically provide instructions for replacing Windows' HTML renderer with Gecko, but that doesn't mean that it's a Free (or even Open Source) system.

      I understand your point, truly, but I just don't agree with it.

      djbdns includes an AXFR server.

      That doesn't do much for those who need IXFR.

      --
      Dewey, what part of this looks like authorities should be involved?
    9. Re:Informative Links: by cmacb · · Score: 5, Insightful

      In my experience, software issues occur for one of two reasons:
      (1) "Broken" code:.....

      (2) Bad communication / misuse of code:....

      You left one out:

      (0) Bad Design: The code does everything you intended it to do and the users are using it properly, but you didn't think of all the possible states in which the code could find itself and decide what to do about them.

      This is often lumped in with (1), but shouldn't be IMHO. It's one reason I think that comments in code are valuable (as are formal design documents) since it forces the person, or people doing the design and coding to restate their intentions in at least a couple of different ways.

      I have written and worked with well written specs and they tend to reduce the number of pure coding errors by leaving less to the imagination of the coder. Well written specs can still fail to account for all possibilities however and that's a good reason to have meaningful design discussions (rather than the formally mandated ones that people attend these days in body but not mind).

      There are many people today who think of themselves as ace coders. The world would do well to have more people who are design experts who don't practice coding at all. The two disciplines complement one another well.

    10. Re:Informative Links: by Just+Some+Guy · · Score: 3, Insightful
      I am curious why it is you need IXFR. What kind of network do you have the is unable to send or receive entire zones via AXFR?

      Two words: dynamic DNS.

      There are a lot of little single-entry updates to some of our zones, and IXFR transmits only the changed entries to the slaves.

      How come your zone files are so big, and how come you network is too slow to transfer entire zone files?

      Reverse that: even though our zone files aren't terribly big, why would we want to transfer the whole thing each time? It's the difference between sending a patch file instead source tarball for every update. Isn't efficiency supposed to be a good thing, even when it's not absolutely necessary?

      --
      Dewey, what part of this looks like authorities should be involved?
  2. Same article, 2010. by Silverlancer · · Score: 5, Funny

    The InfoCon is currently set at psychadelic purple-green in response to the realization that Windows is still insecure, even now that Longhorn has been out for nearly 3 years, and has reached service pack 23. We originally went to psychadelic purple-green because we were uncertain of the mechanisms that allowed seemingly "secure" systems to be vulnerable to this issue. Now, however, we know of the mechanisms--Microsoft still makes shitty products, and Windows is still buggy and vulnerable.

    In other news, water is wet.

  3. Update on the Update by Hulkster · · Score: 5, Informative
    That SAN's report actually came out yesterday, the 7th, probably when the article was submitted ... and ISC uses UTC time for their postings. There's an update the next day (today as I write this) where ISC returns the status to Green because they understand the DNS Poisoning problem and have recommendations for people to protect themselves - although it's still an issue.

    Ironically, that same update describes Comcast's nationwide problems that started last night (US Time) and says it was caused by an equipment upgrade and not related to the DNS Cache poisoning. BUT, the problem was not network connectivity, but the DHCP's DNS Servers became unavailable. Read more at DSLReports and (from first hand experience), the work-around was fairly easy which was to manually specify the DNS server, rather than use the DHCP'd one. Comcast says it was resolved about two hours ago - scroll down to the bottom of the page.

  4. dnsmasq is vulnerable too by Ktistec+Machine · · Score: 4, Informative

    ...at least, according to this link from the lwn.net security page.

  5. Y'know, people keep telling me by Anonymous Coward · · Score: 5, Insightful

    "If you don't like windows don't use it"

    Or then telling me, when they find out I don't use it, that I've somehow forfeited the right to complain about it anymore; or trying to hold Microsoft blameless for their security holes because the people who run Microsoft software do so by "choice" so its the users own fault, and they are just hurting themselves.

    But then I keep finding that despite not using Microsoft software, I get negatively impacted by it anyway. Because the Code Red slaves on the network are bombarding me with a constant light DOS looking for that index server or whatever. Because I get bombarded with email viruses and spam from zombie PCs which, while harmless to me, make my email account less useful. Because my DNS server is running Windows.

    Lovely.

    So, look at this. I am being materially negatively impacted by a company whose products I don't even buy. How, exactly, is the invisible hand of the market going to help with this?

    1. Re:Y'know, people keep telling me by MSFanBoi · · Score: 3, Insightful

      Did you bother to read the SANS report? Windows 2000 Sp3+ and Windows Server 2003 DNS servers are NOT affected by this attack. YOu ain't running a 4 year old version of Linux, Unix or MacOS X are you?

    2. Re:Y'know, people keep telling me by wren337 · · Score: 3, Insightful


      The invisible hand of the market has never been any good at managing companies who damage their environment, wether it be pollution, overfishing, or zombie PCs spewing out packets. That's why we balance capitalism with rules and regulations.

  6. Last night... by bhsx · · Score: 4, Informative

    Last night I couldn't reach google, comcast.net (my GF's email[although I warn her everyday about relying on ISP-based email{lock-in and all that...}]), yahoo, and a number of other sites. Strangely, Happypenguin, slashdot and sourceforge all worked just fine. I figured it must have been dns issues and kind of assumed it was this poisonning that's been happenning. Needless to say, it was annoying as hell. Add to that; 800-comcast and 888-comcast were giving fast busy signals, so their call center was being DDOS'd by a swarm of angry customers.

    --
    put the what in the where?
  7. From the Internet storm-in-a-teacup dept... by Eyeball97 · · Score: 5, Informative

    From the article:

    "On Windows 2000 SP3 and above, the DNS server DOES protect against DNS cache pollution by default. The registry key to protect against the poisoning is not necessary: the value is TRUE if the registry key does not exist"

    In other words, many or most 2000 installations should be secure against pollution if their admins posess the slightest clue.

    "Windows DNS --> forwarding to BIND4 or BIND8. Windows DNS server assumes that BIND scrubs out the poisoning attempt. BIND4 and BIND8 do NOT appear to scrub the attack. Windows DNS trusts the data and the Windows DNS cache will become poisoned."

    So much for "only affects MS servers" although the article does mention, and plays down ("ancient versions") the bind4/8 vulnerabilities.
    I'm left wondering how many admins have their dns servers in forwarding mode, and how many of those are forwarding to bind4/8 servers? Very few, I'd think.

    It's important to note, from what I've understood of it so far, that this exploit only affects the "MS server forwarding it's requests to a bind4/8 server" scenario which I would think, would be a pretty negligible number of DNS servers?!

    Another interesting thing that caught my eye, was "On Windows 2000, you should manage the DNS cache protection security setting through the DNS Management Console. On Windows 2000 below SP3, the "Secure cache against pollution" is not the default so you should enable it using the DNS Management Console.
    An admin who didn't already do this is dumb beyond belief, hardly a MS problem! Blaming it on MS is akin to blaming Ford if you forget to lock the door on your car. If you're a DNS admin and didn't think to check your configuration for this very old vulnerability it's time you hung up your admin hat!

    For the record, I'm no more a fan of Windows than I am of *nix - but how much you wanna bet this post'll raise 80% MS bashing comments, 10% "funny" comments, and maybe 10% useful DNS Admin comments?

    1. Re:From the Internet storm-in-a-teacup dept... by AK+Marc · · Score: 4, Insightful

      Blaming it on MS is akin to blaming Ford if you forget to lock the door on your car.

      Nah, It'd be like blaming Ford if they sold all cars without oil in them and had, on page 545 of the 2000 page manual, directions to add oil before use.

      Sure, they tell you and it is documented, but you shouldn't have the server install insecurely by default. The default should be secure, and then you need to enable the services you need. Less user friendly, more secure - that is why it isn't adopted by MS. They made a conscious decision to make it insecure (but easier to use). That is why MS bashing is justified.

      --
      Learn to love Alaska
  8. Get off the network by jeffmeden · · Score: 3, Insightful

    If we were really dealing with an ideal 'invisible hand' at work, the smart, money-saving people would leave 'the' internet and start their own security-required network, which would quickly become the larger network and regain the distinction as 'the' internet, thereby forcing everyone on the 'old' internet to get secure in order to join up. But that doesn't happen, does it. Sadly, the invisible hand is only good at two things, truly open marketplaces, and giving you the finger.

  9. Mod Parent Up by Daedala · · Score: 4, Informative

    It's an externality. The invisible hand of the market isn't going to fix things for you

    --
    What I say does not represent the views of my employers, my friends, my cats, or myself.
  10. link with explanations by Anonymous Coward · · Score: 4, Informative

    Here is a good explanation at security focus

    http://www.securityfocus.com/guest/17905

  11. Additional Bind 9 security by Anonymous Coward · · Score: 3, Informative

    Even if you are already running Bind 9, you should consider reading Rob Thomas' Secure BIND Template for how to best configure bind.

  12. Re:Comcast, last night all DNS servers down by stratjakt · · Score: 3, Interesting

    I'm a comcast customer, and fucked with my linux router for about an hour last night trying to figure out what the blue hell was going on.

    It has a habit of just shitting out every time my dhcp lease expires, rather than refreshing it and moving on with life, so I figured that was it, or perhaps dnsmasq (which I use to proxy for my lan) got fubared.

    Eventually I just plugged my cablemodem into a windows box, since they "just work" without fighting a bunch of resolv.conf or /etc/conf.d crap, and it had the same problem.

    At that point I realized it was their DNS servers, since I could ping them, but they wouldn't resolve queries, and I just waited it out.

    Interesting. Do you know for a fact that it was because of this poisoning stuff, and not because the new guy tripped over the cords?

    They could have had their dhcp servers send out, at least temporarily, a good upstream DNS server, rather than piss off umpteen billion customers.

    --
    I don't need no instructions to know how to rock!!!!
  13. Simple explanation by Otto · · Score: 5, Informative

    DNS Poisoning is possible because of the way some DNS servers work.

    When you want to lookup a site, you send a request to your DNS server, which then does the lookup and returns the results to you.

    Say you need to know the address to www.yahoo.com. You ask the DNS server for it. It doesn't know, so it looks at what it does know. In the simplest case, it knows the address of the DNS server for *.com, so it asks him. He replies that he doesn't know either, but that he knows *.yahoo.com's DNS records are stored at x.x.x.x. So your DNS server goes and asks x.x.x.x. He does know where www.yahoo.com is, tells your DNS server, who then sends you back the address.

    Typically, a DNS Server is running for a lot of users at once, so it improves speed by caching the results of these queries. So if you asked for www.yahoo.com again, your DNS server looks in the cache, finds that www.yahoo.com is in there, and gives you the answer right away. No need to look it up, time saved all around.

    DNS Cache Poisoning is where an attacker tricks a DNS Server into caching incorrect information. This can happen by having a rogue server setup somewhere. So say the nameserver for www.badguy.com has records that say his name is also www.yahoo.com. When you lookup www.badguy.com, and get to that point, badguy.com says "hey, this is my address, and here's some other names that I'm known by: www.yahoo.com". Your DNS Server then stores all that info in his cache. Later you lookup www.yahoo.com and get back the address for www.badguy.com instead.

    That's a slightly oversimplified way to explain it, but that's the gist of it. Somebody can trick your DNS server into giving back bad info. This is a critical security issue, because say they poison your cache and fool you into connecting to their server instead of, say, your bank's. They then give you a web page that looks just like your bank's does, you login as normal, and suddenly they have all your cash.

    Many DNS servers are immune to this. How is simple: They don't cache stuff when badguy.com says he's also yahoo.com. They always go ask who yahoo.com is and only cache that more trustworthy answer.

    However, the DNS system is setup as a hierarchy. Your DNS Server may not talk to root servers all the time, he might route all his queries through another, bigger DNS server. One of the bugs discovered here is that even if your DNS server is not vulnerable, the one just upstream of it might be, and that can propagate down to yours.

    So there you go.

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.