Ten Percent of DNS Servers Still Vulnerable

maotx writes "Even with the uproar caused by the recent DNS attacks, a recent study shows that roughly 10% of 2.5 million DNS servers show that they are still vulnerable to DNS cache poisoning. To put that a little bit more in perspective, of that 10% discovered, 230,000 were identified as potentially vulnerable, 60,000 are very likely to be open to this specific type of attack, and 13,000 have a cache that can definitely be poisoned." From the article: "The use of DNS cache poisoning to steal personal information from people by sending them to spoofed sites is a relatively new threat. Some security companies have called this technique pharming."

What?

[ucahg]

230,000 were identified as potentially vulnerable, 60,000 are very likely to be open to this specific type of attack, and 13,000 have a cache that can definitely be poisoned.

Okay, let's have it for unclear writing!

Seriously, what does this even mean? Of the 250,000 that are vulnerable, 230,000 are vulnerable, 60,000 are vulnerable, and 13,000 are vulnerable.

Okay, that clears it up.

Phor God's sakes!

[Zab+UvWxy]

Some security companies have called this technique pharming.

Phor phuck's sakes! I've had enough of this phreaking 733T-speak from the phucking security compaines! It was original with phreaking; it was mildly amusing with phishing; now it's just annoying.

Why not just leave the terminology as "DNS cache poisoning" and be done with it?
[/rant]

Re:Phor God's sakes!

[TheSneak]

-Pharming!? Who the hell makes up these names anyways?

-He's new sir. Guy by the name of "Daffy duck".

-You realize of course, that this means war...

Re:How can I check my own DNS configuration for th

[Malor]

I'm confused about this one too. This is what I THINK is going on with this exploit. Hopefully, someone who ACTUALLY knows will correct my mistakes. :)

One of the possible ways to set up a DNS server is as a 'forwarder'. This means that it doesn't do lookups itself, but rather passes all DNS requests to another machine, gets replies, and then sends replies to the clients. One reason you might do this would be to distribute DNS load in a big ISP; you have a few machines that do the actual outbound DNS determination, and then the cache ripples back to the servers that are actually talking directly to the clients. DNS is fairly low-load, relatively speaking... this architecture would date from when everyone was deploying 50Mhz machines as servers. I'll call the local BINDs 'caching' servers, and the one doing the actual lookups on the internet the 'point' server.

So in and of itself, this architecture isn't a problem. But one of the features of the DNS protocol is that any server can send back more data than what was actually asked for, even data that is totally unrelated to the main query. Caching BIND servers by default trust their point server. And, when functioning as a point forwarder, BIND4 and BIND8 apparently just pass along queries they receive without checking them. The point BIND assumes that the caching BINDs are checking, while the caching BINDs assume the point BIND is checking, and the packet never gets checked for sanity at all.

So Joe Hacker snoops around... he tries to find DNS servers on your network. Once he finds one, he queries it for a name in a domain he controls. (or he initiates a connection to a webserver on the same machine, which may cause the same DNS lookup). He watches for the request to his DNS server coming from a DIFFERENT machine. That often indicates a forwarder configuration.

So he waits for his cached info to expire, and does it again... except this time, his reply packet includes extra information, "Oh, by the way, www.microsoft.com is on joes.evil.server.here." If BIND4 or BIND8 is the functioning as the master lookup in a forward configuration, it just passes along the packets it receives. And when BIND is in a SLAVE configuration, it just trusts what it gets from the forwarder. So suddenly, your whole network is connecting to joes.evil.server.here instead of www.microsoft.com. And if it doesn't work, oh well, next DNS server... this is a very low-profile attack. You have to really be LOOKING for it to be able to see it.

Apparently, the workarounds are A) don't use a forwarder configuration. There's no real need for this anymore, even a cheap 1ghz machine with a gig or so of ram will serve tens of thousands of clients. B) if you MUST use a forwarder, use BIND9 (or, presumably, DJBDNS) as your 'point' machine. BIND9 does sanity checking when it's on point.

Hopefully I got this right. I haven't been paying much attention to this before, because I (rightly) didn't think it affected me. If I'm wrong, PLEASE correct me, I hate to spread misinformation.