Slashdot Mirror

← Back to Stories (view on slashdot.org)

Attack Code Published For DNS Vulnerability

Posted by samzenpus on from the protect-ya-neck dept.

get_Rootin writes "That didn't take long. ZDNet is reporting that HD Moore has released exploit code for Dan Kaminsky's DNS cache poisioning vulnerability into the point-and-click Metasploit attack tool. From the article: 'This exploit caches a single malicious host entry into the target nameserver. By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing target nameserver to insert the additional record into the cache.' Here's our previous Slashdot coverage."

72 of 205 comments (clear)

  1. Here we go... by LostCluster · · Score: 4, Interesting

    This has to be the worst time ever to be a web surfer. How long until we see the major networks broadcasting the legit IP quads of sites we want to reach?

    1. Re:Here we go... by Carnildo · · Score: 4, Informative

      This has to be the worst time ever to be a web surfer. How long until we see the major networks broadcasting the legit IP quads of sites we want to reach?

      There's nothing new about this. DNS cache poisoning attacks have been found before, and the internet hasn't melted down yet. If you're paranoid, run your own caching resolver.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    2. Re:Here we go... by Darkness404 · · Score: 3, Insightful

      This has to be the worst time ever to be a web surfer.

      Ummm... No. Today I can easily surf the 'net with just about every ad blocked, have Flash blocked when I want it to, but re-enable it for say, YouTube, all at the click of a mouse. I can use an OS and browser that is free and open source. I can surf 100% anonymously easily. I can download every video game I played as a child in less than an hour. And I can hear just about any song I ever would want to hear in less than a minute.

      Sure, some things suck today, BT throttling, the ISP's "No-Usenet" crusades, but all in all, it is a better time than the very early 2000s or the late 90s.

      --
      Taxation is legalized theft, no more, no less.
    3. Re:Here we go... by Vectronic · · Score: 4, Funny

      "And I can hear just about any song I ever would want to hear in less than a minute."

      Shit, you should check out some of the songs that are longer than a minute, there's some good ones out there, but, yes...those quick little punk ditties are good too.

    4. Re:Here we go... by Martin+Blank · · Score: 5, Interesting

      You may still not be safe. If someone can fire off a XSS attack through your browser, it could do enough lookups to make you vulnerable. Combine this with a periodic other run to a controlled server to grab your source port for guessing (presuming that you have not patched), and you may have a problem.

      Granted, it's unlikely that you would explicitly be targeted, and things like NoScript help defend against it, but there are still possible gaps. In fact, there are several tens of million of systems which will remain vulnerable for some time to come; I haven't seen many SOHO router firmware fixes released so far, and a lot of people point to their routers for their DNS.

      --
      You can never go home again... but I guess you can shop there.
    5. Re:Here we go... by Mordok-DestroyerOfWo · · Score: 2, Funny

      Maybe he just speeds them up so they fit to a nice round minute. I for one would love to hear Freebird sped up so it lasts a minute.

      --
      "Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
    6. Re:Here we go... by Vectronic · · Score: 4, Interesting

      lol... you should try it, then you wouldnt think so... I just did (in Sound Forge)... cut it down to 1:08, its just noise... cutting it down to 50% is alright though (4:35)... but somewhere around 65% (5:57) is about right, sounds kinda "proper".

    7. Re:Here we go... by Anonymous Coward · · Score: 5, Insightful

      Yes, there was. Before there was bailiwick filtering, spoofing was even easier. Back in the days, DNS servers would even accept "responses" with bogus data out of the blue. We've come a long way and we don't stop here. A patch of bad weather is ahead, but the sky is not falling.

    8. Re:Here we go... by Anonymous Coward · · Score: 4, Insightful

      This attack vector has been around for /years/. Just look at the list of affected systems. Some friends and I had stumbled on this a few years ago (yes, and the fact that you can insert yourself as an authoritative nameserver for that domain,) but we figured it was so obvious that it didn't need to be announced. That coupled with the fact that phishing wasn't really as popular back then. But now that the cat is out of the bag, as it were, you definitely want to patch your machines if they have not been. This is mostly dangerous to people who use Nameservers of large ISPs (which admittedly is a large portion of the internet userbase.)

      I guess this is just a wake up call that if you find such large flaws in network systems that could possibly affect millions, if not billions of users, that you should try to get the word out and get the products fixed beforehand.

    9. Re:Here we go... by Anonymous Coward · · Score: 3, Informative

      You can run your own recursive resolver which only talks to authoritative DNS servers. You can configure it to use random source ports if you want to make this attack much more difficult. Then an attacker would have to send you billions of spoofed packets to poison your DNS. That seems a little excessive for exploiting just one user. You could make it even more difficult by rate limiting your resolver (you're its only user after all).

    10. Re:Here we go... by afidel · · Score: 2, Informative

      Heck, MOST of the corporate firewalls don't do the right thing, so even if your clients and DNS server are patched you may STILL be vulnerable! Unless your firewall does transparent port passthrough (IE NAT but not PAT) you are vulnerable. For most firewalls this means you have to put a caching resolver in the DMZ and point internal servers and/or clients to it to be fully protected. Oh and don't forget things like anti-spam appliances, most are pointed directly out to the internet for DNS but not all are out in the DMZ.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    11. Re:Here we go... by afidel · · Score: 2, Informative

      Most large ISP systems are already patched as they were part of the insider group that got the patches before they were publicly announced. As of yesterday Comcast had some unpatched DNS servers and so did AT&T wireless, but those were the only ones I had seen reported as being unpatched.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    12. Re:Here we go... by spankymm · · Score: 4, Informative

      Yes - go read Amit Klein's papers on trusteer.

      Sending only a handful of more carefully calculated responses is also more likely to succeed if the victim is using mitigation techniques such as rate throttling.

      Even using source port randomization doesn't help as much as a lot of people think. You don't get one 32-bit PRNG, you get 2x 16-bit PRNGs. Each of these can be attacked separately. If you could narrow each of these down to 10 likely guesses, you only have to send 100 replies.

      --
      http://cafepress.com/spankymm - for the Masturbating Monkey in you!
    13. Re:Here we go... by ILuvRamen · · Score: 2, Funny

      And also a solar storm can knock out the entire internet and power grid. And at any time we can be hit by a gamma ray burst or a black hole from the LHC can suck us all up. Yeah, internet security is never going to be 100%, DUH! Is it really even worth mentioning?

      --
      Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
    14. Re:Here we go... by Martin+Blank · · Score: 4, Informative

      Where I work, we run the servers through a proxy firewall with a DNS proxy service, and the DNS service on the firewall has been patched for this vulnerability. For traffic run through it, it doesn't preserve source port from the DNS servers, and from a quick glance, the source ports on requests seem to be randomized, so I think from that perspective, we may well be safer even for unpatched servers. However, our setup seems to be the exception, and we may have a couple of other networks (physically and logically separated from the primary) that do not have the benefits of this arrangement.

      --
      You can never go home again... but I guess you can shop there.
    15. Re:Here we go... by MadMidnightBomber · · Score: 4, Funny
      Can someone please send me the HOSTS file for the Internet?

      kthxbye

      --
      "It doesn't cost enough, and it makes too much sense."
    16. Re:Here we go... by Lincolnshire+Poacher · · Score: 2, Interesting

      You made me laugh, but as with all humour there is a grain of truth within.

      Curiously I spent some time yesterday attempting to estimate the number of zones currently known to DNS. Perhaps there is a better approach ( one that, say, inquires against DNS ) but by using Teh Googler to search for site:.${TLD} I came up with these order-of-magnitude results:

      • .com 7,980,000,000
      • .org 1,950,000,000
      • .net 2,140,000,000
      • .info 195,000,000

      These numbers just seem insane. Can anyone advise?

    17. Re:Here we go... by spinkham · · Score: 4, Informative

      Different vulnerability, that tool checks for non-random TXID, not this exploit.
      This exploit changes the game in letting other exploits work well.
      It's not so much a new class of attack, as a way to give you infinite chances to use the old attacks. If you don't have a IPS checking for this, an attacker who can submit recursive queries to your resolver and wants to poising your DNS will eventually be successful. Publicly available tools work in one minute, Dan says coding in C on a fast connection he's able to do it in 10 seconds.
      Has DNS been broken this badly before? Yes, multiple times. However, the will and knowledge of how to use DNS cache poising for further evil is much higher now then it was in the past. Also, we are becoming increasingly dependent on the Internet, and attacks on the infrastructure do more then just keep us from our news sites.
      As Dan says, "Patch. Today. Now. Yes, stay late."

      --
      Blessed are the pessimists, for they have made backups.
    18. Re:Here we go... by spinkham · · Score: 2, Informative

      The best known unpatched attacks really had no upper bound. You got one chance to attack, then had to wait for the records to timeout before you could try again.(usually set from 1 hour to 1 week, depending on the service)
      What this vulnerability does is give you infinite chances to attack with no delay, so you can try 1000 times a second if your connection is fast enough. If you can do that, you will win, and quickly.
      The attacks themselves have not really changed, we can just use them much faster.

      --
      Blessed are the pessimists, for they have made backups.
    19. Re:Here we go... by LostCluster · · Score: 2, Informative

      That's a count of URLs, not domains within each TLD. For example, site:cnn.com accounts for 3,540,000 of your .com results.

  2. Google by bdasd5 · · Score: 5, Funny

    And here I am, thinking I was on Google.

  3. The Book Of Internets, Chapter Three, Verse Twelve by Aussenseiter · · Score: 5, Funny

    And lo, all unpatched websites were rendered unto Goatse.

  4. DNS sploit result by hostyle · · Score: 2, Funny

    %> /usr/bin/treaceroute fruity.stuff

    traceroute to fruity.stuff (1.2.3.4), 30 hops max, 42 byte packets
    evil bit detected. re-routing ...

    --
    Caesar si viveret, ad remum dareris.
  5. Re:The Book Of Internets, Chapter Three, Verse Twe by Bryansix · · Score: 4, Informative

    It doesn't work that way. DNS local servers are either run by a corporation or by your ISP. Either one could be hacked now. So it's not if the website is patched. It is if the DNS server your computer is using is patched.

  6. Re:The Book Of Internets, Chapter Three, Verse Twe by LostCluster · · Score: 4, Informative

    unpatched websites

    Have you been following this story. It's not sites that need the patch, it's DNS servers. Site owners are powerless if the ISPs fail to protect their domain name from the an entry leading to the spoof site's IP address.

  7. I know by Daimanta · · Score: 4, Funny

    I exploited this and let a huge cache of people visit my site(127.0.0.1) in stead of the site they wanted to go. It was kickass.

    --
    Knowledge is power. Knowledge shared is power lost.
    1. Re:I know by Anonymous Coward · · Score: 3, Funny

      HAHA, fool! now that I know your ip address, I shall soon hack you into oblivion!

    2. Re:I know by Anpheus · · Score: 4, Funny

      Don't worry, I just disabled his intern

      [CARRIER LOST]

  8. DNS Glue poisoning was already known... by nweaver · · Score: 2, Informative

    The interesting thing, DNS glue (additional) poisoning WAS known, just not widely. EG, the SECOND hit for "dns glue poison" in Google gets http://lists.oarci.net/pipermail/dns-operations/2006-May/000537.html.

    Quoting Emin Gun Sirer:
    Incidentally, the client should be wary of trusting glue records unconditionally, as they are non-authoritative. A well-known cache poisoning attack works by tricking clients to believe glue records for all time and for all queries. Glue should be trusted for only the lookup in question for only the duration of that lookup. We'll assume that the clients treat glue properly (even though many do not).

    Thus it was already known, two years ago, that trusting Glue records is "well-known cache poisoning attack". Just apparently, not well known enough by the authors of Bind, Microsoft's DNS server, Cisco, etc.

    --
    Test your net with Netalyzr
    1. Re:DNS Glue poisoning was already known... by harlows_monkeys · · Score: 2, Funny

      That's not the attack. Try again.

    2. Re:DNS Glue poisoning was already known... by Anonymous Coward · · Score: 5, Insightful

      Congratulations, you confused the mods. Bailiwick checking was added to all DNS resolvers in response to glue poisoning and made cache poisoning through spoofed glue records very difficult. The current problem is that the typical filter rules are insufficient for stopping a glue poisoning attack which appears to come from the authoritative server: Kaminsky found a way around the glue poisoning countermeasure. This means that a very dangerous kind of attack which was thought to be defeated is now possible again.

    3. Re:DNS Glue poisoning was already known... by szap · · Score: 2, Insightful

      No, but it's a "feature" that makes the attack possible. Turn it off, or make it stricter, and the attack falls apart.

    4. Re:DNS Glue poisoning was already known... by nweaver · · Score: 2, Insightful

      Read the quotation again...

      Emin Gun Sirer: "Glue should be trusted for only the lookup in question[Emphasis added] for only the duration of that lookup.

      This says "No Bailiwick checking at all": glue (additional) records should NEVER be cached. Period.

      --
      Test your net with Netalyzr
    5. Re:DNS Glue poisoning was already known... by blueg3 · · Score: 4, Informative

      It only works because the DNS server caches the result of the glue record, against the recommendation of the above writer.

      The glue record is necessary if, say, you need to provide the address of a nameserver when you provide the name of the authoritative nameserver for a query. You should use that glue record for that query only.

      What happens is that an attacker queries lbixds.google.com (or some other nonexistent domain) and then sends the server he issued that request to a response to that query that also has a glue record giving a false address for ns.google.com. If the DNS server only used that false address for resolving lbixds.google.com, cached lbixds.google.com, and left it at that, then lbixds.google.com would be the only entry the attacker could poison -- basically useless. However, the DNS server caches the glue record giving the address for ns.google.com, too.

    6. Re:DNS Glue poisoning was already known... by Martin+Blank · · Score: 2, Insightful

      Because that's how DNS generally treats requests that fall within the same domain (known as bailiwick protection). The question that you ask has been asked numerous times, and there's certainly good reason to review the logic behind Additional Resource Record handling, but tinkering with DNS is a very tricky thing. A proposed solution may fix the problem, but break other things on a much wider scale.

      --
      You can never go home again... but I guess you can shop there.
    7. Re:DNS Glue poisoning was already known... by blueg3 · · Score: 4, Informative

      So, first part. An attacker is trying to poison a DNS cache. Generally, he'd be interested in poisoning a DNS server that's a caching server for a group of people, like one run by a regional ISP. An efficient way of getting a poisoned record into its cache is to issue a request to that server, and then immediately send a forged response to the server. So, for example, I issue my local nameserver a request for abcd.google.com. It doesn't have this cached (you don't say!), so it starts trying to resolve it. I quickly send it a forge response for abcd.google.com, and it believes me. Transaction IDs make this a slim chance that it'll believe me, but it's still a chance, and I can issue a ton of requests to different fake addresses.

      The answer to the second part is tricky. Basically, say I want to resolve mail.google.com. I have nothing about google.com in my cache. So I contact the nameserver for .com. It isn't authoritative for the google.com domain, but it knows who is, and it tells me so. (Say that it's ns.google.com.) Knowing ns.google.com is the nameserver for that domain is useless without its IP address, so it tacks on a glue record that gives me the address of ns.google.com. Now I can contact ns.google.com to ask it the IP of mail.google.com.

      Originally, these records were just accepted. This is a huge security hole: I could request bob.domainiown.com, send a legitimate response (I control domainiown.com), and tack on a record telling them where ns.google.com is, even though I'm not authoritative for that. Now, such a record can only be attached to a request that is in the same domain, so I need to ask for bob.google.com to attach an ns.google.com record, which requires me to forge a response.

      There are a number of situations where these auxiliary records are necessary, so they can't just be ignored. However, they shouldn't be cached -- they should be used only for the one request that generates them.

    8. Re:DNS Glue poisoning was already known... by szap · · Score: 3, Informative

      Maybe it wasn't clear, but I was going to echo nweaver's reply:

      glue (additional) records should NEVER be cached. Period.

      djbdns's total lack of support for glue records (IIRC) is one of the reasons it's one of the few old dns software not vulnerable. And that's the point I was trying to drive: the glue records feature made the cache poisoning possible -- I just read the exploit code, and it uses Additional Section to inject the malicious entry. Without this feature, like in djbdns, the exploit wouldn't work.

      Yeah, I should have said "don't cache glue records", not "make it stricter" mea culpa.

  9. Re:And the "fix" isn't by cortana · · Score: 3, Interesting

    The fix is DNSSEC.

  10. Re:CONFIRMED: Steve Jobs has AIDS !! by DurendalMac · · Score: 3, Funny

    For fuck's sake, whoever is DDoSing 4chan needs to stop already! The tards have spread out and are trolling the whole internet. At least the 4chan cesspool kept them all mostly in one place. Now they're left with nowhere to go and are taking their idiocy all over the internet!

  11. See if you're vulnerable by neokushan · · Score: 4, Informative

    There's a tool on the site below that apparently checks if the DNS you're currently using is vulnerable to such an attack. I checked my work DNS and my home DNS - both were fine. Apparently OpenDNS is secure as well, so there's probably nothing to worry about.

    http://www.doxpara.com/

    --
    +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
    1. Re:See if you're vulnerable by maXXwell · · Score: 5, Informative

      The DNS OARC (http://dns-oarc.net) has an improved version:

      http://entropy.dns-oarc.net/test/

    2. Re:See if you're vulnerable by AnyoneEB · · Score: 2, Informative

      He also links to a way to check from the command line: porttest.dns-oarc.net -- Check your resolver's source port behavior. That method also allows you to test DNS servers other than the one you are using, so it provides a simply way to tell if your ISP has fixed their servers yet without changing your own config. The sidebar on doxpara just shows a 404 for me.

      --
      Centralization breaks the internet.
    3. Re:See if you're vulnerable by gQuigs · · Score: 3, Informative

      So.. What's their IP?

      It looks like 66.240.226.139 to me...

    4. Re:See if you're vulnerable by afidel · · Score: 2, Interesting

      Yeah, they're probably behind a firewall with PAT since Verizon was one of the ISP's involved in the private patch effort AFAIK. The problem is the DNS client/server patches are broken most firewalls and this was not known till people started testing after the patches were publicly released. You can use OpenDNS or L3's resolvers as I know those are patched and NOT behind a PAT firewall and are publicly available.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    5. Re:See if you're vulnerable by geminidomino · · Score: 2, Insightful

      Doesn't OpenDNS fail to properly return NXDOMAIN results, or is that another service (I've not slept in >24 hours, so I could be mistaken.)

  12. Re:I can't contact ftp.debian.org this last 2 days by Vectronic · · Score: 3, Informative

    try http://ftp.debian.org/

    for a bit more info:
    http://wiki.debian.org/ftp.debian.org

  13. Re:The Book Of Internets, Chapter Three, Verse Twe by rs79 · · Score: 3, Insightful

    Um... even if you run your own caching server, if your ISP runs a "transparent" web proxy it will do its own dns. You may in fact run DJB which is immune from this bug, but if your ISP runs an unpatched dns server you'll still be scrod despite running your own caching server.

    Slick huh?

    They need to take the dns lookup out of the web proxies.

    --
    Need Mercedes parts ?
  14. More edifying than TFA's script by laburu · · Score: 3, Informative

    Cédric Blancher's annotated command-line exploration of the “in-bailiwick” DNS vulnerability

  15. Use djbdns! by Neanderthal+Ninny · · Score: 2, Interesting

    Even though it is not as popular as BIND but djbdns doesn't have this vulnerability. Remember Dan J Bernstein had the original idea in 2002 about this issue and Dan Kaminsky and Paul Vixie looked into this and found these vulnerabilities.

    1. Re:Use djbdns! by PlusFiveTroll · · Score: 2, Interesting

      6 root root 4096 2002-10-11 11:10 dnscache

      That list my oldest still running djb dnscache install, yes the kernel and glibc have been upgraded around it. The mail server it's on has handled 750k messages per day. Does rdns lookup on smtp connections from servers, from our tests almost every valid smtp mail source has a reverse dns name of some sort. Spambots virus are the largest amount of mail from unnamed IPs.

      This being said, if your running out of file descriptors you probably have one of the following issue.
      -Linux kernel 2.4, Solaris or AIX. (recent bind beta fixes most of this)
      -Messed up ulimit settings.
      -Poorly engineered dns caching network.

      Trying to run all your clients on a few 'big/fast' caching servers in general is a poor design that uses more bandwidth (to contact the centrally located dns server) and puts the entire userbase at risk if one of the caches does become poisoned. The cable company I worked with realized this years ago and distributed the dns load to each market with at least two dns servers in each city, then more per 'area' as the customer base grew. The boxes were diskless with an extremely stripped linux/glibc installs with dnscache, SSH, and SNMP support. No hard disks let these servers run more like an appliance, they were easily switched out, and rarely suffered failures. Just put the new numbers for the node in the dhcp server and over the period of a day or so as the dhcp clients renewed the load balanced out.

      As per D.J.s security suggestions, only ip addresses that belonged to their networks could resolve off the cache. This is significant as many large ISP currently allow anyone to resolve DNS off their networks. Which in the current security context no trickery or fishing is necessary to poison an ISPs cache. A hacker anywhere in the world could poison the cache at their leisure.

      They used Bind on there authoritative nameservers, since it fit in with their toolchain, but they turned off the forwarding mode so queries outside of the servers scope would not be resolved.

      It's been awhile since I worked there, but I'm sure someone from the network security department after reading the news, called a meeting on how they were going to deal with this issue. I'm sure he may have been surprised when the answer was 'We fixed that 5 years ago'. It's funny, a lot of people wrote off D. J. Bernstein, not because of what he said, but how he said it. Time has now shown he was right, and even Paul Vixie admitted that he was wrong.

    2. Re:Use djbdns! by PlusFiveTroll · · Score: 2, Insightful

      Cryptography is not magic.

      While I don't expect the AC to read this, it lays out why we are not going to see DNSSEC for some time. http://www.internetnews.com/security/article.php/3758566/Is+DNSSEC+the+Answer+to+Internet+Security.htm

      http://en.wikipedia.org/wiki/DNSSEC is also suprisingly good with a lot of easy to read information, and includes why the current DNSSEC specs may open up more security risks.

      example1 >Note that someone could deliberately or inadvertently cause a degradation of service by sending large number of queries for uncached RRs, for example, traversing the NSEC RR chain for a large TLD.

      example2>DNSSEC forces the exposure of information that by normal DNS best practice is kept private. NSEC3 drafted in march 2008 may correct this.

      Also, most people don't realize that DNSSEC is not an end-to-end security mechanism. It only protects DNS data between an authoritative name server and a caching name server. Currently no operating system resolver libraries that I know of verify that the caching server is providing legitimate results to DNSSEC protected domains. Until your OS or applications provide DNSSEC support, running your own DNSSEC enabled cache is the only way to currently protect your dnssec queries from being forged.

  16. Re:The Book Of Internets, Chapter Three, Verse Twe by blincoln · · Score: 3, Insightful

    They need to take the dns lookup out of the web proxies.

    The problem with doing that would be that it would then be impossible (at least using current DNS software, as far as I know) to allow clients on an internal network to have limited internet access without allowing them to perform DNS tunneling (and thereby upgrade their internet access to "full").

    Once someone (anyone?) releases a DNS package that allows firewall-style rules (e.g. "client on this range of IPs may only resolve subdomains of the following domains...", "clients may only look up X distinct subdomains each of Y domains every Z hours" then the picture would probably change.

    --
    "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
  17. Re:And the "fix" isn't by _Knots · · Score: 4, Interesting

    DNSSEC is a steaming pile, though after thirteen years, many RFCs -- each of which read "This Time For Sure!" -- it may in fact be workable.

    It is _a_ fix to this problem, but there are many simpler fixes that seemingly are being discarded for reasons I don't quite understand -- perhaps more full threat models are the target problem, but securing DNS doesn't make sense if we're then going to use HTTP to the addresses resolved! On the flip side, if we were using TLS everywhere, then dicking with DNS amounts to a DoS, which is much less powerful than the arbitrary redirection attacks we have now.

    One such simpler fix is using EDNS0 to add a nonce RR (goes out in the Query, comes back in the Additional section). And while EDNS0 is subject to rollback attacks, DNSSEC depends on EDNS0. So that's not an excuse not to use it.

    --
    Anarchy$ dd if=/dev/random of=~/.signature bs=120 count=1
  18. BIND is not a demon by DragonHawk · · Score: 2, Informative

    it's an acronym for "Berkeley Internet Name Daemon"

    Actually, BIND stands for "Berkeley Internet Name Domain". Berkeley did the seminal work for the original DNS implementation, and that's what they called their idea. BIND is a suite which includes a stub resolver, some utilities, and named (name daemon). (Along with some other stuff, now.)

    If you want to get fancy, "ISC BIND named" is the proper name of the software we're talking about. ISC is the company, BIND is the product, named is the program.

    See: http://www.isc.org/sw/bind/index.php

    --

    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.
  19. BIND 9 named views for access control by DragonHawk · · Score: 3, Interesting

    Once someone (anyone?) releases a DNS package that allows firewall-style rules (e.g. "client on this range of IPs may only resolve subdomains of the following domains..."

    I think you might be able to do that with the "views" feature of ISC BIND v9 named, although I've never tried. I know you can define ACLs for clients and control how they see the DNS using the ACL. You should be able to define forwarding zones for the domains you want to work, and blackhole everything else. I think.

    http://www.isc.org/sw/bind/arm93/Bv9ARM.ch06.html#view_statement_grammar

    --

    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.
  20. Unclear on the concept by DragonHawk · · Score: 2, Insightful

    Oh noes, the world is going to crash down around us! Just saying, why overreact?

    A problem you ignore will have full impact. A problem you prepare for and take counter-measures against is prevented from having a serious impact. That's the whole point.

    We spent great effort fixing Y2K bus, thus prevented the bugs from causing serious damage. Therefore, you conclude, we should not have fixed the Y2K bugs.

    I guess, since seat belts have saved lives, we should not wear them.

    Get it now? :-)

    --

    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.
  21. Use OpenDNS if your ISP is vulnerable by duplicate-nickname · · Score: 5, Informative

    I used one of the tests below and found that my ISP's DNS servers were vulnerable. Now I am using the OpenDNS servers on all of my clients instead:

    208.67.222.222
    208.67.220.220

    Their servers are not vulnerable, and you can create an account to enable things like antiphishing at the DNS level (much better idea then a browser plug-in).

    If you find that your ISP's routers are vulnerable, your best bet is switch to OpenDNS...or just run your own caching server.

    --

    ÕÕ

  22. Microsoft's hamfisted "patch" by bizitch · · Score: 4, Informative

    In case anyone is dumb enough to use a Microsoft DNS server as a authoritative internet DNS server -

    MS has released two lovely patches -

    KB951746 and KB951748

    The problem with this fix is that it turns the DNS.EXE daemon into a UDP socket grubbing whore.

    After the patch, the DNS.EXE daemon grabs no less than 2500 freaking UDP sockets.

    This wreaks havoc on anything that - you know - needs UDP sockets on the same server.

    So far Zonealarm, Blackberry BES and Sphericall VOIP software all break with this "patch"

    Stay tuned for more fun to come ...

    --
    ---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
    1. Re:Microsoft's hamfisted "patch" by Phroggy · · Score: 2, Informative

      ZoneAlarm breaks in the sense that it thinks Microsoft's new DNS resolver is behaving like malware and should therefore not be trusted. ZoneAlarm has a ridiculous little slider with three security levels marked "High", "Medium" and "Low"; if you set it to "High" (as recommended), you can't resolve DNS.

      ZoneAlarm has released a patch to work around the problem. You can set your security setting to "Medium" while you download the update.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  23. help all the SOHO router people by paulbd · · Score: 2, Interesting

    so, there are a lot of us in the following position, no doubt: we run a router (linksys, whatever) that gets DNS from our ISP. lets assume that the ISP is patched. our local machines use the router for DNS. do we need to patch the router? are its DNS request services even accessible to the external network? can it be compromised in the same way that the ISP DNS could be? i have been wondering this ever since news of this problem broke, and i have still not seen a clear answer.

    1. Re:help all the SOHO router people by profplump · · Score: 2, Informative

      Generally the proxy on a SOHO router runs as a forward-only cache (or even just a simple proxy) to your ISP's DNS. As such it's really your ISP's DNS that is or isn't vulnerable, because you aren't ever going to see records from anyone else, nor will anyone else know you're asking for them.

      The test listed above -- http://entropy.dns-oarc.net/test/ -- will let you know what the rest of the world sees as your DNS source address, and whether or not that source is sufficiently randomized.

    2. Re:help all the SOHO router people by blueg3 · · Score: 3, Informative

      Most of these routers don't run caching, recursive resolvers -- they just forward the request to your ISP's DNS server. As such, they are immune.

    3. Re:help all the SOHO router people by Cato · · Score: 2, Informative

      Mod parent up! Home broadband/WiFi routers may well be vulnerable unless you've specifically checked.

      Unless you've checked the internals of your home router and whether it's using the wrong sort of DNS proxy/cache, I recommend *everyone* with a home router switches their client computers to using OpenDNS, so it's Windows/Mac/Linux directly requesting DNS services from OpenDNS. (If you have DHCP for your clients at least you only need to change the router, but any laptops should also explicitly use OpenDNS in case a WiFi hotspot has unpatched DNS.

      Then you can take your time about updating the router firmware. I happen to run DD-WRT and this doesn't yet have a patched version of dnsmasq - for some reason the author of dnsmasq wasn't included in the insider group that patched non-embedded OSes, Cisco/Juniper routers, DNS servers, etc.

  24. Re:The Book Of Internets, Chapter Three, Verse Twe by QuoteMstr · · Score: 2, Insightful

    Yes, DJB "recognized" the problem by lobotomizing DNS, and he refuses to consider what will solve the problem once and for all, DNSSEC. Right...

  25. Re:And the "fix" isn't by pfleming · · Score: 2, Funny

    Setec Astronomy

  26. Re:The Book Of Internets, Chapter Three, Verse Twe by rs79 · · Score: 2, Interesting

    If you want to support verisign forever, go with dnssec.

    --
    Need Mercedes parts ?
  27. NAT routers by smash · · Score: 3, Informative
    Be aware that if you patch your DNS server, and it sits behind a NAT that forwards requests, its possible that you are still vulnerable. Would suggest using one of the available tools, (eg on www.doxpara.com) to check your DNS, and if required/possible update your NAT firewall as well.

    Simply patching your DNS server may not be enough.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  28. Test your own server by Akardam · · Score: 4, Informative

    A Google search revealed this way to test specific DNS servers from the command line (in case you're using a DNS server other than the one that's authoritative for the netblock you're in):

    Good:
    $ dig +short @208.67.222.222 porttest.dns-oarc.net txt
    z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
    "208.67.222.222 is GOOD: 26 queries in 0.1 seconds from 26 ports with std dev 17746.18

    Poor:
    $ dig +short @206.13.28.12 porttest.dns-oarc.net txt
    z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
    "206.13.28.13 is POOR: 26 queries in 0.2 seconds from 1 ports with std dev 0.00"

    More discussion on this method here:
    http://www.dslreports.com/forum/r20759262-CERT-VU800113-DNS-Cache-Poisoning-Issue~start=20

  29. Re:CONFIRMED: Steve Jobs has AIDS !! by Ant+P. · · Score: 2, Funny

    The idea of /b/ spreading outside of 4chan terrifies me more than the thought that my DNS might get hijacked, TBH.

  30. Re:Help Please by totally+bogus+dude · · Score: 2, Funny

    Unfortunately it.slashdot.org has already been poisoned; you actually posted that request to an elaborate mock-up of the real slashdot, and the replies are coming from l33t hackers who are supplying you with false DNS servers which currently appear to work correctly.

    You'd best disconnect from the internet and burn your computer. It's the only way to be sure.

  31. Re:DNSSEC today by slash.duncan · · Score: 2, Interesting

    What you've apparently missed (as you mentioned .org but not this) is that the .org folks (PIR) just got ICANN board approval to deploy DNSSEC at their gTLD level. This occurred at the 32nd Annual ICANN meeting in Paris (in June, I believe). Apparently PIR has been pushing DNSSEC for some time and is pretty much ready to go, altho it'll still take some time to actually get up and running.

    Here's one informative link I found on Google. Google for dnssec .org icann for more:

    http://blog.nominet.org.uk/insight/2008/06/icann-paris-dnssec/

    --
    Duncan
    "Every nonfree program has a lord, a master,
    and if you use the program, he is your master."
    R Stallman
  32. Re:And the "fix" isn't by Anonymous Coward · · Score: 3, Informative

    "DNSSEC is a steaming pile"...

    Yes! Unfortunately this is completely and utterly true. Unlike many of the great crypto tools we have available to us (ssh, pgp, https), DNSSEC increases complexity by an order of magnitude.

    Watch as you lose the ability to effectively block full zone transfers from your domain name since DNSSEC requires NSEC records, which are essentially a linked list of all your zone entries!

    Be amazed when you find out that you need to run a cron job to sign all of your zone files every 15 days!

    Become aghast when you find out that you then need a second cron job, running on an alternate server, that runs a script that checks all your zone files for signature expirations.

    Become horrified when you find out that a properly validating DNSSEC caching server will block domains with expired signatures with NXDOMAIN, since there were only four choices in the existing DNS protocol and that response was the least bad.

    Smirk as you find out that virtually no one at all is using DNSSEC. Run `dig nsec $DOMAIN` against some well known DNS zones, and find that practically no one (except for the ISC) is using it.

    Since there are political problems with the key signing heirarchy, ISC is setting up an alternate place to put your higher level keys in their DLV registry. .com and .net are not going to be implementing DNSSEC.

    I have gone through and encrypted everything I could on my servers recently. I attended a presentation by ISC about how great DNSSEC is. I came away convinced that it was a lot of hot air, and that ISC was trying to sell the Internet a bill of goods. DNS isn't perfect, but DNSSEC is a half baked solution that virtually no one wants, and I frankly can't ever see it ever becoming popular in anything approaching its current form. Not ready for prime time... back to the drawing board guys!