Slashdot Mirror

← Back to Stories (view on slashdot.org)

Attack Code Published For DNS Vulnerability

Posted by samzenpus on from the protect-ya-neck dept.

get_Rootin writes "That didn't take long. ZDNet is reporting that HD Moore has released exploit code for Dan Kaminsky's DNS cache poisioning vulnerability into the point-and-click Metasploit attack tool. From the article: 'This exploit caches a single malicious host entry into the target nameserver. By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing target nameserver to insert the additional record into the cache.' Here's our previous Slashdot coverage."

7 of 205 comments (clear)

  1. Google by bdasd5 · · Score: 5, Funny

    And here I am, thinking I was on Google.

  2. The Book Of Internets, Chapter Three, Verse Twelve by Aussenseiter · · Score: 5, Funny

    And lo, all unpatched websites were rendered unto Goatse.

  3. Re:Here we go... by Martin+Blank · · Score: 5, Interesting

    You may still not be safe. If someone can fire off a XSS attack through your browser, it could do enough lookups to make you vulnerable. Combine this with a periodic other run to a controlled server to grab your source port for guessing (presuming that you have not patched), and you may have a problem.

    Granted, it's unlikely that you would explicitly be targeted, and things like NoScript help defend against it, but there are still possible gaps. In fact, there are several tens of million of systems which will remain vulnerable for some time to come; I haven't seen many SOHO router firmware fixes released so far, and a lot of people point to their routers for their DNS.

    --
    You can never go home again... but I guess you can shop there.
  4. Re:DNS Glue poisoning was already known... by Anonymous Coward · · Score: 5, Insightful

    Congratulations, you confused the mods. Bailiwick checking was added to all DNS resolvers in response to glue poisoning and made cache poisoning through spoofed glue records very difficult. The current problem is that the typical filter rules are insufficient for stopping a glue poisoning attack which appears to come from the authoritative server: Kaminsky found a way around the glue poisoning countermeasure. This means that a very dangerous kind of attack which was thought to be defeated is now possible again.

  5. Re:See if you're vulnerable by maXXwell · · Score: 5, Informative

    The DNS OARC (http://dns-oarc.net) has an improved version:

    http://entropy.dns-oarc.net/test/

  6. Re:Here we go... by Anonymous Coward · · Score: 5, Insightful

    Yes, there was. Before there was bailiwick filtering, spoofing was even easier. Back in the days, DNS servers would even accept "responses" with bogus data out of the blue. We've come a long way and we don't stop here. A patch of bad weather is ahead, but the sky is not falling.

  7. Use OpenDNS if your ISP is vulnerable by duplicate-nickname · · Score: 5, Informative

    I used one of the tests below and found that my ISP's DNS servers were vulnerable. Now I am using the OpenDNS servers on all of my clients instead:

    208.67.222.222
    208.67.220.220

    Their servers are not vulnerable, and you can create an account to enable things like antiphishing at the DNS level (much better idea then a browser plug-in).

    If you find that your ISP's routers are vulnerable, your best bet is switch to OpenDNS...or just run your own caching server.

    --

    ÕÕ