Security Advisory: DNS Protocol Defect 1

[chipperMDW]

I haven't yet seen anything in this forum regarding the recently discovered vulnerability in DNS. Considering the scope and nature of this thing, I think a warning is in order.

Dan Kaminsky has discovered a serious flaw in DNS. Cache poisoning is easier than previously believed, and exploits have already been released since the issue became public. Here is a fairly good explanation of the problem; the short-term solution is to have resolvers use randmized source ports. Here are some resources to help test your setup.

In short, patch or upgrade your DNS servers, bother your ISPs to fix the issue on their servers if they haven't already, and bother your NAT device vendors to distribute fixes for your NAT devices (which likely negate any source port randomization you do inside the NAT-ted zone).

I'm amazed this isn't getting the publicity it deserves; many people are vulnerable to this and aren't going to know about it.

 

[GlenJohnson]

chipperMDW is correct, things are a bit dicey. This is from Security Focus I'm not paying bills over the net for a bit till I'm sure things have been patched.

Glen A Johnson
Microsoft Certified Professional

http://www.pickensplan.com/

 

[smah]

FWIW, Dan Kaminsky has a checking tool on his blog.

http://www.doxpara.com/

 

[MasterRacker]

There's quite a bit on this in Bruce Schneier's blog and the related discussion:

http://www.schneier.com/blog/archives/2008/07/the_dns_vulnera.html#comments

_____
Jeff
[small][purple]It's never too early to begin preparing for [/purple]International Talk Like a Pirate Day
"The software I buy sucks, The software I write sucks. It's time to give up and have a beer..." - Me[/small]

 

[chiph]

Thanks for the link, smah. Looks like TimeWarner in my area has applied the patch (ports are random).

Chip H.


____________________________________________________________________
www.chipholland.com

 

[lhuegele]

Please note that the vulnerability has been known for some time. The only thing new is that some researcher was able to exploit it (quite easily) for the first time, and because it is a vulnerability in the DNS protocol itself, the impact hits everyone.

It didn't take long for someone to use the exploit. AT&T was already hit with an exploit.

If you haven't done so, patch patch patch your DNS servers!

 

[stfaprc]

There is no updated rpm for RedHat Enterprise 5 ?
Is RedHat preventing people from publishing rpm's for RHE5 ?

If one for whatever reason can not update the BIND, you can work around the problem by using the "forward only;" option in the named.conf file and then having a good forwarder listed (check out OpenDNS). This has the side effect of slowing down lookups a bit (anyone know how to have the forward only option in effect for certain zones?)