Ten Percent of DNS Servers Still Vulnerable

maotx writes "Even with the uproar caused by the recent DNS attacks, a recent study shows that roughly 10% of 2.5 million DNS servers show that they are still vulnerable to DNS cache poisoning. To put that a little bit more in perspective, of that 10% discovered, 230,000 were identified as potentially vulnerable, 60,000 are very likely to be open to this specific type of attack, and 13,000 have a cache that can definitely be poisoned." From the article: "The use of DNS cache poisoning to steal personal information from people by sending them to spoofed sites is a relatively new threat. Some security companies have called this technique pharming."
  • by Kainaw ( 676073 ) on Thursday August 04, 2005 @12:49PM (#13241275) Homepage Journal
    Why is it that the Admins can't take it upon themselves to keep their software updated with the latest patches?

    You are assuming the fix is a patch. I get vulnerability reports for my servers every week. The issues are never patches because I check for new patches every day. I get vulnerabilities that have no patch of any kind, yet I'm expected to somehow rewrite all of the software on the computer to fix the vulnerability. If I could do that, I wouldn't be working here. I assume that I am in the same position as most admins, I have to wait for the patches to come out and hope nothing bad happens while I'm waiting.
  • Not Surprising (Score:2, Interesting)

    by cmdrTacyo ( 899875 ) on Thursday August 04, 2005 @12:51PM (#13241295) Journal
    This is not surprising at all, especially considering the history of DNS and its mainframe components. They will always be vulnerable, especially for people who do not have the proper PPS setup. I wouldn't be surprised if it's more than 10%.

    It's tacyo YO!
  • by cybersaga ( 451046 ) on Thursday August 04, 2005 @12:54PM (#13241365) Homepage
    Well, the Admins cannot be blamed entirely in the Cisco case. Cisco was blamed for not pushing the importance of that patch.

    While, in a perfect world, admins should immediately be on top of every new patch, if I noticed a patch that I thought was just a couple of minor bug fixes, it would go on the end of the "whenever I have time" list.
  • by kossak ( 905158 ) on Thursday August 04, 2005 @01:34PM (#13241924)
    DNS Cache Spoofing is not the only nasty trick available to DNS hackers; there is a (still) relatively unknown vulnerability affecting the vast majority of nameservers today, and one that is not easily resolved by patches alone.

    Check out my paper about this; it's called DNS Cache Snooping [sidestep.pt], and it allows for a bunch of interesting tricks. It affects most DNS Server/Cache combination implementations and is triggered by an extremely common misconfiguration, one that allows the whole of the internet to use a given DNS server as their primary DNS server.

    Luis Grangeia
  • Email redirection (Score:4, Interesting)

    by Deanalator ( 806515 ) <pierce403@gmail.com> on Thursday August 04, 2005 @01:36PM (#13241959) Homepage
    DNS cache poisoning doesn't stop at tricking people out of their money. At defcon Kaminsky also showed how it can easily be used to do things like email misdirection, which I think is much more of a big deal.
  • by Malor ( 3658 ) on Thursday August 04, 2005 @01:50PM (#13242144) Journal
    I'm confused about this one too. This is what I THINK is going on with this exploit. Hopefully, someone who ACTUALLY knows will correct my mistakes. :)

    One of the possible ways to set up a DNS server is as a 'forwarder'. This means that it doesn't do lookups itself, but rather passes all DNS requests to another machine, gets replies, and then sends replies to the clients. One reason you might do this would be to distribute DNS load in a big ISP; you have a few machines that do the actual outbound DNS determination, and then the cache ripples back to the servers that are actually talking directly to the clients. DNS is fairly low-load, relatively speaking... this architecture would date from when everyone was deploying 50 MHz machines as servers. I'll call the local BINDs 'caching' servers, and the one doing the actual lookups on the internet the 'point' server.

    So in and of itself, this architecture isn't a problem. But one of the features of the DNS protocol is that any server can send back more data than what was actually asked for, even data that is totally unrelated to the main query. Caching BIND servers by default trust their point server. And, when functioning as a point forwarder, BIND4 and BIND8 apparently just pass along queries they receive without checking them. The point BIND assumes that the caching BINDs are checking, while the caching BINDs assume the point BIND is checking, and the packet never gets checked for sanity at all.

    So Joe Hacker snoops around... he tries to find DNS servers on your network. Once he finds one, he queries it for a name in a domain he controls. (or he initiates a connection to a webserver on the same machine, which may cause the same DNS lookup). He watches for the request to his DNS server coming from a DIFFERENT machine. That often indicates a forwarder configuration.

    So he waits for his cached info to expire, and does it again... except this time, his reply packet includes extra information, "Oh, by the way, www.microsoft.com is on joes.evil.server.here." If BIND4 or BIND8 is functioning as the master lookup in a forward configuration, it just passes along the packets it receives. And when BIND is in a SLAVE configuration, it just trusts what it gets from the forwarder. So suddenly, your whole network is connecting to joes.evil.server.here instead of www.microsoft.com. And if it doesn't work, oh well, next DNS server... this is a very low-profile attack. You have to really be LOOKING for it to be able to see it.

    Apparently, the workarounds are A) don't use a forwarder configuration. There's no real need for this anymore; even a cheap 1 GHz machine with a gig or so of RAM will serve tens of thousands of clients. B) if you MUST use a forwarder, use BIND9 (or, presumably, DJBDNS) as your 'point' machine. BIND9 does sanity checking when it's on point.

    Hopefully I got this right. I haven't been paying much attention to this before, because I (rightly) didn't think it affected me. If I'm wrong, PLEASE correct me, I hate to spread misinformation.
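The "sanity checking" Malor describes (a resolver refusing to cache records that fall outside the zone it actually asked about, usually called a bailiwick check), as an added example that is not part of any comment on this page: a small dependency-free Python parser that splits a DNS response into in-bailiwick records to keep and out-of-bailiwick records to drop. The response packet, the zone name evil.example and the addresses are constructed for the demonstration.

```python
import struct

def _read_name(msg, off):
    """Decode a DNS name at msg[off:], following compression pointers."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if jumped else off)

def in_bailiwick(name, zone):
    """True if name is the zone itself or lies beneath it."""
    return name == zone or name.endswith("." + zone)

def filter_response(msg, zone):
    """Parse a DNS response; return (kept, dropped) lists of
    (section, name, rtype, rdata) tuples after the bailiwick check."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                       # skip the question section
        _, off = _read_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    kept, dropped = [], []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = _read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rec = (section, name, rtype, msg[off:off + rdlen])
            off += rdlen
            (kept if in_bailiwick(name, zone) else dropped).append(rec)
    return kept, dropped

def _name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"

# Constructed response for lookup.evil.example that smuggles an unrelated
# additional A record for www.example.com (the poisoning payload).
RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
            + _name("lookup.evil.example") + struct.pack("!HH", 1, 1)
            + _name("lookup.evil.example") + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 5])
            + _name("www.example.com") + struct.pack("!HHIH", 1, 1, 86400, 4) + bytes([203, 0, 113, 5]))
```

Calling `filter_response(RESPONSE, "evil.example")` keeps only the answer for lookup.evil.example and drops the additional record for www.example.com, which is exactly the record a pass-through forwarder would otherwise hand to its caching servers.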
  • Hardly New (Score:3, Interesting)

    by DynaSoar ( 714234 ) * on Thursday August 04, 2005 @01:59PM (#13242272) Journal
    We were fighting people doing this 10 years ago. Some of the second-gen (meaning they used at least some technology rather than outright and direct use as is) usenet spammers and flooders and email spammers were doing it. The new uses to which this is being put are news, but DNS poisoning is not. IIRC, the icq.net servers were so compromised after having been bought out by AOL and put to new use.

    I'm betting there's still a problem with admins that don't want it fixed, because they have given permission, or worse, for their servers to be used thus with some plausible deniability. Arranging this was the origin of the second-gen spammers.
  • by Blkdeath ( 530393 ) on Thursday August 04, 2005 @02:12PM (#13242453) Homepage
    Run your own DNS server.

    Sure. But if you use forwarders who run BIND4/BIND8 you've still got the same problem. If you're connecting directly to the root servers you're contributing to their unnecessary overload and bypassing the hierarchical nature of the DNS system.

  • Re:DJBDNS -- rocks (Score:3, Interesting)

    by demon ( 1039 ) on Thursday August 04, 2005 @02:44PM (#13242827)
    If you think that DJBDNS is as good as it gets, you really need to check out http://www.powerdns.com/ [powerdns.com]. We switched to it at work (I pushed it, really), and I wrote a nice custom web-based frontend so our customers can manage their DNS domains independently - they can even create new ones as necessary. It's taken DNS out of the "necessary evil" realm, and brought it into a realm of being a "useful service". I recommend it heartily.

    (No, I'm not a developer or otherwise affiliated with the project - just a very satisfied user.)
  • The internet license (Score:5, Interesting)

    by erroneus ( 253617 ) on Thursday August 04, 2005 @03:30PM (#13243328) Homepage
    I think there should be an internet user license program. I know it smells like some way of identifying people and all that, but it doesn't have to be any more than a driver's license does at present.

    I'm thinking of something along the lines of a radio operator's license with different levels and qualifications and all that. Then people who are said to be administrators of web hosts and stuff like that would be required to possess a certain level of knowledge (and potentially a certain level of pay?) and ability. If it is shown that they do not demonstrate the proficiency required for some reason, then their license should be revoked or downgraded.

    Furthermore, certain levels of internet "safety" and "security" ratings should be given to all software, firmware and hardware products that run on the public internet. The consumers can be better aware of the quality of the products they use on the internet. (Examples might include a rating for MSIE having a lower security rating than Firefox because of that whole ActiveX thing... or a Linksys firewall/router giving the users behind it a certain rating of security over a Windows box connected directly to the public internet.)

    Not only would we be able to leverage these sorts of licenses and ratings to have a better and safer internet, but we would be able to have a more conscious set of consumers who just might be able to look at the label to determine that product A is better than product B. They will no longer need to get an education in how the internet works just to get their home computers on the net... and we'll be less likely to deal with all those spambots and zombies out there as well.
