itwbennett writes "The percentage of devices on the Internet that are configured to accept DNS queries from anywhere — what networking experts call an 'open recursive' or 'open resolver' system — has jumped from around 50 percent in 2007 to nearly 80 percent this year, according to research sponsored by DNS appliance company Infoblox. As more consumers demand broadband Internet, service providers are rolling out modems configured this way to their customers, said Cricket Liu, vice president of architecture with Infoblox. Georgia Tech researcher David Dagon agreed that open recursive systems are on the rise, in part because of 'the increase in home network appliances that allow multiple computers on the Internet. ... Almost all ISPs distribute a home DSL/cable device. Many of the devices have built-in DNS servers. These can sometimes ship in "open by default" states.' What's worse, says Dagon, is that many of these devices do not include patches for a widely publicized DNS flaw discovered by researcher Dan Kaminsky last year."
Why would a cable/adsl modem have an open recursive DNS server? There's not a single reason for that - either use your ISP's autodefined DNS servers, change them to something else or set up your own.
Devices like this should only accept DNS requests from the local network (not from the Internet) and should, unless explicitly configured to perform recursive queries, forward them to the ISP's cache.
Why would a cable/adsl modem have an open recursive DNS server? There's not a single reason for that - either use your ISP's autodefined DNS servers, change them to something else or set up your own.
They don't. What the article is trying to say is that many ISPs are now distributing routers, either stand-alone or as a modem/router combo unit, which are almost always set to the ISP's DNS servers and not just hanging wide open as the article is claiming. Hell, most of these don't have the capability to do more than support either a hardcoded DNS number, or auto-learn it from the cable company's CMTS. I have never seen one that will just take updates from 3rd party DNS, although there is a possibility if t
"Why would a cable/adsl modem have an open recursive DNS server?"
Why not? In fact, why shouldn't any DNS server out there be open to recursive searches? I know why I don't want an open resolver on my facilities and I know why buggy software shouldn't be open to the Internet, but that is not what I'm asking.
Actually most routers don't have a fully recursive server - they have a "proxy" (or "forwarder").
See my RFC 5625 [ietf.org] for more details, and some explanation for why the router even has this feature. The short answer is that it's so that the router can give a consistent DHCP OFFER before it knows what the upstream DNS servers are. See also slides I presented at the IETF DNSOP working group last week: http://tools.ietf.org/agenda/76/slides/dnsop-5.ppt [ietf.org]
If the proxy is open on the WAN port then it'll forward all q
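To make the distinction in the post above concrete, here is an added example written for this page (it is not code from RFC 5625 or from any router firmware) of the one policy a home-router DNS proxy must apply before forwarding anything upstream: serve the LAN, never the WAN. The LAN prefix 192.168.1.0/24, the upstream address 192.0.2.53 and the 50 queries/second per-client budget are assumptions. WAN sources get no reply at all, and a LAN client that is over budget gets a REFUSED that is never larger than its query, so the proxy cannot be turned into a reflector from either side.

```python
# Added example (not from RFC 5625 or any router firmware): the policy a
# home-router DNS proxy must apply before forwarding a query upstream.
import ipaddress
import socket
import struct
import time

LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumed LAN prefix
UPSTREAM = ("192.0.2.53", 53)                        # assumed ISP resolver (TEST-NET-1 address)
QUERIES_PER_SEC = 50                                 # assumed per-client budget


def is_lan_client(src_ip: str, lan_nets=LAN_NETS) -> bool:
    """True only for sources inside the LAN prefixes. A WAN source never gets
    a lookup, which is what keeps the box off the open-resolver lists."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in lan_nets)


def _question_end(query: bytes) -> int:
    """Offset just past the first question (QNAME + QTYPE + QCLASS)."""
    i = 12
    while i < len(query):
        label_len = query[i]
        if label_len == 0:
            return i + 1 + 4
        if label_len & 0xC0:                    # compression pointer (2 bytes)
            return i + 2 + 4
        i += 1 + label_len
    raise ValueError("truncated question section")


def refused_response(query: bytes) -> bytes:
    """Header echoed with QR=1, RA=0, RCODE=5 (REFUSED), plus the question only.
    Any OPT record or other additional data is dropped, so the reply is never
    larger than the query: a refused client cannot use us for amplification."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    body = query[12:_question_end(query)] if qdcount else b""
    new_flags = 0x8000 | (flags & 0x7800) | (flags & 0x0100) | 5  # QR | OPCODE | RD | REFUSED
    return struct.pack("!HHHHHH", txid, new_flags, 1 if body else 0, 0, 0, 0) + body


class TokenBucket:
    """Per-client rate limit so one LAN host cannot exhaust the proxy's table."""

    def __init__(self, rate: float, burst: int, now: float = None):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = time.monotonic() if now is None else now

    def allow(self, now: float = None) -> bool:
        now = time.monotonic() if now is None else now
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def decide(query: bytes, src_ip: str, buckets: dict, now: float = None):
    """Policy for one datagram: ("drop", b"") for WAN sources (no reply at all,
    so nothing to reflect), ("refuse", reply) for LAN clients over budget,
    ("forward", query) otherwise."""
    if len(query) < 12 or not is_lan_client(src_ip):
        return "drop", b""
    bucket = buckets.get(src_ip)
    if bucket is None:
        bucket = buckets[src_ip] = TokenBucket(QUERIES_PER_SEC, QUERIES_PER_SEC, now)
    if not bucket.allow(now):
        return "refuse", refused_response(query)
    return "forward", query


def serve(listen=("192.168.1.1", 53)):
    """Forwarder loop (not run by the test). Bind the LAN address only; binding
    0.0.0.0 on a box with a public WAN address is the mistake in the article."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    buckets = {}
    while True:
        data, (src_ip, src_port) = sock.recvfrom(4096)
        action, payload = decide(data, src_ip, buckets)
        if action == "refuse":
            sock.sendto(payload, (src_ip, src_port))
        elif action == "forward":
            up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            up.settimeout(2.0)
            try:
                up.sendto(payload, UPSTREAM)
                reply, _ = up.recvfrom(4096)
                sock.sendto(reply, (src_ip, src_port))
            except socket.timeout:
                pass                           # client will retry
            finally:
                up.close()
```

Binding the listening socket to the LAN address is the first line of defence; the source-address check in decide() is there for the case the thread is about, a box that ends up listening on its WAN address anyway.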
Very very much the same. Of course, I can't customize the server on the box that's set up for me as easily as I can customize my own DNS server - but the results are about the same.
GP should be aware that a variety of ills with internet connectivity are cured by having your own server - starting with the serious lag experienced when the ISP's server is screwed up somehow. I can send DNS queries halfway around the world, and get a response, faster than I can get answers from my local ISP's DNS server. I'v
Very very much the same. Of course, I can't customize the server on the box that's set up for me as easily as I can customize my own DNS server - but the results are about the same.
Rubbish. Customisation aside, the open relay on the router is accessible on the outside, whereas one you set up on the inside has to have the ports forwarded through the NAT device on your average home LAN.
Far from the same. There is no need for a home router to be a DNS server to the outside, at most a repeater to the LAN from the ISP's DHCP assigned addys or for a customer with a bit more savvy, the IPs for OpenDNS.
"Well, setting up your own is the same as using the one that's set up for you in the box, wouldn't you say?"
There is the GP's question that I responded to. In fact, the DNS server in my router is no different than the DNS server on my gateway machine - except for configuration. The major reason I disabled the server on the router, was so that I could more easily update the server, and so that I could more easily configure it.
If I saw a reason, I could configure my firewall to allow queries to come in from
1) If there is a flaw in the software, I can tell your DNS server that Slashdot is at 80.65.228.129 or that your bank resolves to my MITM attack site.
2) I can use up all of your router's resources and then you can't look up any sites yourself.
There's also a DDoS possibility, since the remote computer can send a 50 byte message that results in the DNS server getting 4 kilobytes of data back to query it. DDoS'r does many of those and your network is filled with that crap.
I don't understand. Are you saying you can hijack my DSL modem and make it point to your website, instead of my bank website? Does this flaw also affect traditional 33k or 56k dialup modems? Would swapping-out the hijacked modem for a new one eliminate this "hole"?
Another semi-related question:
If I swap my current DSL modem with the spare modem in my drawer, would that change my IP address?
Real dialup modems don't do anything nearly as smart as DNS.
DSL "Modems" are really full-blown routers, and generally have NAT routing setup, and DNS and DHCP servers. So yes, they can be vulnerable to DNS cache poisoning, and then you'll get some Phisher-pholk's server instead of your bank's.
Like an open website -- OMG everyone can access it.
This is more like an open website running on IIS 4.0 because that's what's built into the server.
Only these devices do not auto-update - funny thing considering that their function requires being connected to the Internet. The only problem would be prompting for authorization.
I'm not sure how the DNS flaw works, but I just thought of something (feel free to mod me down if this is stupid)
If you were to target someone specifically that was using a router that supported auto-update, but it didn't update itself with a fix for the vulnerability yet, couldn't you possibly use the DNS flaw to fool it into getting the update from one of your servers?
Meaning, you could get the router to do pretty much anything you want, and a router can do a lot of bad stuff.
Oh, oh, by "auto-update" I meant software updates. (Kids, that's what happens when you post without having had enough sleep).
My concern is that the software driving modems and routers is rarely updated, but they're standing between you and the wide, wild Internet. Sure they could check for new versions, but how do they prompt you for permission? (I think technically minded consumers would be a bit miffed if the manufacturer pushed patches behind your back)
No, more like an open proxy. This isn't about authoritative DNS servers responding to everyone (they do; that's what they're for) it's about DNS caches responding to queries from everyone (not just those on the local net), which wouldn't be so bad except that many of them are insecure.
Yeah, but these devices are designed to name serve on the intranet, not the internet. Mine came with the default to ignore all traffic coming from the outside world.
No, they're not, according to the summary: "devices on the Internet that are configured to accept DNS queries from anywhere", "Almost all ISPs distribute a home DSL/cable device. Many of the devices have built-in DNS servers. These can sometimes ship in 'open by default' states."
Just because yours is closed by default, doesn't mean all are.
OK, you're right, 1 of 1 is not enough to make an assumption. But of the 5 I've bought over the years from 3 different vendors, all 5 were shipped configured to accept DNS requests from the intranet but block all requests of any type from the internet.
What's not to love about RSS feeds? It's like the Web for e-mail!:-) No blockage at the Web site proper, though... I clicked through to it from the feed immediately after, and not even so much as a pregnant pause.
They weren't before my time, but I never laid a finger on anything branded Commodore, so the humor you see in it just confuses me! Maybe I should change my account to SinclairQL_love?
"Guru Meditation" is the Amiga's version of a kernel panic, and dates back to 1985. That's why I thought you were making some in-joke about that machine (or else the website owner was). The screen looks like this: http://en.wikipedia.org/wiki/Guru_Meditation [wikipedia.org]
Nice funny story about the origins of it. I'm sure the homage must make a few old Commodore coders feel warm and fuzzy. Hey, did you edit the Trivia section to include the mention of the Varnish homage, or was it already there? Ah, wait, checking History... nope, it's actually been there for a while.
You're surfing the net from a Commodore Amiga? Isn't that 400 megahertz PPC processor kinda slow?;-)
That message got removed after Kickstart 1.3, when an Amiga had an 8 MHz MC68000.
Not that it matters -- the Amiga compensated for slow hardware with fast, well-written software.
Cache poisoning is something you do by returning an answer to a DNS server that's doing a lookup on your behalf. Lets say I was able to sniff your traffic and see that you go to your Bank's web site based on the last DNS query your router did on your behalf. What I can then do is bombard your router back with answers for your bank's web site being a different IP address so that when your router finally does the DNS lookup again at some point, the potential is there for it to accept MY answer for their sit
Lets say I was able to sniff your traffic and see that you go to your Bank's web site based on the last DNS query your router did on your behalf
What makes it worse, is you don't need such a precision attack. You could have a botnet randomly bombard everyone with "somebankname.com" is 1.2.3.4, and eventually you'd get a hit. Hit rate too slow, get more bots...
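Putting numbers on the two posts above: an added example, a probability model written for this page rather than an exploit or code from anyone quoted here, of how the attacker's odds change when the resolver's UDP source port is fixed versus randomised, which is the essence of the fix for the Kaminsky flaw the summary mentions. Each "window" is one race between the flood of forged replies and the real answer; the ephemeral port range 1024-65535 and the flood sizes are assumptions. The Kaminsky observation that makes the repeated windows possible is that the attacker can ask for a fresh random subdomain each time instead of waiting for a cached record to expire.

```python
# Added example: probability model for DNS cache poisoning with and without
# source-port randomisation. Not an exploit; no packets are sent.
import math
import random

TXID_SPACE = 1 << 16          # 16-bit transaction ID
PORT_SPACE = 65536 - 1024     # assumed ephemeral-port range a resolver picks from


def guess_space(random_port: bool) -> int:
    """How many (TXID, port) combinations a forged reply has to hit."""
    return TXID_SPACE * (PORT_SPACE if random_port else 1)


def poison_probability(forged_per_window: int, windows: int, random_port: bool) -> float:
    """Chance that at least one of `windows` races succeeds when each race
    carries `forged_per_window` distinct guesses."""
    p_window = min(1.0, forged_per_window / guess_space(random_port))
    return 1.0 - (1.0 - p_window) ** windows


def windows_for(target: float, forged_per_window: int, random_port: bool) -> int:
    """Number of races needed to reach `target` success probability."""
    p_window = forged_per_window / guess_space(random_port)
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p_window))


def simulate(forged_per_window: int, windows: int, random_port: bool, seed: int = 1):
    """Monte Carlo version: the resolver picks a TXID (and a port, if randomised)
    per outstanding query; the attacker blind-guesses. Returns the 1-based window
    in which a forged reply was accepted, or None if every window was lost."""
    rng = random.Random(seed)
    for w in range(1, windows + 1):
        txid = rng.randrange(TXID_SPACE)
        port = rng.randrange(1024, 65536) if random_port else 53
        for _ in range(forged_per_window):
            if rng.randrange(TXID_SPACE) != txid:
                continue
            if not random_port or rng.randrange(1024, 65536) == port:
                return w                       # forged answer cached
    return None


if __name__ == "__main__":
    for random_port in (False, True):
        label = "random port" if random_port else "fixed port  "
        print(label, "P(success, 1000 forged x 100 windows) =",
              f"{poison_probability(1000, 100, random_port):.6f}",
              " windows for 50%:", windows_for(0.5, 1000, random_port),
              " simulated win at window:", simulate(1000, 1000, random_port))
```

With a fixed source port and a thousand forged replies per race, fewer than fifty races already give the attacker even odds; with the port randomised the same flood needs millions of races, which is why the patch mattered even though it did not change the protocol.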
The problem I have seen is a mixture of ISPs which take years to react to anything and suppliers of these devices not taking responsibility and simply blaming it on the ISP. Because of this I would appreciate a roll call of ISPs and hardware involved in this, so that we can either avoid them or get them to fix the problem.
You could not be any more wrong on this with that statement. The ISP is not the issue and the hardware is not the issue.
If you are to build a recursive DNS server and have it do recursive queries on the internet completely bypassing your Router and ISP's DNS setup - you are still vulnerable.
Several online tools were available to test for vulnerabilities on individual PCs back when Kaminsky discovered the sad state of DNS security. Is there a similar test available for cable modems? How about a list of susceptible devices? I'd rather not put blind faith in my ISP to keep me out of harm's way.
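The thread names no tool, but the check itself is small enough to script. The following is an added example for this page (not a tool from Kaminsky, Infoblox or anyone quoted here): it builds a recursive query with nothing but the socket and struct modules, and a decoder classifies the reply. Run probe() from outside your own network against your public address; if the reply comes back with RA=1, NOERROR and an answer, the modem is an open resolver (the manual equivalent is `dig @your.public.ip example.com` from a host outside). The same two functions give the bytes-out per bytes-in ratio behind the amplification point made earlier in the thread. The reply at the bottom is constructed test data, not a captured packet.

```python
# Added example: minimal open-resolver probe and DNS reply decoder.
# Parsing is separated from I/O so it can be exercised on constructed data.
import socket
import struct


def build_query(txid: int, name: str, qtype: int = 1, edns_bufsize: int = 0) -> bytes:
    """Standard query with RD=1. qtype 1 = A, 255 = ANY. An EDNS0 OPT record
    advertising a large buffer is what lets a small query fetch a large reply."""
    labels = b"".join(struct.pack("B", len(l)) + l.encode("ascii")
                      for l in name.rstrip(".").split("."))
    arcount = 1 if edns_bufsize else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    pkt += labels + b"\x00" + struct.pack("!HH", qtype, 1)
    if edns_bufsize:
        pkt += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)  # OPT RR
    return pkt


def _skip_name(data: bytes, i: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[i]
        if length == 0:
            return i + 1
        if length & 0xC0 == 0xC0:              # compression pointer
            return i + 2
        i += 1 + length


def parse_response(data: bytes) -> dict:
    """Decode header flags and the answer section (A records as dotted quads)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    i = 12
    for _ in range(qd):
        i = _skip_name(data, i) + 4            # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        i = _skip_name(data, i)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[i:i + 10])
        i += 10
        rdata = data[i:i + rdlen]
        i += rdlen
        answers.append(".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4
                       else rdata.hex())
    return {"txid": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": answers}


def is_open_resolver(query: bytes, reply: bytes) -> bool:
    """Open if the box answered a stranger's recursive question: matching TXID,
    QR=1, RA=1, NOERROR and at least one answer record."""
    r = parse_response(reply)
    return (r["txid"] == int.from_bytes(query[:2], "big") and r["qr"] and r["ra"]
            and r["rcode"] == 0 and len(r["answers"]) > 0)


def amplification(query: bytes, reply: bytes) -> float:
    """Bytes returned per byte sent: the reflection multiplier an attacker gets."""
    return len(reply) / len(query)


def probe(host: str, name: str = "example.com", timeout: float = 2.0) -> dict:
    """Network part (not run by the test): one query, one classified reply."""
    q = build_query(0x1234, name)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(q, (host, 53))
        reply, _ = s.recvfrom(4096)
    except socket.timeout:
        return {"open": False, "reason": "no reply (filtered or closed)"}
    finally:
        s.close()
    return {"open": is_open_resolver(q, reply),
            "amplification": amplification(q, reply), **parse_response(reply)}


# Constructed reply for the offline check: one A record for example.com,
# flags QR|RD|RA, NOERROR. Not a captured packet.
SAMPLE_QUERY = build_query(0x1234, "example.com")
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

A modem that only forwards for the LAN should produce a timeout or a REFUSED here; a reply with RA set and a real answer is the condition the Infoblox survey counts.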
Ok, they list 2 ISPs as the leading "culprits", in Spain and France I guess. Then they go on to say something about DSL modems supplied with DNS servers? What's that about? Really? A DNS server on the modem? A hard-coded link to a DNS server, maybe. If you're going to report a problem, then report a problem, like the names of the manufacturers, models, and ISPs, and give people something to look out for.
DNS cache proxies are common on consumer routers.
Of course almost universally these are set to block all requests from outside, so can't really be accused of causing a jump of open resolvers from 50% to 80% on their own.
Also any network running authoritative DNS will have an open DNS.. that's unavoidable - although you normally rate limit it with iptables to stop magnification attacks.
Is it just me, or does anyone else have an issue with the name "David Dagon"?
I keep imagining the interview taking place with him sitting on a giant basalt throne
off the New England coast, at low tide...
No, it's not just you. I see Dagon and I think Shadow Over Innsmouth, or Dagon (2001) every time. It would be cool to have a name like that.. sort of like being Fred Cthulhu, or Samson Yog-sothoth.
One reason is to cut the # of queries coming into the ISP's servers. The modem can be a local cache.
is this a problem (Score:3, Insightful)
Open DNS servers don't seem so bad to me.
Just check that the manufacturer hasn't been stupid enough to ship it with an internet-accessible backdoor built in.
Example: http://hardware.slashdot.org/hardware/04/06/05/1250244.shtml [slashdot.org]
Is that why Slashdot was down? (Score:2)
Does anyone else think it's funny that this story was posted while /. was showing "guru meditation" errors?
No
And in a prophetic twist of fate... (Score:2)
... the RSS feed for this article fails to load!
You kids and your RSS feeds... That was on the whole site.
I think there must have been a crack in the Varnish.
What's not to love about RSS feeds?
Unlike the normal Slashdot front page, it is not possible to block stories by kdawson from the RSS feeds (or, wasn't last time I tried).
Yahoo Pipes works acceptably for this task.
Example: http://pipes.yahoo.com/pipes/pipe.info?_id=VsavzdaC3RGH9sTVrLQIDg [yahoo.com]
>>>Guru Meditation:
You're surfing the net from a Commodore Amiga? Isn't that 400 megahertz PPC processor kinda slow? ;-)
God gods, that would be blazing fast. IIRC, my Amiga had a 7 MHz 68000.