Paul Vixie Responds To DNS Hole Skeptics 147
syncro writes "The recent massive, multi-vendor DNS patch advisory related to DNS cache poisoning vulnerability, discovered by Dan Kaminsky, has made headline news. However, the secretive preparation prior to the July 8th announcement and hype around a promised full disclosure of the flaw by Dan on August 7 at the Black Hat conference has generated a fair amount of backlash and skepticism among hackers and the security research community. In a post on CircleID, Paul Vixie offers his usual straightforward response to these allegations. The conclusion: 'Please do the following. First, take the advisory seriously — we're not just a bunch of n00b alarmists, if we tell you your DNS house is on fire, and we hand you a fire hose, take it. Second, take Secure DNS seriously, even though there are intractable problems in its business and governance model — deploy it locally and push on your vendors for the tools and services you need. Third, stop complaining, we've all got a lot of work to do by August 7 and it's a little silly to spend any time arguing when we need to be patching.'"
I'm not worried (Score:5, Funny)
Re:I'm not worried (Score:5, Interesting)
Re:I'm not worried (Score:5, Funny)
Why is that hard? Still works with IP-addresses. The only thing you need to do is to supply the Host-field as per HTTP/1.1.
Re:I'm not worried (Score:5, Funny)
That's why 'smart' people use /etc/hosts. That solves the problem of remembering and of the HTTP-host-header.
Re: (Score:2)
$ telnet 209.112.170.79 80
Trying 209.112.170.79...
Connected to 209.112.170.79.
Escape character is '^]'.
GET http://www.element-o-p.com/ [element-o-p.com]
<...snip...>
$
Works just fine.
EDIT: Ignore the "[element-o-p.com]" in the snippet above --
Re: (Score:2)
EDIT: Ignore the "[element-o-p.com]" in the snippet above -- /. is editing my post to make sure the URL in the GET line is unobfuscated -- even though it's not supposed to be a link (grrrr....)
You Preview? Welcome to the 1%.
Re: (Score:2)
Re: (Score:1, Insightful)
Re: (Score:2)
Re: (Score:3, Informative)
216.34.181.48
Re:I'm not worried (Score:4, Insightful)
Re:I'm not worried (Score:5, Funny)
Hey!
I am an unpatched DNS server, you insensitive clod!
Not so simple. (Score:2, Interesting)
Only if you have a method for authenticating the other side of the phone conversation.
Re: (Score:2)
And where you got the IP-address for the whois (hint it uses several hosts for different TLD/regions).
Re: (Score:3, Funny)
Only if you have a method for authenticating the other side of the phone conversation.
Visit the website and get the phone number, of course!
Re: (Score:2)
Gentlemen, We are reading a post from Chuck Norris [ebay.com]. Of course he is a "niceone", anyone willing to disagree?
Re:Chuck Norris doesn't use DNS (Score:2)
Chuck Norris doesn't type in IP addresses by hand. He just whistles the modem tones.
But doesn't he use broadband instead of dialup? When Chuck Norris whistles for a modem, it does what he wants real fast.
Re:I'm not worried (Score:5, Funny)
I just remember the IP addresses and type them in myself. How hard is that?
That's all well and dandy until banner ads start flashing subliminal messages of unauthorized zone updates to you.
Re:I'm not worried (Score:4, Funny)
Re: (Score:2, Funny)
Re: (Score:2)
I'm wondering how feasible it would be to provide some added DNS protection at the client end. Most of the computers and consumer routers I've dealt with took entries for three DNS servers (or got them by DHCP). I'm not sure whether all three get queried and the first result used, or the first queried, then the second if there's no response from the first?
Behavior probably varies by OS as this short tale illustrates a bug in Mac OS 9: (back on topic after this...)
Years ago I encountered a problem where s
stability (Score:1, Interesting)
Re: (Score:2, Funny)
I heard that this "security fix" is the addition of support for the Evil Bit [faqs.org].
The back-biting is shameful (Score:5, Insightful)
Geez, if you want responsible disclosure, you have to trust the experts when they say "it's new and it's bad"
Re: (Score:1)
Geez, if you want responsible disclosure, you have to trust the experts when they say "it's new and it's bad">
And that's one reason why I keep saying to hell with 'responsible disclosure'. But the more I say that the more people look at me like I'm some kind of space alien who just landed in a flying saucer.
Maybe then we wouldn't have software vendors taking weeks, months or years to patch remotely exploitable bugs (yes, I'm looking at YOU, Microsoft)
Re:The back-biting is shameful (Score:5, Insightful)
Sure you would; and the blame for any damage would be blamed on who made the disclosure.
There is nothing wrong with how this was/is being handled. Limited disclosure with a solid and "reasonable" deadline is a perfectly fine way to balance the myriad issues with security threats.
Re: (Score:3, Insightful)
Maybe then we wouldn't have software vendors taking weeks, months or years to patch remotely exploitable bugs (yes, I'm looking at YOU, Microsoft)
Sure you would; and the blame for any damage would be blamed on who made the disclosure.
There is nothing wrong with how this was/is being handled. Limited disclosure with a solid and "reasonable" deadline is a perfectly fine way to balance the myriad issues with security threats.
Except Microsoft doesn't handle things this way. If this had been only a Windows issue we would have never heard about it. The fact that Open Source is vulnerable as well means that we will eventually know what the problems were and be able to look to see that it was fixed in the Open Source versions.
Re: (Score:3, Insightful)
This has nothing to do with any specific vendor or open source.
This issue is about how and when independent researchers disclose a vulnerability they find.
Re: (Score:2)
The fact that Open Source is vulnerable as well means that we will eventually know what the problems were and be able to look to see that it was fixed in the Open Source versions.
Anyone with a serious interest in finding out the details of the flaw doesn't need the source code to figure it out, or to see what changes were made to address it. All they need are the binaries and a disassembler.
Re:The back-biting is shameful (Score:4, Interesting)
Not in this case, in this case seeing the source changes doesn't really help, it's more like a protocol-design-flaw. And the bugfix is just a workaround.
Re: (Score:2)
Maybe then we wouldn't have software vendors taking weeks, months or years to patch remotely exploitable bugs (yes, I'm looking at YOU, Microsoft)
Somebody benefits from the status quo.
Re:The back-biting is shameful (Score:5, Insightful)
So, you figure eighty vendors coordinated a simultaneous patch for some issue that is not really a big deal, probably just some guys vying for attention?
It's all a liberal plot (Score:5, Funny)
DNS cache poisoning is a myth cooked up by the liberal media and DNS scientists to implement their anti capitalist agenda.
And if it isn't a myth, then it certainly isn't man made, it's a natural phenomenon and there's nothing we can do about it.
Re:ATTENTION MODERATORS: MOD PARENT DOWN (Score:4, Funny)
Uh oh, somebody call the whaaaaambulance, we're going to need to perform a humor transplant here!
Re:ATTENTION MODERATORS: MOD PARENT DOWN (Score:4, Funny)
User ID 1352 trollin' it old skool!
Re: (Score:3, Insightful)
Geez, if you want responsible disclosure, you have to trust the experts when they say "it's new and it's bad"
I don't want "irresponsible disclosure". I don't want to be vulnerable, while major corporations get to do marketing damage control. They had a hole. Ok, everyone makes mistakes. They found the hole. Great, then we can do something about it. Or not, because they kept quiet about it while secretly writing the fixes. They kept quiet about it for long enough that even Microsoft had fixes ready.
Meanwhile
Re: (Score:3, Interesting)
OK... How bad? "Real bad" doesn't really help me at all. To make an informed decision I need to know four things:
#1 is making my firewall basically wide open to UDP. #2 is cache poisoning. Without knowing more about Kaminsky's attack, I can't really make any useful guesses about #3 and #4.
For now I've all
Re:The back-biting is shameful (Score:5, Funny)
If there's one thing that everyone should have learned by now, if someone says "trust me", you should be skeptical.
No, you're off message. They need to click continue, because the screen has gone all dark and they can't get back to their web browser.
Re:The back-biting is shameful (Score:5, Interesting)
That same information that allows you to make an "informed decision", as you so blithely put it, puts the integrity of the entire infrastructure and, more to the point, the information security of a whole lof of people at tremendous risk. Dammit, that's the whole point of the OP's observation and why people argue about disclosure in the first place.
Re: (Score:2, Insightful)
That same information ... puts the integrity of the entire infrastructure and, more to the point, the information security of a whole lof of people at tremendous risk.
Extremist talk and dire predictions are great, but where have they gotten us in the past? Vixie claims that "Everything we thought we knew was wrong", but at the same time, we know that there are DNS systems and services that did not have this vulnerability, so obviously some people had already given this type of issue some thought.
I'm not sa
Re: (Score:2)
What does any of that have to do with the process or are you implying that disclosure policy is nothing to be concerned about?
Re:The back-biting is shameful (Score:4, Interesting)
Vixie claims that "Everything we thought we knew was wrong", but at the same time, we know that there are DNS systems and services that did not have this vulnerability, so obviously some people had already given this type of issue some thought.
No. Not all dns systems/services may be vulnerable, but this might not be because of forethought but rather a different design paradigm (buzzword alert, I know). They might just have been designed differently for other reasons, and non-vulnerability to this exact flaw may be a side-effect.
Re:The back-biting is shameful (Score:4, Informative)
It was because of forethought of one man, DJB (Bernstein).
Re: (Score:2)
Haven't enough people been hurt by blindly trusting "experts"?
Do tell us what you think the ration of people saved to people hurt by blindly trusting experts is.
Re: (Score:2)
Depends on whether their expertise extends beyond the word "expert" in front of their names.
The problem is that many people are introduced as experts that aren't really experts and don't have the background that the term implies. The modern media is great for implying expertise or authority on a given topic without there being any basis for it.
Example: Why interview Pat Robertson on economic issues? People who don't know who Pat Robertson is will assume he's an authority on the topic at hand. Otherwise, why
A grown-up attitude from Vixie (Score:1, Offtopic)
If he posted that here, it would get modded Flamebait or Troll.
Doctors make the worst patients (Score:5, Insightful)
Knowing how to run a system is not purely technical knowledge, it's also a measure of professional ability. That means knowing when to take advice, and knowing who to take it from.
Unfortunately, what else is new? (Score:1)
Security expert discovers flaw
Tries to do the right thing and report it responsibly to vendors. Coordinates patch day responsibly.
People ignore it/blow it off/procrastinate and then proceed to throw blame and lawsuits against those who tried to help them in the first place.
They require a license to drive a car on a highway. Sure as hell would thin out the herd to require a license to drive a server on the information superhighway.
Re: (Score:2, Interesting)
Not exactly.
This flaw was well known in 1990. Paul Vixie has been dragging his feet for almost twenty years with crack-potted shit like "additional credibility rules" and extra complexity.
How to fix this bug trivially was well known over ten years ago [cr.yp.to] and still the ISC has been refusing to secure its users because they want to push DNS-SEC- a security system based on a trust hierarchy that doesn't exist, whose implementation has never worked, and will never work because Paul is a fucking idiot who cares mor
Re:Unfortunately, what else is new? (Score:5, Funny)
Your mad ad hominem attack skills have convinced everyone that Paul Vixie is the know nothing douchebag in this conversation. Kudos!
Re:Unfortunately, what else is new? (Score:4, Funny)
Re: (Score:1)
Re: (Score:2)
Randomize the source port. It's in the third paragraph.
Re:Unfortunately, what else is new? (Score:4, Informative)
Randomizing UDP source ports does not solve the problem, it only makes it more difficult to impersonate the responding DNS server. Secure DNS makes this kind of impersonation impossible, or at least allows us to bask in the warm glow of impossible.
The DJB vs BIND thing is an illusion. Whatever everyone agrees is the best implementation should win and I doubt that Paul Vixie or anyone else at ISC thinks differently.
But it has become abundantly clear to me that DJB and his minions (of which I assume you are one) have failed to matter in most ways, not because of your ideas, but because of the brusque, immature manner in which those ideas are submitted for consideration, outside the standards committees which have served the Internet well for 30 years.
Re:Unfortunately, what else is new? (Score:4, Interesting)
Secure DNS makes this kind of impersonation impossible
Mmm, no. It makes this kind of impersonation possible by anyone who can coerce/corrupt/control some part of the chain of trust.
outside the standards committees which have served the Internet well for 30 years.
Actually, on the topic of security and cryptography, I'd say the standards committees have failed the internet pretty badly. The apparent fixation with providing Verisign with revenue streams has gotten in the way of designing acceptable trust systems.
The only result that the fixation with certificates and authorities has gotten us is a situation wherein everyone is becoming their own authority and nobody cares about certificate warnings anymore.
If one wanted to repair the systematic damage by now, the best way would be to simply scrap the CA's out of browsers and anywhere else and just add a way to easily add specific CA's for each new domain/service provider one comes in contact with.
Re: (Score:2)
You're going down the path of DNSSEC, and, while I can't claim to be an expert, evidence suggests that this is a bad plan. DNSSEC started out as "oh, we'll just have the server sign all answers it gives out" (the "SIG+KEY" protocol of old).
Also, Verisign has _never_ shown themselves terribly competent at avoiding impersonation attacks -- they issued another SSL key for microsoft.com, FFS. We're supposed to hand them _more_ keys to the Internet?
Re: (Score:2)
but overall it works.
Actually, I'd say exactly the opposite. SSL is used only on a fraction of the net, and in many cases, for many uses, self-signed certificates are as trustworthy as the CA's. Overall, I'd say that's not working.
Imagine if you had to buy a cert for ssh; we'd still be using telnet...
a lot of the reason it works is because of the money
A lot of the reason it doesn't work is because of the money. The CA's maximize their profit by taking money and _not_ doing any checking. They have no financi
Re: (Score:2)
SSL isn't broken when users can't connect to their "secure servers". It's broken when SSL doesn't mean what the users think it means.
Users think SSL means their transaction/connection/information is safe. It might if CA's checked the information of their customers, and made sure they were responsible with data. But they don't. SSL has always been broken.
Re: (Score:2)
Amazon, Google, eBay, PayPal,
Like I said, a small fraction of sites. Had ssl 'worked' it would be deployed on close to every single site.
When you do a lookup on "example.com" for the first time, how do you check the signature if you don't have the public key?
The first time you connect to a site you have no business trusting it, anymore than the average person trusts people the first time they meet. Transfer the appropriate key then; trust is built over repeat interactions. For the purpose of building trust
Re: (Score:2)
Disclaimer. I'm the author of LDAPDNS [nimh.org].
Tens of thousands of times harder.
Unfortunately, Secure DNS doesn't exist. Nobody's quite sure what it looks like, or how it'll work because the things crytopgraphers is secure nobody wants to do because it makes ugly domain nam
Re: (Score:2)
Referring to your own PDF:
Page 18: There are three competing implementations, all of which have problems.
Page 21: Deployment problems, clients not supporting; breaks access to sites. BIND bugs.
Also,
$ host -t ds se I.NS.se.
Using domain server:
Name: I.NS.se.
Address: 194.146.106.22#53
Aliases:
se has no DS record
means the security chain is already broken.
Finally, just because someone installed DNS-SEC doesn't mean that "Secure DNS" was deployed. If you can't tell the difference between the two, then you won't be
Re: (Score:2)
You'll note I didn't: I called you a very smart man.
However, I also call you a douchebag and an idiot. You and I both know that "Secure DNS" isn't the same thing as DNSSEC- one exists, the other does not. We also know that BIND's credibility rules are stupid.
But most importantly, we also know that a lot of the practical DNS forgery attacks in the past - nearly two decades- could have been mitigated and yet you have led people to believe there is good reason not to stop the
Re: (Score:2)
TSIG, TKEY, and all revisions thus far to DNSSEC don't make DNS secure.
The credibility rules started showing up in 1992. Kashpureff's 1997 attack had nothing to do with it.
No, but discarding the ADDITIONAL section would.
Re: (Score:2)
There is no real fix, other than changing than protocol in a backwards incompatible way. Port randomisation is a workaround and but it will give us some more years.
And that last part is just me guessing.
What is Secure DNS (Score:1)
Re:What is Secure DNS (Score:5, Informative)
"The Domain Name System Security Extensions (DNSSEC) are a suite of IETF specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers):
* Origin authentication of DNS data.
* Data integrity.
* Authenticated denial of existence."
http://en.wikipedia.org/wiki/DNSSEC
Re:What is Secure DNS (Score:4, Interesting)
Unfortunately, as Vixie admits, DNSSEC has intractable problems and is... well, let's be generous and say "pushed too quickly through the standards process". (See http://cr.yp.to./djbdns/forgery.html [cr.yp.to]; in particular, Vixie's observation 'We are still doing basic research on what kind of data model will work for dns security. After three or four times of saying "NOW we've got it, THIS TIME for sure" there's finally some humility in the picture... "wonder if THIS'll work?" ...' [this was _after_ several DNSSEC RFCs were approved and intended to be implemented were shown to be utter crap.])
Encouraging people to use DNSSEC is just about as useful as encouraging people to use HOSTS.TXT. OK, I exaggerate a bit, but it's simply not going to solve the problem, is going to expose zones to arbitrary enumeration (remember, The Internet community discouraged answering AXFR requests from the Internet at large presumably for a reason), and is going to introduce much larger computational demands of DNS servers that implement it.
(Here's a thought: most of this forgery comes from my ability to guess your DNS cache / resolver's query port and request ID. Come IPv6, we could surely add 48+ bits of entropy to the process by having DNS servers listen on a prefix of addresses. Much simpler, if gross.)
Why is Vixie recommending it? (Score:2)
Unfortunately, as Vixie admits, DNSSEC has intractable problems [...]
So... why is Vixie recommending it? It's about as secure as using PGP without the web of trust, or using HTTPS without the PKI.
It would make sense if he didn't admit that there were intractable problems, and then told people to use it. Or if he said that there's really nothing you can do, and that the DNS vendors dropped the ball somethin' fierce by failing to secure the system in the decade since the problem was described.
But what is he e
Re: (Score:3, Insightful)
If I have to guess, it's because Vixie is associated with ISC, who makes BIND, and is hoping that ISC makes more money with the "ZOMG, run DNSSEC or you're all doomed!". Of course, Vixie has never shown any kind of restraint over DNSSEC, and has previously urged adoption of (prior) broken editions of the protocol that somehow passed muster at the IETF despite not living up to their claims.
DJB may be a meanie, but he seems much more technically competent than Vixie. (I offer as evidence, again, the securit
Re: (Score:2, Informative)
Re: (Score:2)
Yes, sorry, my brain had glitched. The ISC is a nonprofit but was (is?) closely associated (http://cr.yp.to/djbdns/blurb/bindmoney.html) with the company I should have named, namely Nominum, the for-profit branch of Paul Vixie's life. I apoligize for the confusion.
Unrelatedly, if you're still worried that your protocols need work, it seems premature to promise that you won't flag-day the protocol again. You might certainly hope that you won't have to, which I admit is an admirable wish. Or is that to sa
Re: (Score:2, Informative)
you can't be serious. i resigned as chairman of nominum's board back in 2002 or so. i have no position there. they stopped working on BIND9 at about that same time. let the record show that i am grateful to nominum's then-shareholders for their significant donation of code and effort to BIND9 9.0.0, which went well beyond what ISC paid them for.
it's an educated bet. the restarts to the Secur
Re: (Score:2)
Please note that a lot of DNS exploits are still possible with DNSSEC, including Kaminsky's Suckets work -- it simply won't solve the DNS problems of the world. Moreover, the "problems" you're trying to solve with DNSSEC (e.g. yourbank.com getting redirected hostilly) can either still happen (oh, whoops, right, not all caches can mandate DNSSEC yet; applications can't tell whether getnodebyname() was done securely or not, and you should damn well be using TLS anyway). Further, DNSSEC has administrative prob
Re: (Score:2)
I was unaware of NSEC3, having only looked at DNSSEC before its publication as an RFC in March. Thank you for bringing it to my attention; I retract my assertions that zone enumaration is a viable objection to DNSSEC.
AFAIK I understand the issues, EDNS having an extended ID field would also have solved, or made dramatically less likley at least, the injection attacks of late with a lot less effort. Am I mistaken in this understanding?
Do you have a pointer towards a design of a getnodebyname() replacement
Re: (Score:1, Informative)
Secure DNS is a protocol which uses cryptographic signatures on DNS records to prevent DNS spoofing and other unauthorized manipulations. It has some problems which are mostly a result of DNS being a UDP protocol, which, for performance reasons, can't have long handshakes or cryptographic calculations on the server side.
Small business setups NOT protected by the patch? (Score:1)
From Paul Vixie's response: "Tom Cross of ISS-XForce correctly pointed out that if your recursive nameserver is behind most forms of NAT/PAT device, the patch won't do you any good since your port numbers will be rewritten on the way out, often using some pretty nonrandom looking substitute port numbers."
Does this mean that a typical small-business setup isn't protected by the patch?
For example, a server which provides recursive DNS and which connects to the Internet by a "cable" modem.
Oops! I meant cable router, not cable modem (Score:1)
Oops! I meant cable router, not cable modem
Re: (Score:1)
Re: (Score:2)
My home router uses NAT. And sometimes I use my own DNS server to serve the home network and give that network a private TLD. Are those sorts of setups impacted now?
Re: (Score:2)
It depends on how the NAT device assigns port numbers to outgoing queries. Apparently the fix for this flaw is to ensure the source port for lookups is truly random; some devices may use very predictable sequences (such as our Cisco ASA at work, mutter mutter).
If you visit Dan Kaminsky's blog [doxpara.com], there's a DNS checker in the right hand panel which allegedly tells you if you need to worry or not. It just looks to see if all your queries for their test domain name came from the same port number.
Re: (Score:3, Interesting)
So, are we all compiling from source all the time? (Score:4, Insightful)
All paranoid theories about this issue sort of ignore the fact that unless you plan to install hundreds (or even thousands) of systems from your own compiled source for years and years to come, all of this discussion is at best academic.
The new distros are going to have the patch.
And really, considering the number of prehistoric vulnerabilities that should have been patched, that this one is finally getting patched is fine.
Yeah, there's a bit of "trust me" factor here with this patch, but a lot of good people are putting their credibility on the line for this patch.
All of this whole FOSS thing entails a lot of trust. I mean, you're really telling me that everyone on here whining about the need to see the source code has read every line of code in every OS they're using? There is a level at which we're all sort of hoping that the guys interested in each of the particular parts of the OS have done a thorough job in their separate efforts.
Re:So, are we all compiling from source all the ti (Score:3, Insightful)
All of this whole FOSS thing entails a lot of trust. I mean, you're really telling me that everyone on here whining about the need to see the source code has read every line of code in every OS they're using?
There's a specific phrase to describe it, but it escapes me at the moment.
Bascially, when you have a crowd of people standing around watching someone get beat up, nobody steps in to help, because everyone assumes someone else will help.
Verifying source code is somewhat like that: someone else will do it. The great thing about the internet is the crowd is so large that the few people, who would jump in no matter what, are always present.
Diffusion of Responsibility (Score:4, Informative)
You're looking for Diffusion of Responsibility [wikipedia.org], made famous by the incident in which Kitty Genovese was murdered within earshot of a whole bunch of people, all of whom thought "damnit, someone should do something about this!"
Re: (Score:2)
Of course they are. They stopped ignoring their mom shouting down into the basement that it was dinner time a LONG time ago. ;)
Re: (Score:2)
All of this whole FOSS thing entails a lot of trust. I mean, you're really telling me that everyone on here whining about the need to see the source code has read every line of code in every OS they're using?
No, but given the "number of eyes", it's usually not necessary that every person has read every line of code. If a set of N people have read the relevant code and understand it, that's often sufficient to solve a problem.
I ran across an example just a few days ago. The details aren't too important here
So its not the same flaw? (Score:4, Informative)
Q: "This is the same attack as described way back in
A: No, it's not.
When Dan Kaminsky states in his blog. [doxpara.com]
"DJB was right. All those years ago, Dan J. Bernstein was right: Source Port Randomization should be standard on every name server in production use."
and
" 1) It's a bug in many platforms 2) It's the exact same bug in many platforms (design bugs, they are a pain) " How is this not the same flaw DJB described?
Re:So its not the same flaw? (Score:5, Informative)
You are looking at two separate issues. The flaw Kaminsky found is apparently a newly discovered design flaw that makes DNS forging easy even with todays, unpatched DNS servers. In the advisory, they discussed previous problems with generating the transactionID to explain the problem and point out that what Dan found is not something already known (alot of people missed that very obvious point).
The second seperate, issue is UDP source port randomization. That is what Kaminsky was referring to DJB's solution. Kaminsky's assertion is that UDP source port is a good development practice which DJB incorporated into his DNS server.
Bear in mind that UDP source port generation doesn't solve the underlying problem, it simply makes blind DNS forging more difficult because now an attacker has to guess both a pseudo random transaction ID and a pseudo random UDP source port number. Alot of DNS servers and OS, simply picked source port numbers incrementally or in the case of a DNS server, re-used the some one over and over.
I don't know hom much more difficult DNS forging will be by randomizing the UDP source port numbers. The additional keyspace is (2^16-1023) and you can probably divide that in half again. But it's better then nothing and probably provides enough time (the time it would take an attacker to blindly guess the transactionID and UDP source port number) for the actual response to hit the DNS server. In DNS, the first response wins.
Re:So its not the same flaw? (Score:4, Informative)
Re: (Score:2)
Because a single flaw may be exploitable through multiple vectors of attack.
Though in this case source port randomization isn't the fix, it a stop gap that makes the flaw difficult to exploit in practice.
Re: (Score:2)
Just because two problems have the same mitigation doesn't mean that they're the same problem.
You can take aspirin for a headache, or for a heart attack, but that doesn't mean that a headache is a heart attack or visa-versa. In some cases (I don't know the history, I never followed djbdns), you can have someone state a solution without a known attack -- 'This doesn't feel right, I don't think we should do it, but I can't say exactly why', and so we can get into a situation where there was no flaw for it to
A simple test to run (Score:5, Informative)
In a comment to a question I posted for the CircleID article, Paul Vixie posted a nice and simple test that people can run to see how vulnerable they are:
FAIR or GOOD means you're ok, but POOR (which is the result I got) means you should be worried.
Re: (Score:2)
Very confused here... I get "POOR" at home behind a NAT router; okay, I understand that. I run the same test on a remote server on the backbone, which is running the latest bind9, patched this week, and it gives exactly the same "POOR" result.
What hoop are we supposed to jump through to get a "GOOD" result?
Re: (Score:2)
Install DJB's dnscache.
Re:A simple test to run (Score:4, Informative)
Many older named.conf configs have "query-source port 53;". While this is nice for firewalls to open up DNS traffic (assuming replies from source udp/53 to destination udp/53 (your query port) are always safe), it makes it easy to exploit.
This must be removed and those nameserver restarted. I had to do this with all of my servers, otherwise all queries come from the same port (53). Complain to your ISP if you find this to be the case with their DNS servers and in the meantime use some other DNS servers.
My two local Comcast resolves show "Poor" as the ports they use only have a standard deviation of 130-150, which I guess is assumed to be far too obvious and easy to keep bombarding.
Second, your NAT router may be de-randomizing your DNS queries if you run a resolver at home, and taking your random ports and putting them in order starting at 1024 (or something similar).
My own local/internal DNS servers shows as a std dev of 9 since my PAT router is de-randomizing the external ports. I'll be replacing my PAT router.
Third, your NAT router may be your DNS resolver and may not be using random source ports.
Re: (Score:2)
My stock OpenBSD 4.0 / BIND 9.3.2-P1 name server configuration passes with no modifications on my part. I got deviations from 16,000 to 20,000 across several hosts I tried within my network.
It seems to come with the territory that to write secure code, you have to offend people.
A) I disagree with you.
B) I think you're wrong.
C) That's broken.
D) That's broken, get lost.
If you chose A, you've probably never written a line of secure code.
Beware of ADSL router S-NAT on UDP ports. (Score:2)
I did the "dig" test on my patched DNS servers, and one of them failed.
Reason: It was connected to an ADSL router by a 192.168.1.0/24 subnet which was translated by port S-NAT to a narrow range of source UDP ports.
As a result, all of the fixing of the DNS servers was made useless.
It was only the "dig porttest.dns-oarc.net in txt" test which exposed this.
Not that you should really do:
dig @your.dns.server porttest.dns-oarc.net in txt
where your.dns.server is the local DNS server behind your ADSL router or fire
Re: (Score:2)
FAIR or GOOD means you're ok, but POOR (which is the result I got) means you should be worried.
Thanks for that. I've patched our RHEL5 BIND, but I still failed that test. I discovered that our legacy named.conf had carried a 'query-source' directive from ghod-knows-when and that just patching isn't always enough.
I found the issue from:
http://www.centos.org/modules/newbb/viewtopic.php?form=1&topic_id=15132&forum=37&order=ASC&start=0 [centos.org]
Don't worry, Mr. Vixie (Score:3, Funny)
Third, stop complaining, we've all got a lot of work to do by August 7 and it's a little silly to spend any time arguing when we need to be patching.
The patch is now in my crontab and set to run on the 6th.
Re: (Score:2)
The problem with conspiracy theories is that everyone involved in the conspiracy must keep silent, or else the conspiracy will be outed. Most people have a lot of trouble doing that because let's face it -- our egos are just too big. Unfortunately (or fortunately, depending upon whether or not you're in on the secret), once anyone else knows, everyone else knows.
So yeah, that sounds like it would be a great exploit, but do you really think it is likely that any