Tech Support Guy Forums > Security & Malware Removal > General Security
DNS Exploit in the Wild -- Update: 2nd More Serious Exploit Released

lotuseclat79 (Distinguished Member with 21,345 posts; Join Date: Sep 2003; Location: -71.45091, 42.27841)
24-Jul-2008, 09:44 AM #1
DNS Exploit in the Wild -- Update: 2nd More Serious Exploit Released
tomdkat (Distinguished Member with 7,127 posts; Join Date: May 2006; Location: S.F. Bay Area, CA; Experience: Intermediate)
24-Jul-2008, 06:43 PM #2
crap. I wonder how this will manifest itself.

Peace...
lotuseclat79 (Distinguished Member with 21,345 posts; Join Date: Sep 2003; Location: -71.45091, 42.27841)
24-Jul-2008, 06:52 PM #3
Hi tomdkat,

The manifestation is a poisoned DNS cache (one where the software does not have the fix).

There is a post at CipherDyne, Mitigating DNS Cache Poisoning Attacks with iptables, that might be of some interest.

-- Tom
tomdkat (Distinguished Member with 7,127 posts; Join Date: May 2006; Location: S.F. Bay Area, CA; Experience: Intermediate)
24-Jul-2008, 08:34 PM #4
It sounds like this new exploit is worse than the initial DNS cache poisoning. The Cipherdyne article states the details of the attack haven't been released yet but the InfoWorld articles linked to in these threads:

http://forums.techguy.org/tech-relat...d-new-dns.html
http://forums.techguy.org/tech-relat...-dns-flaw.html

indicate the details of the attack accidentally got leaked and the software using that info is out in the wild. What's most interesting to me is in one of the InfoWorld articles, someone claims this DNS issue was identified 9 yrs ago and hasn't been addressed in BIND but in another DNS package.

This sucks.

Peace...
mrss (Registered User with 722 posts; Join Date: Jun 2007)
24-Jul-2008, 11:15 PM #5
There are links available to see if your ISP's servers are vulnerable to this exploit.
Here's one: https://www.dns-oarc.net/

So would you guys recommend switching one's DNS servers to something like opendns in the interim if your ISP didn't pass?
tomdkat (Distinguished Member with 7,127 posts; Join Date: May 2006; Location: S.F. Bay Area, CA; Experience: Intermediate)
24-Jul-2008, 11:21 PM #6
According to that site, the Comcast DNS I'm using has poor source port randomness and great transaction id randomness.

Peace...
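As an added example (not code from this thread or from the DNS-OARC test site), here is one way to grade the same two properties the test reports, source port randomness and transaction ID randomness, from a captured sample of a resolver's own outbound queries. The sample data and the grading thresholds are constructed assumptions, not DNS-OARC's actual criteria.

```python
"""Grade a resolver's source-port and transaction-ID randomness from a
sample of its outbound queries, the two properties the DNS-OARC test in
this thread reports as POOR or GREAT.  Added example, not code from the
thread or from DNS-OARC; the thresholds below are assumptions."""
import math


def sequential_fraction(values):
    """Share of consecutive pairs where the next value is exactly +1."""
    pairs = list(zip(values, values[1:]))
    return sum(1 for a, b in pairs if b - a == 1) / len(pairs)


def spread_bits(values):
    """log2 of the range actually used, i.e. how much of the field is exercised."""
    return math.log2(max(values) - min(values) + 1)


def grade(values, field_bits=16):
    """Return 'POOR', 'FAIR' or 'GREAT' for one 16-bit field (assumed thresholds)."""
    if len(values) < 2:
        raise ValueError("need at least two observations")
    repeats = len(values) - len(set(values))
    if sequential_fraction(values) > 0.5 or repeats > len(values) // 4:
        return "POOR"   # counter-like or heavily reused values
    if spread_bits(values) < field_bits - 4:
        return "FAIR"   # random-looking but confined to under 1/16 of the space
    return "GREAT"


def grade_sample(sample):
    """sample: list of (source_port, txid) pairs captured from the resolver."""
    ports = [p for p, _ in sample]
    txids = [t for _, t in sample]
    return {"source_port": grade(ports), "txid": grade(txids)}


# Constructed sample: sequential ports with random IDs, the shape behind a
# "poor port randomness / great transaction ID randomness" result.
POOR_PORT_SAMPLE = [(1025 + i, t) for i, t in enumerate(
    [0x1f3a, 0x9c02, 0x44e1, 0xb7d5, 0x0a9e, 0x6d13, 0xe2c8, 0x58f0,
     0x3b77, 0xc14d, 0x7e29, 0xa6b4, 0x12fc, 0xd085, 0x9a4b, 0x27e6])]

if __name__ == "__main__":
    print(grade_sample(POOR_PORT_SAMPLE))
    # → {'source_port': 'POOR', 'txid': 'GREAT'}
```

Feed it the (source port, ID) pairs from a packet capture of your own resolver's outgoing queries; a resolver graded GREAT on IDs but POOR on ports still leaves only 16 bits for an attacker to guess, which is the point of the thread.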
lotuseclat79 (Distinguished Member with 21,345 posts; Join Date: Sep 2003; Location: -71.45091, 42.27841)
25-Jul-2008, 08:11 AM #7
Here is some information regarding Windows, Linux and Mac Systems:

Vulnerable to a DNS cache poisoning at home?

Kaminsky (finally) provides DNS flaw details.

Note: First, to determine whether your DNS system is vulnerable, use either of these tests:

* Dan Kaminsky

* DNS Operations, Analysis, and Research Center

The way forward is to patch your DNS server if it tests vulnerable.

-- Tom
__________________
The independence created by philosophical insight is - in my opinion - the mark of distinction
between a mere artisan or specialist and a real seeker after truth. - Einstein 1944
Imagination is more important than knowledge. - Einstein
tomdkat (Distinguished Member with 7,127 posts; Join Date: May 2006; Location: S.F. Bay Area, CA; Experience: Intermediate)
25-Jul-2008, 11:28 AM #8
Quote (Originally Posted by lotuseclat79):
Note: First, to determine whether your DNS system is vulnerable, use either of these tests:

* Dan Kaminsky

* DNS Operations, Analysis, and Research Center

The way forward is to patch your DNS server if it tests vulnerable.
I've run both of those tests already. The first one, I found in this thread and the second I found in post #5 of this thread.

One reports my Comcast DNS being "safe" because the ports displayed don't show an obvious pattern; the other test results are those I posted above, in post #6 of this thread. Those results indicate there might be an issue with the Comcast DNS I'm currently using.

Peace...
lotuseclat79 (Distinguished Member with 21,345 posts; Join Date: Sep 2003; Location: -71.45091, 42.27841)
26-Jul-2008, 10:18 AM #9
Lesson From the DNS Bug: Patching Isn't Enough.

Commentary by Bruce Schneier for Security Matters, a section of Wired Magazine

At the end of the story is a link to a well-crafted dnscache program, impervious to this incident attack.

-- Tom
lotuseclat79 (Distinguished Member with 21,345 posts; Join Date: Sep 2003; Location: -71.45091, 42.27841)
30-Jul-2008, 09:12 AM #10
tomdkat (Distinguished Member with 7,127 posts; Join Date: May 2006; Location: S.F. Bay Area, CA; Experience: Intermediate)
30-Jul-2008, 12:03 PM #11
The strange thing I'm seeing is if I access the test using the raw IP address, I'm getting results from a different DNS provided by my ISP than when I click the link on the dns-oarc.net test page. The link on the test page resolves to the same IP as is provided in the C|Net article so I'm not sure why I'm getting a total of three different DNS servers being tested. What's even stranger is the DNS servers being tested are different DNS servers than are configured, via DHCP, in my router. I'm not sure where the site is getting the DNS server addresses to use for its testing, regardless of accessing the test page using the FQDN or the IP address.

Peace...
tomdkat (Distinguished Member with 7,127 posts; Join Date: May 2006; Location: S.F. Bay Area, CA; Experience: Intermediate)
30-Jul-2008, 12:48 PM #12
You know, I don't know what to trust in all this. I used the raw IP address for the dns-oarc.net test server in two different browsers and got two DIFFERENT results on the SAME DNS server provided by my ISP!

Attached are screenshots.

Then, the Doxpara test site (the "Dan Kaminsky" link above) reports the same DNS shown in the other two screenshots as being in good shape.

I figure Comcast is doing some kind of "round-robin" distribution of its DNS servers to keep loads manageable but I'm confused as to how the SAME DNS server can get two DIFFERENT results when running the SAME test at the SAME test site.

Peace...
Attached screenshots: epiphany-poor.jpg, firefox-good.jpg, epiphany-doxpara.jpg
lotuseclat79 (Distinguished Member with 21,345 posts; Join Date: Sep 2003; Location: -71.45091, 42.27841)
30-Jul-2008, 01:25 PM #13
Quote (Originally Posted by tomdkat):
The strange thing I'm seeing is if I access the test using the raw IP address, I'm getting results from a different DNS provided by my ISP than when I click the link on the dns-oarc.net test page. The link on the test page resolves to the same IP as is provided in the C|Net article so I'm not sure why I'm getting a total of three different DNS servers being tested. What's even stranger is the DNS servers being tested are different DNS servers than are configured, via DHCP, in my router. I'm not sure where the site is getting the DNS server addresses to use for its testing, regardless of accessing the test page using the FQDN or the IP address.

Peace...
Hi tomdkat,

I understand your concern.

I subscribe to Earthlink as my ISP, and when I connect to their servers, I get their two DNS servers, despite the fact that I am dialed in to a local portal for their service. As it so happens, I believe they have local mirrors of their major DNS servers which have a different IP address than the main DNS servers - which I found out when I ran the test at the IP address link.

What my test results revealed was interesting and yielded different results for Earthlink's DNS servers than for OpenDNS (better results all around). I sent feedback to Earthlink, and it looks like they might have half corrected the problem since the results I ran just now are Great all around for one of the DNS servers, and not as Great on one of the tests as before.

I trust the results from the ip address/test link in my previous message.

-- Tom
tomdkat (Distinguished Member with 7,127 posts; Join Date: May 2006; Location: S.F. Bay Area, CA; Experience: Intermediate)
30-Jul-2008, 03:56 PM #14
Quote (Originally Posted by lotuseclat79):
What my test results revealed was interesting and yielded different results for Earthlink's DNS servers than for OpenDNS (better results all around). I sent feedback to Earthlink, and it looks like they might have half corrected the problem since the results I ran just now are Great all around for one of the DNS servers, and not as Great on one of the tests as before.
Were the results you got for the EarthLink DNS consistent, at least? I'm finding I'm not getting consistent results for the same DNS using the same test page but different browsers (my screenshots above).

Quote:
I trust the results from the ip address/test link in my previous message.
I used that very link in two different browsers and generated the screenshots above. *sigh*

I'll give OpenDNS a try to at least see if I get any better performance from their servers. Comcast's servers tend to have slow cache refreshes which I sometimes find frustrating.

Peace...
lotuseclat79 (Distinguished Member with 21,345 posts; Join Date: Sep 2003; Location: -71.45091, 42.27841)
31-Jul-2008, 08:17 AM #15
Hi tomdkat,

It looks like when I re-run the test, it may or may not pick up the same DNS server as I have set, but usually it looks like the DNS load is off-loaded to a cluster of DNS servers, sometimes that all look Great, and at other times like not all of the DNS servers have been patched - i.e. in one server I may get POOR source port randomness.

It looks like results may vary, but the OpenDNS servers looked fully patched since on every test they came back Great for all the tests.

-- Tom
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.