[aklug] Re: DNS Exploit

From: Jenkinson, John P (SAIC) <John.Jenkinson@bp.com>
Date: Thu Jul 10 2008 - 03:35:36 AKDT

Very good points.
What I was attempting to say is if any DNS server used to resolve a name is vulnerable then there's a possibility the response can be poisoned.
Also,
changing the behaviour of ports in use by dns/bind can cause more problems than the patch fixes. SELinux is being reported to cause problems after the patch.
Also,
reports are that Checkpoint reorders the ports in sequential order if application intelligence is not turned on. So you patch, fix SELinux, then the ports used out of the firewall are sequential.
DNS is a high value service. Patching should be tempered with caution.
BUT the vulnerability was significant enough to get cooperation of lots of vendors like Microsoft and ISC to cooperate on the patch release.

-----Original Message-----
From: Arthur Corliss [mailto:acorliss@nevaeh-linux.org]
Sent: Thursday, July 10, 2008 1:16 AM
To: Jenkinson, John P (SAIC)
Cc: aklug
Subject: Re: [aklug] Re: DNS Exploit

On Wed, 9 Jul 2008, Jenkinson, John P (SAIC) wrote:

<snip>

> BUT your upstream DNS server can still be vulnerable and pass you the
> "poisoned" DNS response from their cache.
> So in theory a bad person can monitor traffic, capture the request ID and
> port, respond with a response that steers your bank transaction to their
> site instead of your bank's. They just have to beat the real response.
> Bottom line (imho) the ends are still vulnerable if the patch is applied
> in the middle.

For most people running caching DNS on their local network, upstream DNS
from an ISP is typically irrelevant since they'll be walking the root
servers. You'd have to specifically configure your DNS server to forward
queries to an upstream DNS server, something I've only seen in the rarest
of circumstances since the value of doing so is minimal.

Also consider that most poisoning attempts are actually done (from the
reports I've read) from bots not in a position to monitor traffic. Let's
face it: barring a DNSSEC implementation they'd own you outright if they
could, since they'd have *everything* they need to fake a response in a
heartbeat. Most will try to do some stealth floods of response packets
after some initial probes in the hopes of hitting something valid. With
most responses coming and going from well known ports, it took a lot of
the guess work out of the equation.

Considering all that, if people updated their local DNS they'd be almost
as hard to hit as the clients they serve.

> i.e. it's more of a client issue than media reports to date might
> indicate.

That's not actually true. Bear in mind that most resolvers in clients
*do* use randomized high-number ports as the source port of the request,
especially on *NIX systems where the average user is an unprivileged user
and doesn't have the rights to use a low number port in the first place.
That makes the client a much harder target to hit than the DNS server in
the first place.

         --Arthur Corliss
           Live Free or Die
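The thread turns on one question: how predictable are the source port and transaction ID of a resolver's outbound queries, since a blind spoofer has to guess both, and a NAT that rewrites ports into a sequential run (the Checkpoint behaviour mentioned above) hands the port back to the attacker. The script below is an added example, not code from either poster. It takes (source port, TXID) pairs as you would pull them from a capture of a resolver's outbound queries, classifies the port behaviour as fixed, sequential or randomized, and estimates how many blind forged responses an attacker would need for a 50% chance of matching one lookup. The observations are constructed inline to mimic the three behaviours; the usable ephemeral range (1024..65535), the single-guess-per-packet attacker model and all function names are assumptions of this example.

```python
"""Estimate a resolver's exposure to blind DNS response spoofing from the
(source port, transaction ID) pairs it uses on outbound queries.

Added example: not code from the thread. Observations are constructed
below to mimic three behaviours discussed in the thread: a single fixed
source port, ports rewritten into a sequential run by a NAT device, and
randomized ports.
"""
import math
import random
from collections import Counter

TXID_SPACE = 65536                 # 16-bit DNS transaction ID
EPHEMERAL_PORTS = 65535 - 1024 + 1 # assumption: 1024..65535 usable


def entropy_bits(values):
    """Shannon entropy of the observed values in bits. Sample entropy is
    capped at log2(len(values)), so treat it as a lower bound."""
    n = len(values)
    counts = Counter(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_sequential(ports):
    """True when every observed port is exactly one above the previous one,
    the pattern a port-rewriting firewall can produce."""
    if len(ports) < 2:
        return False
    return all(b - a == 1 for a, b in zip(ports, ports[1:]))


def forged_packets_for(p_success, port_space, txid_space=TXID_SPACE):
    """Number of blind forged responses needed so that the chance of at
    least one matching (port, txid) reaches p_success.
    Assumption: each forged packet guesses one pair uniformly at random,
    independently of earlier guesses."""
    per_packet = 1.0 / (port_space * txid_space)
    return math.ceil(math.log(1.0 - p_success) / math.log1p(-per_packet))


def assess(observations):
    """observations: list of (source_port, txid) from one resolver.
    Returns a verdict on port behaviour plus the forged-packet budget a
    blind attacker needs for a 50% chance of beating one lookup."""
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    distinct = len(set(ports))
    if distinct == 1:
        verdict, effective_port_space = "fixed", 1
    elif looks_sequential(ports):
        # Next port is predictable from the last one seen: effectively 1.
        verdict, effective_port_space = "sequential", 1
    else:
        verdict, effective_port_space = "randomized", EPHEMERAL_PORTS
    return {
        "verdict": verdict,
        "distinct_ports": distinct,
        "port_entropy_bits": round(entropy_bits(ports), 2),
        "txid_entropy_bits": round(entropy_bits(txids), 2),
        "forged_packets_for_50pct": forged_packets_for(0.5, effective_port_space),
    }


def sample_observations(kind, n=200, seed=2008):
    """Constructed data standing in for a capture of outbound queries."""
    rng = random.Random(seed)
    txids = [rng.randrange(TXID_SPACE) for _ in range(n)]
    if kind == "fixed":
        ports = [53] * n
    elif kind == "sequential":
        ports = list(range(10000, 10000 + n))
    elif kind == "randomized":
        ports = [rng.randrange(1024, 65536) for _ in range(n)]
    else:
        raise ValueError(kind)
    return list(zip(ports, txids))


if __name__ == "__main__":
    for kind in ("fixed", "sequential", "randomized"):
        print(kind, assess(sample_observations(kind)))
```

The point the numbers make: with a fixed or sequential port the attacker is guessing only the 16-bit TXID, and tens of thousands of forged packets give even odds, which is a realistic flood inside the window before the real answer arrives. With randomized ports the same odds cost billions of packets. Run it against real capture data rather than the constructed samples, and note that a "sequential" verdict after patching is exactly the firewall symptom described in the thread.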
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Thu Jul 10 03:35:59 2008

This archive was generated by hypermail 2.1.8 : Thu Jul 10 2008 - 03:35:59 AKDT