<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.0.9">
<TITLE>Re: [AusNOG] DNS Cache Poisoning Vulnerability</TITLE>
</HEAD>
<BODY>
On Fri, 2008-08-08 at 08:39, Bob Purdon wrote:
<BLOCKQUOTE TYPE=CITE>
<FONT COLOR="#8b6914" SIZE="2"><I>I'll get the guys to check - they assured me our DNS servers were upgraded a few weeks back, so this is a little strange...</I></FONT>
</BLOCKQUOTE>
<BR>
Brent is correct...<BR>
<BR>
# dig +short porttest.dns-oarc.net TXT @ns1.pipenetworks.com porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.<BR>
"203.161.158.2 is POOR: 26 queries in 4.5 seconds from 1 ports with std dev 0"<BR>
<BR>
# dig +short porttest.dns-oarc.net TXT@ns2.pipenetworks.com. <BR>
porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.<BR>
"203.161.158.3 is POOR: 26 queries in 4.6 seconds from 1 ports with std dev 0"<BR>
<BR>
<BR>
It is possible they have made the mistake of leaving a source-port directive in named.conf<BR>
<FONT SIZE="2"><BR>
<BR>
</FONT><BR>
<BR>
<BLOCKQUOTE TYPE=CITE>
<FONT COLOR="#8b6914" SIZE="2"><I>Bob Purdon<BR>
General Manager,<BR>
Managed Infrastructure,<BR>
PIPE Networks Limited (ASX:pwk)<BR>
<BR>
Phone : +61 7 3233 9844<BR>
Fax : +61 7 3233 9885<BR>
Web : www.pipenetworks.com<BR>
<BR>
Any information transmitted in this message and its attachments is intended only for the person or entity to which it is addressed. The above email correspondence should be read in conjunction with our standard disclaimer/terms which can be found at www.pipenetworks.com/docs/disclaimer.htm<BR>
<BR>
----- Original Message -----<BR>
From: ausnog-bounces@lists.ausnog.net <ausnog-bounces@lists.ausnog.net><BR>
To: ausnog@ausnog.net <ausnog@ausnog.net><BR>
Sent: Fri Aug 08 08:05:06 2008<BR>
Subject: Re: [AusNOG] DNS Cache Poisoning Vulnerability<BR>
<BR>
That is quite a handy and easy to use tool. ausnog.net's nameservers<BR>
need patching though by<BR>
the looks :<BR>
<BR>
"Highly vulnerable.<BR>
<BR>
The servers tested for AUSNOG.NET are highly vulnerable to cache<BR>
poisoning. Immediate action should be taken to rectify the problem."<BR>
<BR>
I'm sure someone on this list will be able to rectify that.<BR>
<BR>
Brent<BR>
<BR>
Brent Paddon<BR>
<BR>
Director | Over the Wire Pty Ltd<BR>
brent.paddon@overthewire.com.au | www.overthewire.com.au<BR>
Phone: 07 3847 9292 | Fax: 07 3847 9696 | Mobile: 0400 2400 54 | Direct: 07 3503 4807<BR>
<BR>
<BR>
<BR>
Kim Davies wrote:<BR>
> Hi folks,<BR>
><BR>
> A number of you have likely heard about this already, but just in case<BR>
> not, this is a fairly serious issue that deserves a few minutes of<BR>
> attention.<BR>
><BR>
> Recently, it was discovered that the amount of entropy in DNS queries is<BR>
> relatively low in typical DNS software implementations, making the<BR>
> ability to spoof answers a fairly trivial exercise that can take as<BR>
> little as a second. This can be used to poison DNS caches, and<BR>
> ultimately introduce false data into the DNS.<BR>
><BR>
> This is important on two distinctly different fronts:<BR>
><BR>
> 1) Recursive name servers should have the maximum amount of entropy<BR>
> to provide the strongest resistance to spoofed DNS responses. This won't<BR>
> solve the problem, but helps mitigate the risk. There are<BR>
> patches for BIND etc. now available to randomise the source port of<BR>
> queries to aid this. To test a recursive name server you can use<BR>
> the tool at<BR>
><BR>
> </FONT><A HREF="https://www.dns-oarc.net/oarc/services/dnsentropy"><FONT SIZE="2"><U>https://www.dns-oarc.net/oarc/services/dnsentropy</U></FONT></A><BR>
<FONT COLOR="#8b6914" SIZE="2">><BR>
> 2) For domain registrants, the authoritative name server for your<BR>
> domain can be affected if they also offer recursive name service.<BR>
> The effects of cache poisoning can therefore introduce false<BR>
> data into your zone. To test for vulnerable servers, there is a<BR>
> new tool at<BR>
><BR>
> </FONT><A HREF="http://recursive.iana.org/"><FONT SIZE="2"><U>http://recursive.iana.org/</U></FONT></A><BR>
<FONT COLOR="#8b6914" SIZE="2">><BR>
> The solution to this problem is to separate recursive and<BR>
> authoritative name service from one another.<BR>
><BR>
> There is also an FAQ, focused on part 2, at<BR>
> </FONT><A HREF="http://www.iana.org/reports/2008/cross-pollination-faq.html"><FONT SIZE="2"><U>http://www.iana.org/reports/2008/cross-pollination-faq.html</U></FONT></A><BR>
<FONT COLOR="#8b6914" SIZE="2">><BR>
> cheers,<BR>
><BR>
> kim<BR>
> _______________________________________________<BR>
> AusNOG mailing list<BR>
> AusNOG@lists.ausnog.net<BR>
> </FONT><A HREF="http://lists.ausnog.net/mailman/listinfo/ausnog"><FONT SIZE="2"><U>http://lists.ausnog.net/mailman/listinfo/ausnog</U></FONT></A><BR>
<FONT COLOR="#8b6914" SIZE="2">> <BR>
_______________________________________________<BR>
AusNOG mailing list<BR>
AusNOG@lists.ausnog.net</FONT><BR>
<A HREF="http://lists.ausnog.net/mailman/listinfo/ausnog"><FONT SIZE="2"><U>http://lists.ausnog.net/mailman/listinfo/ausnog</U></FONT></A><BR>
<FONT COLOR="#8b6914"><BR>
<BR>
<BR>
<HR>
<PRE>_______________________________________________
AusNOG mailing list
AusNOG@lists.ausnog.net</FONT>
<A HREF="http://lists.ausnog.net/mailman/listinfo/ausnog"><U>http://lists.ausnog.net/mailman/listinfo/ausnog</U></I></A></PRE>
</BLOCKQUOTE>
<PRE><TABLE CELLSPACING="0" CELLPADDING="0" WIDTH="100%">
<TR>
</TR>
<TR>
</TR>
<TR>
<TD>
<BR>
<FONT SIZE="2">--<BR>
<BR>
<I>Kind Regards,<BR>
<BR>
Noel Butler<BR>
<BR>
Network Administrator<BR>
<BR>
L.C.P # 251002 <BR>
<BR>
(http://counter.li.org)</FONT><BR>
<BR>
<BR>
<HR>
<BR>
<BR>
<BR>
<FONT SIZE="1">This Email, including any attachments, may contain legally privileged information, as such remains strictly confidential and is protected by the Australian Copyright Act. You may not disseminate or reveal any part to anyone without the authors express authority to do so. If you are not the intended recipient, please notify sender and delete all relevance of this message including attachments immediately. Only PDF or ODF documents are accepted, do not send Microsoft proprietary formatted documents - see </FONT><A HREF="http://www.gnu.org/philosophy/no-word-attachments.html"><FONT SIZE="1"><U>http://www.gnu.org/philosophy/no-word-attachments.html</U></I></FONT></A><BR>
<BR>
<BR>
<HR>
<BR>
<BR>
<BR>
<BR>
</TD>
</TR>
</TABLE>
</PRE>
</BODY>
</HTML>