[AusNOG] DNS Cache Poisoning Vulnerability

Bob Purdon Bob.Purdon at staff.pipenetworks.com
Fri Aug 8 08:39:39 EST 2008


I'll get the guys to check -  they assured me our DNS servers were upgraded a few weeks back, so this is a little strange...

Bob Purdon
General Manager,
Managed Infrastructure,
PIPE Networks Limited (ASX:pwk)

Phone  : +61 7 3233 9844
Fax    : +61 7 3233 9885
Web    : www.pipenetworks.com

Any information transmitted in this message and its attachments is intended only for the person or entity to which it is addressed. The above email correspondence should be read in conjunction with our standard disclaimer/terms which can be found at www.pipenetworks.com/docs/disclaimer.htm

----- Original Message -----
From: ausnog-bounces at lists.ausnog.net <ausnog-bounces at lists.ausnog.net>
To: ausnog at ausnog.net <ausnog at ausnog.net>
Sent: Fri Aug 08 08:05:06 2008
Subject: Re: [AusNOG] DNS Cache Poisoning Vulnerability

That is quite a handy and easy to use tool.  ausnog.net's nameservers 
need patching though by
the looks :

"Highly vulnerable.

The servers tested for AUSNOG.NET are highly vulnerable to cache 
poisoning. Immediate action should be taken to rectify the problem."

I'm sure someone on this list will be able to rectify that.

Brent

Brent Paddon

Director | Over the Wire Pty Ltd
brent.paddon at overthewire.com.au | www.overthewire.com.au
Phone: 07 3847 9292 | Fax: 07 3847 9696 | Mobile: 0400 2400 54 | Direct: 07 3503 4807



Kim Davies wrote:
> Hi folks,
>
> A number of you have likely heard about this already, but just in case
> not, this is a fairly serious issue that deserves a few minutes of
> attention.
>
> Recently, it was discovered that the amount of entropy in DNS queries is
> relatively low in typical DNS software implementations, making the
> ability to spoof answers a fairly trivial exercise that can take as
> little as a second. This can be used to poison DNS caches, and
> ultimately introduce false data into the DNS.
>
> This is important on two distinctly different fronts:
>
> 1) Recursive name servers should have the maximum amount of entropy
>    to provide the strongest resistance to spoofed DNS responses. This won't
>    solve the problem, but helps mitigate the risk. There are
>    patches for BIND etc. now available to randomise the source port of
>    queries to aid this. To test a recursive name server you can use
>    the tool at
>
>    https://www.dns-oarc.net/oarc/services/dnsentropy
>
> 2) For domain registrants, the authoritative name server for your
>    domain can be affected if they also offer recursive name service.
>    The effects of cache poisoning can therefore introduce false
>    data into your zone. To test for vulnerable servers, there is a
>    new tool at
>
>    http://recursive.iana.org/
>
>    The solution to this problem is to separate recursive and
>    authoritative name service from one another.
>
> There is also an FAQ, focused on part 2, at
> http://www.iana.org/reports/2008/cross-pollination-faq.html
>
> cheers,
>
> kim
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>   
_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20080808/a669a2c4/attachment.html>


More information about the AusNOG mailing list