[AusNOG] DNS Cache Poisoning Vulnerability

Noel Butler noel.butler at ausics.net
Fri Aug 8 09:02:33 EST 2008 

On Fri, 2008-08-08 at 08:39, Bob Purdon wrote: 

> I'll get the guys to check -  they assured me our DNS servers were
> upgraded a few weeks back, so this is a little strange...


Brent is correct...

# dig +short porttest.dns-oarc.net TXT @ns1.pipenetworks.com
porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"203.161.158.2 is POOR: 26 queries in 4.5 seconds from 1 ports with std
dev 0"

# dig +short porttest.dns-oarc.net 
TXT at ns2.pipenetworks.com.                                                                              
porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"203.161.158.3 is POOR: 26 queries in 4.6 seconds from 1 ports with std
dev 0"


It is possible they have made the mistake of leaving a source-port
directive in named.conf





> Bob Purdon
> General Manager,
> Managed Infrastructure,
> PIPE Networks Limited (ASX:pwk)
> 
> Phone  : +61 7 3233 9844
> Fax    : +61 7 3233 9885
> Web    : www.pipenetworks.com
> 
> Any information transmitted in this message and its attachments is
> intended only for the person or entity to which it is addressed. The
> above email correspondence should be read in conjunction with our
> standard disclaimer/terms which can be found at
> www.pipenetworks.com/docs/disclaimer.htm
> 
> ----- Original Message -----
> From: ausnog-bounces at lists.ausnog.net
> <ausnog-bounces at lists.ausnog.net>
> To: ausnog at ausnog.net <ausnog at ausnog.net>
> Sent: Fri Aug 08 08:05:06 2008
> Subject: Re: [AusNOG] DNS Cache Poisoning Vulnerability
> 
> That is quite a handy and easy to use tool.  ausnog.net's nameservers
> need patching though by
> the looks :
> 
> "Highly vulnerable.
> 
> The servers tested for AUSNOG.NET are highly vulnerable to cache
> poisoning. Immediate action should be taken to rectify the problem."
> 
> I'm sure someone on this list will be able to rectify that.
> 
> Brent
> 
> Brent Paddon
> 
> Director | Over the Wire Pty Ltd
> brent.paddon at overthewire.com.au | www.overthewire.com.au
> Phone: 07 3847 9292 | Fax: 07 3847 9696 | Mobile: 0400 2400 54 |
> Direct: 07 3503 4807
> 
> 
> 
> Kim Davies wrote:
> > Hi folks,
> >
> > A number of you have likely heard about this already, but just in
> case
> > not, this is a fairly serious issue that deserves a few minutes of
> > attention.
> >
> > Recently, it was discovered that the amount of entropy in DNS
> queries is
> > relatively low in typical DNS software implementations, making the
> > ability to spoof answers a fairly trivial exercise that can take as
> > little as a second. This can be used to poison DNS caches, and
> > ultimately introduce false data into the DNS.
> >
> > This is important on two distinctly different fronts:
> >
> > 1) Recursive name servers should have the maximum amount of entropy
> >    to provide the strongest resistance to spoofed DNS responses.
> This won't
> >    solve the problem, but helps mitigate the risk. There are
> >    patches for BIND etc. now available to randomise the source port
> of
> >    queries to aid this. To test a recursive name server you can use
> >    the tool at
> >
> >    https://www.dns-oarc.net/oarc/services/dnsentropy
> >
> > 2) For domain registrants, the authoritative name server for your
> >    domain can be affected if they also offer recursive name service.
> >    The effects of cache poisoning can therefore introduce false
> >    data into your zone. To test for vulnerable servers, there is a
> >    new tool at
> >
> >    http://recursive.iana.org/
> >
> >    The solution to this problem is to separate recursive and
> >    authoritative name service from one another.
> >
> > There is also an FAQ, focused on part 2, at
> > http://www.iana.org/reports/2008/cross-pollination-faq.html
> >
> > cheers,
> >
> > kim
> > _______________________________________________
> > AusNOG mailing list
> > AusNOG at lists.ausnog.net
> > http://lists.ausnog.net/mailman/listinfo/ausnog
> >  
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
> 
> 
> 
> 
> ______________________________________________________________________
> 
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog


--

Kind Regards,

Noel Butler

Network Administrator

L.C.P # 251002 

(http://counter.li.org)



________________________________________________________________________


This Email, including any attachments, may contain legally privileged
information, as such remains strictly confidential and is protected by
the Australian Copyright Act. You may not disseminate or reveal any part
to anyone without the authors express authority to do so. If you are not
the intended recipient, please notify sender and delete all relevance of
this message including attachments immediately. Only PDF or ODF
documents are accepted, do not send Microsoft proprietary formatted
documents - see  http://www.gnu.org/philosophy/no-word-attachments.html



________________________________________________________________________



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20080808/6bbb2d7b/attachment.html>

More information about the AusNOG mailing list