[AusNOG] DNS Cache Poisoning Vulnerability
Craig Askings
craig at askings.com.au
Fri Aug 8 09:36:40 EST 2008
Hi Brent,
There are two parts to the cache poisoning vulnerability, lack of source
port randomisation and poor transaction ID randomisation.
Those servers have been patched to fix the transaction ID randomisation
problem, but not the source port issue. Some tools test both, some don't.
But having both fixed is ideal.
If anyone has found source port randomisation patch for BIND 9.2 please
contact me off list.
Craig Askings.
On Thu, August 7, 2008 6:05 pm, Brent Paddon wrote:
> That is quite a handy and easy to use tool. ausnog.net's nameservers
> need patching though by
> the looks :
>
> "Highly vulnerable.
>
> The servers tested for AUSNOG.NET are highly vulnerable to cache
> poisoning. Immediate action should be taken to rectify the problem."
>
> I'm sure someone on this list will be able to rectify that.
>
> Brent
>
> Brent Paddon
>
> Director | Over the Wire Pty Ltd
> brent.paddon at overthewire.com.au | www.overthewire.com.au
> Phone: 07 3847 9292 | Fax: 07 3847 9696 | Mobile: 0400 2400 54 | Direct:
> 07 3503 4807
>
>
>
> Kim Davies wrote:
>> Hi folks,
>>
>> A number of you have likely heard about this already, but just in case
>> not, this is a fairly serious issue that deserves a few minutes of
>> attention.
>>
>> Recently, it was discovered that the amount of entropy in DNS queries is
>> relatively low in typical DNS software implementations, making the
>> ability to spoof answers a fairly trivial exercise that can take as
>> little as a second. This can be used to poison DNS caches, and
>> ultimately introduce false data into the DNS.
>>
>> This is important on two distinctly different fronts:
>>
>> 1) Recursive name servers should have the maximum amount of entropy
>> to provide the strongest resistance to spoofed DNS responses. This
>> won't solve the problem, but helps mitigate the risk. There are
>> patches for BIND etc. now available to randomise the source port of
>> queries to aid this. To test a recursive name server you can use
>> the tool at
>>
>> https://www.dns-oarc.net/oarc/services/dnsentropy
>>
>> 2) For domain registrants, the authoritative name server for your
>> domain can be affected if they also offer recursive name service.
>> The effects of cache poisoning can therefore introduce false
>> data into your zone. To test for vulnerable servers, there is a
>> new tool at
>>
>> http://recursive.iana.org/
>>
>> The solution to this problem is to separate recursive and
>> authoritative name service from one another.
>>
>> There is also an FAQ, focused on part 2, at
>> http://www.iana.org/reports/2008/cross-pollination-faq.html
>>
>> cheers,
>>
>> kim
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>
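The following script is an added example for this archive page; it is not code from the thread, from BIND, or from the DNS-OARC and IANA testers linked above. It makes Craig's point concrete: the UDP source port and the DNS transaction ID are two separate entropy sources, and a forged response has to match both, so their bits add. Given observed (source port, TXID) pairs, as a packet capture of a resolver's outbound queries would yield, it estimates how many bits of each field an off-path attacker must guess, treating a constant or fixed-step field as worth nothing. The three sample captures are constructed, not real traffic, and the "highly vulnerable" / "moderately vulnerable" / "good" thresholds are this script's own assumptions, not those of the online tools.

```python
"""Score the unpredictability of a resolver's outbound queries from
observed (UDP source port, DNS transaction ID) pairs.

Added example for this page; not code from the thread, from BIND, or from
the DNS-OARC / IANA testers it links. The samples below are constructed
and the verdict thresholds are this script's own assumptions.
"""
import math
import random
from typing import Dict, List, Sequence, Tuple

Query = Tuple[int, int]  # (udp_source_port, dns_txid), both 16-bit fields


def effective_bits(values: Sequence[int]) -> float:
    """Rough number of bits an off-path attacker has to guess for one field.

    A constant value, or one that advances by a fixed step (txid++), is
    worth ~0 bits: seeing one query predicts the next. Otherwise the
    observed spread is used as a lower bound, capped at the 16-bit field
    width. This is a heuristic, not a full statistical test.
    """
    if len(set(values)) <= 1:
        return 0.0
    steps = {(b - a) & 0xFFFF for a, b in zip(values, values[1:])}
    if len(steps) == 1:
        return 0.0
    return min(16.0, math.log2(max(values) - min(values) + 1))


def assess(queries: Sequence[Query]) -> Dict[str, object]:
    """Combine the two fields the way the attacker must: both have to match
    before a forged response is accepted, so their bits add."""
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    port_bits = effective_bits(ports)
    txid_bits = effective_bits(txids)
    total_bits = port_bits + txid_bits
    # Assumed thresholds: losing either field leaves only ~16 bits, which
    # is the "highly vulnerable" case the thread is discussing.
    if port_bits < 8.0 or txid_bits < 8.0:
        verdict = "highly vulnerable"
    elif total_bits < 28.0:
        verdict = "moderately vulnerable"
    else:
        verdict = "good"
    return {
        "port_fixed": len(set(ports)) == 1,
        "port_bits": round(port_bits, 2),
        "txid_bits": round(txid_bits, 2),
        "total_bits": round(total_bits, 2),
        # Mean forged responses needed to win one race, ignoring
        # birthday-style tricks: half the guess space.
        "mean_guesses_per_race": int(2 ** total_bits / 2),
        "verdict": verdict,
    }


# --- constructed captures (not real resolver traffic) -------------------

def legacy_resolver(n: int = 200) -> List[Query]:
    """Fixed source port and a txid that simply increments (masked to 16 bits)."""
    return [(32768, (0xFF00 + i) & 0xFFFF) for i in range(n)]


def txid_only_patched(n: int = 200, seed: int = 1) -> List[Query]:
    """Random txid but still a single source port: the 'patched for
    transaction ID, not for source port' case Craig describes."""
    rng = random.Random(seed)
    return [(32768, rng.getrandbits(16)) for _ in range(n)]


def fully_patched(n: int = 200, seed: int = 2) -> List[Query]:
    """Random txid and a random ephemeral port (1024-65535) per query."""
    rng = random.Random(seed)
    return [(1024 + rng.getrandbits(16) % (65536 - 1024), rng.getrandbits(16))
            for _ in range(n)]


if __name__ == "__main__":
    for name, sample in (("legacy", legacy_resolver()),
                         ("txid-only patched", txid_only_patched()),
                         ("fully patched", fully_patched())):
        print(f"{name:18s} {assess(sample)}")
```

To run it against a real resolver, replace the constructed samples with (source port, TXID) pairs read from a capture of the resolver's own outbound queries. The txid-only case scores as "highly vulnerable" even though its TXIDs are fully random, which is exactly why the thread stresses fixing both fields.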