Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

DNS Cache Poisoning Update

Posted by Zonk on Fri Apr 08, 2005 12:27 PM
from the trustno1 dept.
Security The Internet IT
dhammabum writes "Todays SANS internet storm handler has put up an excellent update of the DNS poisoning vulnerability currently doing the rounds. The main points are that only Windows DNS servers are vulnerable (degrees of vulnerability depending on patch level), provided you are not running an ancient version of bind. Also bind4 and bind8 do not clean poisoned caches if they receive them from a poisoned Windows DNS server but bind9 does."
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

DNS Cache Poisoning Update 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Informative Links: (Score:5, Informative)

    by TripMaster Monkey (862126) * on Friday April 08 2005, @12:28PM (#12177889)

    In the interest of promoting discussion, there is a good definition of DNS poisoning here [wikipedia.org], and a longer explanation/rant regarding DNS poisoning here [cr.yp.to].

    • Re:Informative Links: (Score:4, Informative)

      by TripMaster Monkey (862126) * on Friday April 08 2005, @12:31PM (#12177928)
      Hmm...the # sign in the second link doesn't seem to work...sorry...try this [cr.yp.to] link instead.

    • Re:Informative Links: (Score:2, Informative)

      by Anonymous Coward
      Yes, what DJB is actually pointing out there are *bugs* in most DNS implementations, that do not exist in his djbdns package.

      djbdns is, and always has been, immune to cache poisoning.

      It is also simpler, much easier to use and maintain, and so much more reliable than BIND or Windows DNS. It also has never had a buffer overflow or other security problem.

      If you're running another DNS package, and *especially* BIND, go to the nearest mirror and ask yourself "Why am I putting my users at risk? Why am I using

      • Re:Informative Links: (Score:4, Interesting)

        by bigberk (547360) <bigberk@users.pc9.org> on Friday April 08 2005, @12:43PM (#12178051)
        Unfortunately djbdns is a bit awkward to install because of djb's insistence on the daemontools manager. There's nothing wrong with it, but the technique for installation is a bit awkward and certainly unlike other Unix-based server software.

        • Re:Informative Links: (Score:5, Informative)

          by ldspartan (14035) on Friday April 08 2005, @12:52PM (#12178158) Homepage
          apt-get install runit djbdns-installer
          build-djbdns
          dnscache-conf-fhs nobody nobody /etc/dnscache 127.0.0.1
          ln -s /etc/dnscache /var/service/

          Granted, not super-simple, but certainly not hard.
          • Well, Gentoo is pretty easy to install if you know the right commands [bash.org]. In either case, though, the instructions are completely opaque to anyone who doesn't already know that system inside and out.

            built-djbdns? Oh, that's right - it's not Free Software so Debian can't package it.

            Something about configuring DNS. Maybe to run as "nobody", I presume. I guess we're setting up a cache directory in /etc? Something or another about localhost.

            /var/what?

            I'm not trying to slag on you, but those aren't exa

      • Re:Informative Links: (Score:4, Interesting)

        by nothings (597917) on Friday April 08 2005, @12:50PM (#12178141) Homepage
        Reposting from the previous slashdot thread, responding to a djbdns user; note specifically that djb admits the forgery resistance is "quantitative, not qualitative".

        While I don't think I'm in the clear because of this, I feel better protected from the (unwashed ;)) internet.

        That seems fairly reasonable. I don't think you're really protected from poisoning, unless "poisoning" only applies to certain kinds of DNS spoofing. Specifically, first note the exceptions to the djbdns security guarantee (emphasis mine):

        • Bugs outside of djbdns, such as OS bugs or browser bugs. (People could seize control of BIND 9.1 through an OpenSSL buffer overflow, but that was a bug in OpenSSL, not in BIND.)
        • The vulnerability of DNS to forgery [cr.yp.to]. (BIND's port reuse makes blind forgery much less expensive, but this is a quantitative difference, not a qualitative difference. The DNS architecture needs cryptographic protection.)
        • Denial-of-service attacks. (BIND 9's fragility makes denial of service completely trivial; but an attacker can easily take down the Domain Name System without using any of BIND's bugs. The DNS architecture needs to be decentralized.)

        Specifically, his forgery page points out that a spoofing attack based on the birthday paradox can still work... although probably tens of millions of packets are required. This page [securityfocus.com], which I think I got off slashdot before, uses the TCP sequence-number guessing tools to try to attack it. It's probably not quite as secure as djb estimates, but probably still in the millions. They don't seem to have actually run numbers for the randomized-port plus randomized-id, so it's unclear whether they actually attacked that thoroughly.

      • Re:Informative Links: (Score:5, Informative)

        by carpe_noctem (457178) on Friday April 08 2005, @12:56PM (#12178206) Homepage Journal
        DJB is going to turn into the next RMS if he doesn't stop spouting at the mouth with how inferior all of his competitor's software is. Even his documentation is arrogant, for chrissakes.

        And I'm sorry, but bind9 isn't that complicated. I found djbdns to be much clunkier and difficult to set up. Like all of DJB's software, it relies on retarded configuration files and bizarre notation.

        Don't get me wrong here; I'm a qmail admin myself and I love it, but I dislike it when people talk about his software like it was written by Moses and God and given to mankind for all of eternity. It may be pretty stable and secure, but it lacks common usability and many features of other, traditional DNS software.
      • First, djbdns isn't Free Software, which means that a lot of us won't touch it with a ten-foot pole. See the recent BitKeeper debacle for reasons why that's the pragmatic rationale and not just an ideological decision.

        so much more reliable than BIND

        I have never, not once, ever had BIND fail. I doubt I'm the best DNS admin anywhere, so I imagine it works well for a lot of other people as well.

        Why am I putting my users at risk?

        Because my secondary DNS servers, provided by my registrar, are out of my control. I can't install rsync on them to support the functionality that Dan left out of djbdns.

        If you're a DNS admin, don't waste your time with bugs from the 1990's.

        I'll agree with that. Upgrade to the most recent version of BIND and get on with life. OpenBSD's support of that policy is a pretty strong endorsement.

        • First, djbdns isn't Free Software, which means that a lot of us won't touch it with a ten-foot pole. See the recent BitKeeper debacle for reasons why that's the pragmatic rationale and not just an ideological decision.

          There is a HUGE difference between BitKeeper and DJB's copyrighted software. DJB's software is distributed as source code without any "license". This means that you will always have the option of using, modifying and distributing patches for any released version. He can't suddenly take t
          • DJB's software is distributed as source code without any "license".

            Which also means that you can't distribute anything but patches even if you wanted to. Forget about making it part of an OS base distribution, or using any his the proclaimed "better" code to improve any other projects. Basically, it's a proprietary product that happens to ship with source.

            Put another way, I could theoretically provide instructions for replacing Windows' HTML renderer with Gecko, but that doesn't mean that it's a Free (or even Open Source) system.

            I understand your point, truly, but I just don't agree with it.

            djbdns includes an AXFR server.

            That doesn't do much for those who need IXFR.

              • I am curious why it is you need IXFR. What kind of network do you have the is unable to send or receive entire zones via AXFR?

                Two words: dynamic DNS.

                There are a lot of little single-entry updates to some of our zones, and IXFR transmits only the changed entries to the slaves.

                How come your zone files are so big, and how come you network is too slow to transfer entire zone files?

                Reverse that: even though our zone files aren't terribly big, why would we want to transfer the whole thing each time? It's the difference between sending a patch file instead source tarball for every update. Isn't efficiency supposed to be a good thing, even when it's not absolutely necessary?

      • Re:Informative Links: (Score:2, Informative)

        by Anonymous Coward
        If that DJB bloke weren't so damn arrogant, many admins would have much less of a problem with using his software.
    • This is great at explaining what this is, but why could this happen?

      Is this a poor implementation of the DNS spec, or is the DNS spec itself to blame for allowing such "poisoning" to occur?

      In my experience, software issues occur for one of two reasons:

      1. "Broken" code: The code doesn't do what you think it should- for instance, a function is supposed to return the sum of two numbers but it returns the difference. These errors are actually not that common in my experience (probably because it is easy to tes

      • Re:Informative Links: (Score:5, Insightful)

        by cmacb (547347) on Friday April 08 2005, @02:37PM (#12179322) Homepage Journal
        In my experience, software issues occur for one of two reasons:
        (1) "Broken" code:.....

        (2) Bad communication / misuse of code:....

        You left one out:

        (0) Bad Design: The code does everything you intended it to do and the users are using it properly, but you didn't think of all the possible states in which the code could find itself and decide what to do about them.

        This is often lumped in with (1), but shouldn't be IMHO. It's one reason I think that comments in code are valuable (as are formal design documents) since it forces the person, or people doing the design and coding to restate their intentions in at least a couple of different ways.

        I have written and worked with well written specs and they tend to reduce the number of pure coding errors by leaving less to the imagination of the coder. Well written specs can still fail to account for all possibilities however and that's a good reason to have meaningful design discussions (rather than the formally mandated ones that people attend these days in body but not mind).

        There are many people today who think of themselves as ace coders. The world would do well to have more people who are design experts who don't practice coding at all. The two disciplines complement one another well.
          • He's talking about a CNAME; a CNAME is like a symbolic link for DNS. That is, if you try and look up www.foo.com, it can contain a CNAME saying that www.foo.com is an alias for www.google.com. This can be really nice, because if you have many services running on one server, you can CNAME (e.g. you could have one big host, bigserver, and CNAME www.whatever.com for multiple domains to bigserver; if bigserver's address gets changed, you only need to modify one zone file).

            If a DNS server returns a CNAME reco
    • The second link already seems to show white, so [informationweek.com] not exactly a replacement but perhaps an addendum.

      CC.

    • Re:Informative Links: (Score:4, Informative)

      by tedgyz (515156) * on Friday April 08 2005, @12:42PM (#12178047) Homepage
      Thanks for the info, but, to coin a phrase, "Where's the beef?" I went to the wiki page hoping to get a clearer understanding, but was left feeling like I had just read a Microsoft help page.

      To sum up...

      DNS Cache Poisoning: DNS Cache Poisoning is the process by which a DNS Server's cache is poisoned.

      I'm not trying to flame. Are there more in depth explanations? Don't worry, I'm not planning on writing a DNS poison worm. :-)
      • djbdns dvides what BIND does into two entirely separate programs. One, tinydns, is authoratitive for its specific domains and nothing else. It might even drop all requests for anything else, I am not sure. The second program, dnscache, queries other, authoratative, name servers, and returns complete dns lookups. It will only query authoratative name servers; it will discard responses that are not authoratative.

        DJB makes a big point in his documentation for djbdns about this. I get the impression that
      • I'm not trying to flame. Are there more in depth explanations? Don't worry, I'm not planning on writing a DNS poison worm. :-) For the love of all things holy, I'd seriously hope your not trying to write a DNS poison worm without years of prior experience with the DNS architecture. No telling what would happen :)

      • Simple explanation (Score:5, Informative)

        by Otto (17870) on Friday April 08 2005, @02:16PM (#12179124) Homepage Journal
        DNS Poisoning is possible because of the way some DNS servers work.

        When you want to lookup a site, you send a request to your DNS server, which then does the lookup and returns the results to you.

        Say you need to know the address to www.yahoo.com. You ask the DNS server for it. It doesn't know, so it looks at what it does know. In the simplest case, it knows the address of the DNS server for *.com, so it asks him. He replies that he doesn't know either, but that he knows *.yahoo.com's DNS records are stored at x.x.x.x. So your DNS server goes and asks x.x.x.x. He does know where www.yahoo.com is, tells your DNS server, who then sends you back the address.

        Typically, a DNS Server is running for a lot of users at once, so it improves speed by caching the results of these queries. So if you asked for www.yahoo.com again, your DNS server looks in the cache, finds that www.yahoo.com is in there, and gives you the answer right away. No need to look it up, time saved all around.

        DNS Cache Poisoning is where an attacker tricks a DNS Server into caching incorrect information. This can happen by having a rogue server setup somewhere. So say the nameserver for www.badguy.com has records that say his name is also www.yahoo.com. When you lookup www.badguy.com, and get to that point, badguy.com says "hey, this is my address, and here's some other names that I'm known by: www.yahoo.com". Your DNS Server then stores all that info in his cache. Later you lookup www.yahoo.com and get back the address for www.badguy.com instead.

        That's a slightly oversimplified way to explain it, but that's the gist of it. Somebody can trick your DNS server into giving back bad info. This is a critical security issue, because say they poison your cache and fool you into connecting to their server instead of, say, your bank's. They then give you a web page that looks just like your bank's does, you login as normal, and suddenly they have all your cash.

        Many DNS servers are immune to this. How is simple: They don't cache stuff when badguy.com says he's also yahoo.com. They always go ask who yahoo.com is and only cache that more trustworthy answer.

        However, the DNS system is setup as a hierarchy. Your DNS Server may not talk to root servers all the time, he might route all his queries through another, bigger DNS server. One of the bugs discovered here is that even if your DNS server is not vulnerable, the one just upstream of it might be, and that can propagate down to yours.

        So there you go.

  • Same article, 2010. (Score:5, Funny)

    by Silverlancer (786390) on Friday April 08 2005, @12:28PM (#12177890)
    The InfoCon is currently set at psychadelic purple-green in response to the realization that Windows is still insecure, even now that Longhorn has been out for nearly 3 years, and has reached service pack 23. We originally went to psychadelic purple-green because we were uncertain of the mechanisms that allowed seemingly "secure" systems to be vulnerable to this issue. Now, however, we know of the mechanisms--Microsoft still makes shitty products, and Windows is still buggy and vulnerable.

    In other news, water is wet.

  • Update on the Update (Score:5, Informative)

    by Hulkster (722642) on Friday April 08 2005, @12:28PM (#12177891) Homepage
    That SAN's report actually came out yesterday, the 7th, probably when the article was submitted ... and ISC uses UTC time for their postings. There's an update the next day [sans.org] (today as I write this) where ISC returns the status to Green because they understand the DNS Poisoning problem and have recommendations for people to protect themselves - although it's still an issue.

    Ironically, that same update describes Comcast's nationwide problems that started last night (US Time) and says it was caused by an equipment upgrade and not related to the DNS Cache poisoning. BUT, the problem was not network connectivity, but the DHCP's DNS Servers became unavailable. Read more at DSLReports [dslreports.com] and (from first hand experience), the work-around was fairly easy which was to manually specify the DNS server, rather than use the DHCP'd one. Comcast says [comcast.net] it was resolved about two hours ago - scroll down to the bottom of the page.

    • Thanks for the information on ComCast.

      I saw DNS failures clicking on an apple.slashdot.org link yesterday evening. It too me all of 2 minutes to switch my local dhcp-provided dns information over to an already-running djbdns dnscache sitting on my fileserver. I just recently switched away from using dnscache, hoping to simplify the home network, of course, as soon as I do it, my ISP hoses their DNS.
    • Comcast has had numerous issues with virus hitting their servers. Basically, every time that major new virus comes out, comcast gets hit; Big. They forced even the ATT/TCI unix servers over to Windows (in spite of much higher costs), so that the entire network takes it in the short.
      • Glad my suspicions were correct last night. Took forever to access a domain by URL, but once accessed, it seemed fine. And yeah, it's definitely been fixed longer than two hours, as it seemed to have been corrected earlier this morning when I checked.

        Didn't know their DNS servers were so centralized.

        Unfortunately Comcast is the only cable provider in town, and I had already become dissatisfied with local DSL offerings.

  • dnsmasq is vulnerable too (Score:5, Informative)

    by Ktistec Machine (159201) on Friday April 08 2005, @12:35PM (#12177965)
    ...at least, according to this link [lwn.net] from the lwn.net security page.

  • Y'know, people keep telling me (Score:5, Insightful)

    by Anonymous Coward on Friday April 08 2005, @12:38PM (#12177999)
    "If you don't like windows don't use it"

    Or then telling me, when they find out I don't use it, that I've somehow forfeited the right to complain about it anymore; or trying to hold Microsoft blameless for their security holes because the people who run Microsoft software do so by "choice" so its the users own fault, and they are just hurting themselves.

    But then I keep finding that despite not using Microsoft software, I get negatively impacted by it anyway. Because the Code Red slaves on the network are bombarding me with a constant light DOS looking for that index server or whatever. Because I get bombarded with email viruses and spam from zombie PCs which, while harmless to me, make my email account less useful. Because my DNS server is running Windows.

    Lovely.

    So, look at this. I am being materially negatively impacted by a company whose products I don't even buy. How, exactly, is the invisible hand of the market going to help with this?
    • So, look at this. I am being materially negatively impacted by a company whose products I don't even buy. How, exactly, is the invisible hand of the market going to help with this?

      You need to use a visible hand to get the invisible hand to work. Put together and win a class action suit, cost them lots of money. Then the price of Windows will go up, and fewer people will use it.

    • Get off the network (Score:4, Insightful)

      by jeffmeden (135043) on Friday April 08 2005, @12:59PM (#12178228) Homepage Journal
      If we were really dealing with an ideal 'invisible hand' at work, the smart, money-saving people would leave 'the' internet and start their own security-required network, which would quickly become the larger network and regain the distinction as 'the' internet, thereby forcing everyone on the 'old' internet to get secure in order to join up. But that doesn't happen, does it. Sadly, the invisible hand is only good at two things, truly open marketplaces, and giving you the finger.

    • Mod Parent Up (Score:5, Informative)

      by Daedala (819156) on Friday April 08 2005, @01:00PM (#12178234)
      It's an externality. [schneier.com] The invisible hand of the market isn't going to fix things for you
    • Did you bother to read the SANS report? Windows 2000 Sp3+ and Windows Server 2003 DNS servers are NOT affected by this attack. YOu ain't running a 4 year old version of Linux, Unix or MacOS X are you?

    • Re:Y'know, people keep telling me (Score:4, Insightful)

      by wren337 (182018) on Friday April 08 2005, @01:39PM (#12178686) Homepage

      The invisible hand of the market has never been any good at managing companies who damage their environment, wether it be pollution, overfishing, or zombie PCs spewing out packets. That's why we balance capitalism with rules and regulations.

  • Last night... (Score:5, Informative)

    by bhsx (458600) on Friday April 08 2005, @12:40PM (#12178023)
    Last night I couldn't reach google, comcast.net (my GF's email[although I warn her everyday about relying on ISP-based email{lock-in and all that...}]), yahoo, and a number of other sites. Strangely, Happypenguin, slashdot and sourceforge all worked just fine. I figured it must have been dns issues and kind of assumed it was this poisonning that's been happenning. Needless to say, it was annoying as hell. Add to that; 800-comcast and 888-comcast were giving fast busy signals, so their call center was being DDOS'd by a swarm of angry customers.
  • Could it be coincidence that Comcast is currently experiencing DNS issues? [slashdot.org] Probably.. but it makes me wonder.

  • From the Internet storm-in-a-teacup dept... (Score:5, Informative)

    by Eyeball97 (816684) on Friday April 08 2005, @12:53PM (#12178167) Homepage

    From the article:

    "On Windows 2000 SP3 and above, the DNS server DOES protect against DNS cache pollution by default. The registry key to protect against the poisoning is not necessary: the value is TRUE if the registry key does not exist"

    In other words, many or most 2000 installations should be secure against pollution if their admins posess the slightest clue.

    "Windows DNS --> forwarding to BIND4 or BIND8. Windows DNS server assumes that BIND scrubs out the poisoning attempt. BIND4 and BIND8 do NOT appear to scrub the attack. Windows DNS trusts the data and the Windows DNS cache will become poisoned."

    So much for "only affects MS servers" although the article does mention, and plays down ("ancient versions") the bind4/8 vulnerabilities.
    I'm left wondering how many admins have their dns servers in forwarding mode, and how many of those are forwarding to bind4/8 servers? Very few, I'd think.

    It's important to note, from what I've understood of it so far, that this exploit only affects the "MS server forwarding it's requests to a bind4/8 server" scenario which I would think, would be a pretty negligible number of DNS servers?!

    Another interesting thing that caught my eye, was "On Windows 2000, you should manage the DNS cache protection security setting through the DNS Management Console. On Windows 2000 below SP3, the "Secure cache against pollution" is not the default so you should enable it using the DNS Management Console.
    An admin who didn't already do this is dumb beyond belief, hardly a MS problem! Blaming it on MS is akin to blaming Ford if you forget to lock the door on your car. If you're a DNS admin and didn't think to check your configuration for this very old vulnerability it's time you hung up your admin hat!

    For the record, I'm no more a fan of Windows than I am of *nix - but how much you wanna bet this post'll raise 80% MS bashing comments, 10% "funny" comments, and maybe 10% useful DNS Admin comments?

    • Re:From the Internet storm-in-a-teacup dept... (Score:5, Insightful)

      by AK Marc (707885) on Friday April 08 2005, @01:08PM (#12178313)
      Blaming it on MS is akin to blaming Ford if you forget to lock the door on your car.

      Nah, It'd be like blaming Ford if they sold all cars without oil in them and had, on page 545 of the 2000 page manual, directions to add oil before use.

      Sure, they tell you and it is documented, but you shouldn't have the server install insecurely by default. The default should be secure, and then you need to enable the services you need. Less user friendly, more secure - that is why it isn't adopted by MS. They made a conscious decision to make it insecure (but easier to use). That is why MS bashing is justified.

      • Re:From the Internet storm-in-a-teacup dept... (Score:2, Informative)

        by Anonymous Coward
        Except you are wrong. Go back and re-read the article.

        WRT DNS poisoning, Windows DNS servers have been secure by default since Windows 2000 SP3. The only vulnerability exists if they are getting already poisoned data from a vulnerable server (BIND4/8) used as a forwarder.

    • Re:From the Internet storm-in-a-teacup dept... (Score:2, Informative)

      by Anonymous Coward
      "In other words, many or most 2000 installations should be secure against pollution if their admins posess the slightest clue."

      Actually, no clue needed. Win2k DNS server has since SP3 made this the default setting. Win2003 DNS server also makes this the default setting.

      So, zero action is required by Windows DNS admins, unless for some reason they are running Win2k pre-SP3, or NT4. Even with these older versions of the OS, a single setting change secures the box from DNS poisoning.

  • DNS poisoning? (Score:3, Funny)

    by Nom du Keyboard (633989) on Friday April 08 2005, @12:56PM (#12178203)
    DNS poisoning?
    What DNS poisoning?
    Isn't this www.NerdsMeetingExcitingGirlsOnLine.org?

  • link with explanations (Score:4, Informative)

    by Anonymous Coward on Friday April 08 2005, @01:02PM (#12178262)
    Here is a good explanation at security focus

    http://www.securityfocus.com/guest/17905 [securityfocus.com]

  • Additional Bind 9 security (Score:3, Informative)

    by Anonymous Coward on Friday April 08 2005, @01:05PM (#12178276)
    Even if you are already running Bind 9, you should consider reading Rob Thomas' Secure BIND Template [cymru.com] for how to best configure bind.
  • Why is anyone still using Bind 4? Is there any justifiable reason for doing so other than sheer stupidity or laziness?
        • On Windows it's *select* not *deselect*

          Windows is insecure by default. Also that option isn't obvious at all.

          There are other reasons I won't use Windows DNS but this doesn't help...

  • When will the world learn to stop using BIND?
    • I'm a comcast customer, and fucked with my linux router for about an hour last night trying to figure out what the blue hell was going on.

      It has a habit of just shitting out every time my dhcp lease expires, rather than refreshing it and moving on with life, so I figured that was it, or perhaps dnsmasq (which I use to proxy for my lan) got fubared.

      Eventually I just plugged my cablemodem into a windows box, since they "just work" without fighting a bunch of resolv.conf or /etc/conf.d crap, and it had the s
      • They could have had their dhcp servers send out, at least temporarily, a good upstream DNS server, rather than piss off umpteen billion customers.

        There is no such thing as a "good upstream DNS server". There are authoritative DNS servers and there are DNS caches (also called resolvers). The root DNS servers are authoritative only. You cannot use them to resolve DNS queries.

        If you want to resolve queries you need to run a DNS cache, use your ISP's, or use one somewhere else that someone left open. Run

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.