
Patch DNS Servers Faster

Posted by kdawson
from the hard-times-coming dept.
51mon writes "Austrian CERT used data from one of their authoritative DNS servers to measure the rate at which the latest DNS patch (source port randomization) is being rolled out to larger recursive name servers. While about half the traffic (PDF) they receive is now using source port randomization, their data suggest that this is due to ISPs who roll out such fixes immediately. The rate of patching has fallen to disappointingly low levels since. If your ISP isn't patched, perhaps it is time to switch." After details of the DNS vulnerability leaked, researchers |)ruid and HD Moore released attack code; ZDNet's security blog has an analysis.
  • by masdog (794316) on Friday July 25, 2008 @10:43AM (#24335001)
    You don't need to switch to a new ISP if they haven't patched yet - just switch to a new DNS server such as OpenDNS.
    • How would one potentially do something like this? Is it a setting inside the modem or router's firmware?
      • Re: (Score:3, Informative)

        by Jellybob (597204)

        It'll either be a setting on your router, or if you're directly connected to the modem, you'll need to change it in the network settings on your computer.

      • by masdog (794316) on Friday July 25, 2008 @10:54AM (#24335205)

        You can change this in your DHCP or IP configuration settings on your home router or PC. On my home network, for instance, my DD-WRT router isn't running a DNS server on it, and the DHCP static DNS settings are set for my Server 2008 box and the two OpenDNS resolvers. My Server 2008 box also has its forwarders set to OpenDNS.

        That's probably more complicated than it needs to be, but better safe than sorry.

        On Windows XP, 2000, and I think Vista, you can tell Windows to ignore the DNS server settings provided by DHCP by going into the IP properties for the connection and hard coding in the IP addresses under Local Area Connection Properties > Internet Protocol Properties > Use the Following DNS Server Addresses.

        This can also be done under linux, but I don't know the particular commands for it.

        • This can also be done under linux, but I don't know the particular commands for it.

          I imagine it would vary somewhat between distros, but netconfig (requires root) seems to be pretty much the standard way of doing it.

          • Re: (Score:3, Informative)

            by gunnk (463227)
            In Ubuntu, the network icon in the upper-right corner of your screen will take you to your network settings. You can change the DNS servers there.

            I put OpenDNS right in my router configuration so it applies to my whole house. The other big benefit is that I block doubleclick whose ads always seem to make pages so slow to load. You also get some scam and phishing protection.
          • Re: (Score:2, Informative)

            by DavidSev (1108917)

            I have no idea what netconfig is meant to do, but it doesn't exist on my computer. /etc/resolv.conf is the standard way of doing it.

        • by Anonymous Coward on Friday July 25, 2008 @11:09AM (#24335519)

          I had been using OpenDNS. I stopped when I realized they were monitoring my traffic. When I go to Google, they were returning their own Google-like page, to which my browser would submit the query, and then redirect me to Google.

          I stopped using them after that discovery.

          • Re: (Score:1, Informative)

            by Anonymous Coward

            I had been using OpenDNS. I stopped when I realized they were monitoring my traffic. When I go to Google, they were returning their own Google-like page, to which my browser would submit the query, and then redirect me to Google.

            They claim they're doing this for your own good, or for the good of Dell users at least, to stop some Google / Dell conspiracy. Details [opendns.com].

          • If you get your queries redirected you either have a virus or you have mistyped Google.
            • No. OpenDNS does actually do this. You can turn it off by making an account, however. I despise it, but don't know of a better choice, since my ISP pulls the same bullshit, with no option to turn it off.
          • Re: (Score:3, Informative)

            I had been using OpenDNS. I stopped when I realized they were monitoring my traffic. When I go to Google, they were returning their own Google-like page, to which my browser would submit the query, and then redirect me to Google.

            I stopped using them after that discovery.

            Your claim that OpenDNS is "monitoring your traffic" is misleading.

            If you ping www.google.com it pings google.navigation.opendns.com (208.67.219.231). You still get the standard Google homepage and search results when you go to http://www.google.com/ [google.com] however. The odd DNS resolution for www.google.com is apparently because some software such as the Google Toolbar bypasses DNS requests, which breaks some of OpenDNS's features. (More on this below.) One apparent advantage of OpenDNS doing this is that it help

          • by gnuman99 (746007)

            That is why using ANY DNS service is a really, really bad idea. You want to have proper answers, run your own recursive name server and don't use forwards you don't trust, go to root zones directly. Every respective geek should be running that anyway. It is just so much more flexible and *faster* than trying to use ISP's DNS.

            And if this creates a problem for the root servers being hit too much, well too bad. Domain owners are paying through the nose for the ICANN fees and the registrar fees and everything e

        • >>my DD-WRT router isn't running a DNS server on it, and the DHCP static DNS settings are set for my Server 2008 box

          You are using NAT right? This doesn't protect you any more as your NAT router is still listening for those UDP 53 replies and forwarding them onto your 2008 server. So the same thing could occur.

          However, if you've put Microsoft's patch for this on your 2008 server then yes, you are protected.

          This is a nasty thing.

          Switching to OpenDNS is kind of ironic. To protect myself from someone

    • by A beautiful mind (821714) on Friday July 25, 2008 @10:55AM (#24335231)
      I digress. If an ISP didn't patch yet, it means they are incompetent. When the Debian SSL vulnerability was discovered, I sent two emails out, one to my server hosting company and one to my phone company. The server hosting company replaced their ssl cert within a day, the phone company took 4 months, meanwhile their online user gateway was open to sniffing.

      I ditched the phone company when my email didn't get a reply in a week.
      • by Darkk (1296127)

        The problem with certs and anything that impacts their servers is that they aren't quick to apply the patch no matter how critical it is. The patches have to be tested, re-tested and tested again to be sure they won't have an adverse impact on their service to the customers.

        Some are quick to apply the patches in a day while others will take weeks or even months depending on the size of their infrastructure and size of the staff to test the patches.

        Switching phone companies is your choice but I think they wanted to make sure t

        • It was an ssl cert, not a patch they had to exchange. Their ssl cert was compromised for months. Unacceptable.
          • And their ssl certificates are used between computers that need to communicate with each other. If one doesn't get the update that the other has changed its certificate, you can hit the wall. And if you have hundreds or thousands of such computers that need to talk to each other, you can imagine the nightmare.

    • DNS became slower (Score:3, Interesting)

      by sucker_muts (776572)
      Here in Belgium, I use Scarlet as my ISP.

      It seems that dns queries have become much slower. With opera I can see what urls are being requested (main page, images/flash or ads). I can see that for every new page the first thing opera does is the dns queries for all the urls. And this has become very slow from time to time.

      I've read somewhere that the randomization really slows down bind, but that the team is working on a patch to solve that.
      (I also don't understand why opera need to execute dns queri
      • Re: (Score:3, Interesting)

        by Lennie (16154)

        If it has become slower, they are probably using bind9, because it's a quick fix. After they've known for 6 months, all they could release was a quick fix. Even though the author/organisation that created/maintains bind knew about possible problems somewhere in the previous century. I'm sorry, but I've stopped using their software as much as possible.

    • by Atari400 (1174925)
      You might want to investigate https://www.opendns.com/start [opendns.com] for what you actually need to do. I use OpenDNS when I am not running in 'tor' mode.
    • by Woy (606550) on Friday July 25, 2008 @11:23AM (#24335731)

      I used OpenDNS and gave it up because it replaced firefox's feature to search google with what you type on the address bar with its own crappy search.

      • by nabsltd (1313397)

        You can fix this by changing the setting for keyword.URL [mozillazine.org] in about:config back to a Google search.

    • by Ciarang (967337) on Friday July 25, 2008 @11:25AM (#24335773)
      It always surprises me how much love there seems to be for OpenDNS on /.

      A DNS server returns you a result, or tells you that it can't resolve the domain. Instead of doing the latter, OpenDNS redirects you somewhere you didn't intend to go and attempts to hit you with some advertising. That seems more like typosquatting to me, although admittedly it's with your permission.
    • OpenDNS returns their own search page for bad lookups, rather than NXDOMAIN, breaking various things. They also send queries for www.google.com to their own server. (I wrote about this recently.) [livejournal.com]
    • >>You don't need to switch to a new ISP if they haven't patched yet - just switch to a new DNS server such as OpenDNS.

      Is this really true?

      From what I gather this doesn't solve the problem, just makes it a little more difficult. Correct me if my understanding is wrong.

      Your router still uses default of 53 -> OpenDns -> public on random port.

      UDP

      You still listen on 53, so the hacker can spoof the response as though it's from OpenDNS's two IP's and send that straight to your router on port 53.

      Am I w

    • Re: (Score:3, Informative)

      by maztuhblastah (745586)

      You don't need to switch to a new ISP if they haven't patched yet - just switch to a new DNS server such as OpenDNS.

      Please don't do that.

      I don't think OpenDNS is a terribly good idea, and here's why:

      They actively screw with the records and return incorrect information. Now you can argue that they do it for "OK" reasons, and indeed, OpenDNS does exactly this in their marketing materials, but the fact remains: they answer some queries with information that is in conflict with the authoritative nameservers.

      Personally, I don't trust any DNS provider that does this, and I don't think it's a good idea for anyone to do so.

      Use

    • by Niten (201835)

      No, do NOT switch to OpenDNS:

      1. It breaks the DNS spec by not returning NXDOMAIN for non-existent domains. This may interfere with using DNS blacklists, etc.
      2. It redirects your Google traffic through OpenDNS's own servers, which should raise a million red flags.

      Yes, switch to a DNS provider that provides source port randomization, if your ISP's DNS servers do not. But no, don't switch to an untrustworthy one out of desperation.

    • primary: 4.2.2.1 secondary: 4.2.2.2

      YMMV, but I found it much faster (in terms of pageloads) than OpenDNS's.
      • by Wingnut64 (446382)

        The same here (.3 and .4 are also DNS servers). Far more reliable than my ISP, and lower latency to boot. Sadly, I just checked and they don't seem to be randomizing the source ports...

      • by macdaddy (38372)
        This is only a very short-term fix. L3 has already said that they will block non-customer access to their recursive name servers. They should have done it years ago and didn't.
  • Am I safe? (Score:1, Insightful)

    by Anonymous Coward

    How can I know if my ISP has patched its DNS servers?

  • Monopoly (Score:5, Insightful)

    by Anonymous Coward on Friday July 25, 2008 @10:48AM (#24335095)

    If your ISP isn't patched, perhaps it is time to switch.

    My ISP has a monopoly over internet services in my area you insensitive clod.

  • by Anonymous Coward

    Fortunately my domain name is not recursive therefore I am safe.

  • Don't we already all have our own patched DNS servers at home?
    • by Lennie (16154)

      Don't trust them if yours is behind a simple DSL-router with NAT. The NAT may defeat any randomisation you might have.

      • by gnuman99 (746007)

        Behind Linux NAT
        ===============

        $ dig +short porttest.dns-oarc.net TXT
        z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
        "aaa.bbb.ccc.ddd is GOOD: 26 queries in 2.2 seconds from 26 ports with std dev 20143.31"

        Clean, without NAT
        ==================

        z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
        "123.123.123.123 is GOOD: 26 queries in 1.3 seconds from 26 ports with std dev 17930.62"

        Conclusion
        ==========

        So, your comment is not quite correct.

        • by Lennie (16154)

          I said _may_ defeat any randomisation and I said simple DSL-router, Linux is not such a thing.

      • by mortonda (5175)
        Which is why you should test it [dns-oarc.net]
  • time to switch? (Score:4, Insightful)

    by Dunbal (464142) on Friday July 25, 2008 @10:58AM (#24335309)

    If your ISP isn't patched, perhaps it is time to switch.

    Thanks to the "free market economy" in my capitalist country I can't switch, you insensitive clod!

    • At first, you were probably free to choose between a 1 year contract for x$ per month, and no contract for x$+10$ per month. Yes, it's capitalist, but you were free at first, and you have told yourself "nah, I'm not gonna pay 120$ more for the year just in case I'd like to change ISP..."
      • by Shados (741919)

        No. For many people its more a choice between "Evil ISP XYZ, and Pigeon over IP and/or dial up".

        That said, my ISP enrolled me in a "contract" without ever once mentioning it. (It -is- optional, and I never said I wanted it when I subscribed, and I didn't sign anything, but my bill states that I picked the contract option). Kind of amusing.

        I'm not saying anything now because it is cheaper, I don't care even if I -was- on contract, and they wouldn't last very long in court if I ever changed my mind, but...

  • by BDaniels (13031) on Friday July 25, 2008 @10:59AM (#24335331) Homepage

    We use AT&T (formerly Bellsouth) and their servers are not fixed according to the 'dig +short porttest.dns-oarc.net TXT' test.
    I contacted their NOC about the problem yesterday and got the following reply:

    "Patching for these servers are scheduled to begin next week."

    So, major vulnerability, two weeks advance notice, exploit code released - we'll get around to it later.

    • "Patching for these servers are scheduled to begin next week."

      Or immediately after att.com starts resolving to the IP of goatse.cx ?

  • If your ISP isn't patched, perhaps it is time to switch.

    To whom, exactly?
    Sincerely,
    A US ISP customer.

    • by Nos. (179609)
      Luckily, you can just switch your DNS servers to something like OpenDNS.
  • ISP DNS (Score:2, Insightful)

    Who uses their ISPs DNS servers? Most people probably. Well, I don't trust them. My friends and I run a recursing nameserver that we access over a VPN link.

    ISPs just aren't trustworthy.

  • Oops. (Score:5, Funny)

    by Chameleon Man (1304729) on Friday July 25, 2008 @11:19AM (#24335679)
    I tried to RTFA, but upon clicking the link I was directed to a porn site.
    • by otmar (32000)

      For once, I can check how many people have really RTFA (or at least fetched the .pdf). :-)

      I really didn't expect we'd make slashdot with that report. Well, any exposure helps to get people to patch.

  • by foo fighter (151863) on Friday July 25, 2008 @11:22AM (#24335715) Homepage

    These kinds of systems are really hard for security guys to get changed.

    It's like updating switch and routing firmware. Most network engineers who know what they're doing and that have been around for awhile have been burned by "simple" or "easy" patches and config changes going tits up.

    When your core network infrastructure goes tits up your phone tends to light up like a christmas tree. (Granted, when your web presence is redirected to porn or a copy that hides an iframe exploiting customers with unpatched browsers, well, you'll maybe get some phone calls.)

    This DNS patch is a case-in-point: Microsoft's fix is rather ham-fisted and broke stuff; the BIND-Users list is full of people troubleshooting ISC's patch.

    Also, many organizations (like mine) are taking this as an opportunity to reengineer their DNS architecture. This is the perfect time to reevaluate using TSIG and DNSSEC if you don't already.

    It has only been just over two weeks since the initial "announcement". The progress so far is really amazing when you consider how big a ship the Internet is.

    • Re: (Score:3, Informative)

      by Lennie (16154)

      It's a perfect time to start using PowerDNS, djbdns or Unbound/NSD as well. :-)

    • Re: (Score:3, Funny)

      by prandal (87280)

      When your core network infrastructure goes tits up your phone tends to light up like a christmas tree.

      Not if it is an IP phone!

  • by Coolhand2120 (1001761) on Friday July 25, 2008 @11:29AM (#24335833)
    Maybe if the patch didn't require that I open up all incoming and outgoing UDP ports [securitytracker.com] on the DNS interface I could implement it faster. Seeing how most people use firewalls, it makes it really quite a bit more difficult than just "apply the patch".

    NOTE WELL: This update causes BIND to choose a new, random UDP port for each new query; this may cause problems for some network configurations, particularly if firewall(s) block incoming UDP packets on particular ports.

    I'll get this patch applied as soon as I reconfigure my entire network topology.

    • by billcopc (196330) <vrillco@yahoo.com> on Friday July 25, 2008 @11:48AM (#24336149) Homepage

      You can restrict it to a port range... even giving it access to 2048 ports gives you 2^11 randomness, which is still better than 2^0.

      The issue I'm facing, which I find terribly frustrating, is in upgrading older distros. I'm now looking at completely reinstalling a bunch of older BSD servers just to get this idiotic vulnerability resolved, because the maintainers aren't backporting the patch and upgrading BIND itself would be a royal pain. Given how DNS servers tend to run unattended for eons, I suspect this near-sightedness is responsible to a large degree for the slow patching. It's not that I don't want to patch my servers, it's that I now have to waste a day at the colo doing physical reinstalls. If it weren't for that hitch, I'd be done already!

      • 1. rsync your colo'd server os partition to your in-house test server;
        2. patch your test server;
        3. rsync your test server to your colo'd server.
        4. profit? ;-)

        As your in-house test server should be more-or-less the same as your deployed server, the rsyncs shouldn't take too long.

        Beats babysitting your server in a cold and dark datacenter.

      • by Fweeky (41046)

        I'm now looking at completely reinstalling a bunch of older BSD servers just to get this idiotic vulnerability resolved, because the maintainers aren't backporting the patch and upgrading BIND itself would be a royal pain

        I recently upgraded a bunch of FreeBSD boxes I didn't want to rebuild world on:

        portinstall dns/bind95 && (cat >>/etc/rc.conf <<EOC
        named_program="/usr/local/sbin/named"
        named_flags="/etc/namedb/named.conf"
        EOC
        ) && /etc/rc.d/named restart

        You can configure the port to replace the base bind too, but this is easier to roll back in the event of problems. Presumably the situation's similar for the other BSDs.

    • Your firewall should keep state of outgoing UDP or TCP connections. And AFAIK BIND and others don't pick a fixed source port, the problem is they reuse it.

      It's one single change on the firewalls, nobody needs to "reconfigure [their] entire network." And it should be easier if, as in most large organizations, the DNS servers are on a DMZ.

    • by molo (94384) on Friday July 25, 2008 @12:10PM (#24336489) Journal

      Maybe if the patch didn't require that open up all incoming and outgoing UDP ports [securitytracker.com] on the DNS interface I could implement it faster.

      That is not the case at all. First off, on outbound requests, the destination port is still 53. The _source_ port is what gets randomized. On inbound replies to the randomized port, your stateful firewall will see this as an ESTABLISHED connection and you can safely let it in without blindly opening up the entire UDP port space.

      You _are_ running a stateful firewall, right? It's not 1998 anymore.

      -molo

      • It would not hurt if NATting firewalls randomised all the outgoing ports, not just for DNS but everything else as well; there are probably other protocols that have similar weaknesses.
      • Every network is different. Just because it seems simple to you, does not mean it will be simple for everyone else. A lot of people's customers run hardware far older than 1998 and we the people who are supposed to patch this DNS error have to fix all the DNS servers we are responsible for, not just the easy ones.
    • ... now might be the time to look into stateful firewalls, huh?

      Well, okay, 'stateful', most modern firewalls should be able to fake a stateful connection for UDP.

    • by hairyfeet (841228)
      So if I read the link you posted correctly, what you are saying is all of us that have either older and/or cheapo routers can either just take our chances and hope or run everything on the DMZ? Man, that bites! I know I can't afford to throw my router in the trash and most of my customers have little cheapo trendnet/zonenet routers which we all know have a 0.0% chance of getting patched, so I have a feeling there is going to be a LOT of folks bitten in the ass by this. I know I just checked the website for min
  • "Austrian CERT used data from one of their authoritative DNS server to measure the rate at which the latest DNS patch (source port randomization) is being rolled out to larger recursive name servers. While about half the traffic (PDF) they receive is now using source port randomization, their data suggest that this is due to ISPs who roll out such fixes immediately. The rate of patching has fallen to disappointingly low levels since. If your ISP isn't patched, perhaps it is time to switch."

    I posted this a

  • AT&T Wireless isn't patched, according to doxpara.com. I can't exactly just switch carriers for my iPhone, though, and I can't reconfigure the network settings to use a different DNS, either. I guess I'll have a good excuse for browsing porn on it now: "But I typed google, I swear!"
  • by the_olo (160789) on Saturday July 26, 2008 @08:54PM (#24353241) Homepage

    I have an OpenSuSe 10.2 x86_64 machine and have manually upgrade-installed the x86_64 RPMs from the security announcement (http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00003.html [opensuse.org]). Yast2 has some problems due to this release being old and mirrors not available so I did a manual "rpm -Uhv".

    Still, from a traffic dump it seems that on SuSe 10.2 the caching Bind nameserver sends out queries with predictable source ports (incrementing by 1).

    Fedora's patched Bind sends from random ports (didn't run statistical randomness test on them, though).
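The traffic-dump observation above (query source ports incrementing by 1) and the porttest.dns-oarc.net output quoted earlier in the thread ("26 queries from 26 ports with std dev ...") come down to the same measurement. As an added example that is not part of the original thread, this Python script pulls the source ports of UDP/53 queries out of constructed tcpdump-style lines and classifies the resolver's behaviour; the capture lines, the IP addresses and the verdict thresholds are this example's own assumptions, not OARC's.

```python
import re
from statistics import pstdev


def make_capture(ports):
    """Build constructed tcpdump-style lines (not real traffic): one outgoing
    query per port from a resolver at 192.0.2.10 to a server at 192.0.2.53."""
    return "\n".join(
        f"12:00:{i % 60:02d}.000000 IP 192.0.2.10.{p} > 192.0.2.53.53: "
        f"{4000 + i}+ A? example.com. (29)"
        for i, p in enumerate(ports)
    )


# Three constructed cases: an unpatched resolver that reuses one port, the
# "incrementing by 1" behaviour seen in the traffic dump, and a patched one.
FIXED_CAPTURE = make_capture([32768] * 20)
SEQUENTIAL_CAPTURE = make_capture(range(32001, 32021))
RANDOM_CAPTURE = make_capture([40123, 3389, 61111, 20500, 54321, 1500, 33000,
                               48000, 9000, 62000, 25000, 12000, 58000, 4000,
                               36000, 50000, 17000, 64000, 28000, 7000])

# Matches "IP <src>.<sport> > <dst>.53: " and captures the source port.
QUERY_RE = re.compile(
    r"IP (?:\d{1,3}\.){3}\d{1,3}\.(\d+) > (?:\d{1,3}\.){3}\d{1,3}\.53: ")


def source_ports(capture):
    """Return the UDP source ports of all queries sent to port 53, in order."""
    ports = []
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m:
            ports.append(int(m.group(1)))
    return ports


def assess_port_randomization(ports, min_queries=20):
    """Summarise source-port behaviour the way the OARC porttest reports it
    (queries, distinct ports, standard deviation) and attach a verdict.
    The thresholds below are assumptions of this example, not OARC's."""
    if len(ports) < min_queries:
        raise ValueError(f"need at least {min_queries} queries, got {len(ports)}")
    unique = len(set(ports))
    spread = pstdev(ports)
    strides = {b - a for a, b in zip(ports, ports[1:])}
    if unique == 1:
        verdict = "FIXED"        # every query from one port: nothing to guess
    elif len(strides) == 1:
        verdict = "SEQUENTIAL"   # constant stride (e.g. +1): next port predictable
    elif spread < 1000:
        verdict = "NARROW"       # ports vary, but only inside a small window
    else:
        verdict = "RANDOMIZED"
    return {"queries": len(ports), "unique_ports": unique,
            "stddev": round(spread, 2), "verdict": verdict}


if __name__ == "__main__":
    for name, cap in [("fixed", FIXED_CAPTURE),
                      ("sequential", SEQUENTIAL_CAPTURE),
                      ("random", RANDOM_CAPTURE)]:
        print(name, assess_port_randomization(source_ports(cap)))
```

On a real host the same parser can be fed the output of a tcpdump run filtered on outbound UDP destination port 53; a resolver behind a NAT device must be measured from outside the NAT, since it is the translated port that an attacker sees.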
