Watch it: Multiple DNS implementations vulnerable to cache poisoning
Randal, Phil
prandal at herefordshire.gov.uk
Thu Jul 10 23:52:55 IST 2008
It looks like this vulnerability is rather serious:
http://securosis.com/2008/07/09/more-on-the-dns-vulnerability/
RedHat has released updated packages for RedHat 5.x:
http://rhn.redhat.com/errata/RHSA-2008-0533.html
"[Updated 10th July 2008]
We have updated the Enterprise Linux 5 packages in this advisory. The default and sample caching-nameserver configuration files have been updated so that they do not specify a fixed query-source port. Administrators wishing to take advantage of randomized UDP source ports should check their configuration file to ensure they have not specified fixed query-source ports."
Hooray!
I've posted comments on Dan Kaminsky's blog and elsewhere drawing
people's attention to the need to check BIND config files.
Cheers,
Phil
________________________________
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Randal, Phil
Sent: 10 July 2008 13:21
To: MailScanner discussion
Subject: RE: Watch it: Multiple DNS implementations vulnerable to cache poisoning
query-source defines the IP address (IPv4 or IPv6) and optional port to
be used as the source for outgoing queries from the server.
The default is a random unprivileged port.
There may, of course, be over-zealous firewall rules (or SELinux
policies) which mistakenly insist that the source and destination ports
are both 53, but that's plain wrong.
And dangerous.
Cheers,
Phil
--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK
________________________________
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Peter Farrow
Sent: 10 July 2008 13:07
To: MailScanner discussion
Subject: Re: Watch it: Multiple DNS implementations vulnerable to cache poisoning
If you're running a public DNS server or a DNS server for your LAN
clients then these lines are an extremely good idea...
P.
Randal, Phil wrote:
Have you made sure that in named.conf there are no
query-source port 53;
query-source-v6 port 53;
lines?
Cheers,
Phil
--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK
-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jason Ede
Sent: 10 July 2008 11:15
To: MailScanner discussion
Subject: RE: Watch it: Multiple DNS implementations vulnerable to cache poisoning
I've patched some servers and they're showing good, but on one behind a firewall it's still showing as poor despite the update being run... It's running CentOS 5.1.
Jason
-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of shuttlebox
Sent: 10 July 2008 09:42
To: MailScanner discussion
Subject: Re: Watch it: Multiple DNS implementations vulnerable to cache poisoning
On Thu, Jul 10, 2008 at 3:54 AM, Ken A <ka at pacific.net> wrote:
They are probably not random enough. You can look at them with netstat or lsof -i
OK, it's the standard deviation that is key to the result. Unique ports but all in a row, for example, is of course not good.
I have now patched one server and it shows GOOD with a high std dev.
/peter
--
Robert Benchley - "Drawing on my fine command of the English language, I said nothing."
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
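A worked check for the two points raised in this thread (no fixed query-source port in named.conf, and a wide spread of observed source ports rather than merely unique ones), added here as an example; it is not code from the thread, from Red Hat or from BIND. The named.conf fragments and the port samples are constructed for the demonstration, SPREAD_MIN is an assumed illustrative threshold rather than a published one, and the comment stripping handles only // and # comments, not /* */ blocks:

```shell
#!/bin/sh
# Added example, not from the thread or from BIND itself.
#   check_query_source FILE   print the offending lines and return 1 if the
#                             config pins query-source / query-source-v6 to a
#                             numeric port; return 0 otherwise
#   port_spread "P1 P2 ..."   print the population standard deviation (as an
#                             integer) of a list of observed UDP source ports
#   port_check  "P1 P2 ..."   return 1 if that spread is below SPREAD_MIN
# SPREAD_MIN is an assumed, illustrative threshold, not a published one.

SPREAD_MIN=${SPREAD_MIN:-1000}

check_query_source() {
    conf=$1
    # Drop // and # comments, then look for a query-source[-v6] statement whose
    # port clause is a number.  "port *" (or no port clause at all) lets BIND
    # pick a random unprivileged port, which is what we want.
    hits=$(sed -e 's|//.*||' -e 's|#.*||' "$conf" |
        grep -E 'query-source(-v6)?[[:space:]].*port[[:space:]]+[0-9]+' || true)
    if [ -n "$hits" ]; then
        printf '%s: pinned source port in:\n%s\n' "$conf" "$hits"
        return 1
    fi
    return 0
}

port_spread() {
    # $1 is a space-separated list; word splitting is intended.  Ports in a
    # run (32768, 32769, ...) give a tiny value even though each is unique.
    printf '%s\n' $1 | awk '
        { p[n++] = $1; sum += $1 }
        END {
            if (n < 2) { print 0; exit }
            mean = sum / n
            for (i = 0; i < n; i++) ss += (p[i] - mean) ^ 2
            printf "%d\n", sqrt(ss / n)
        }'
}

port_check() {
    spread=$(port_spread "$1")
    if [ "$spread" -lt "$SPREAD_MIN" ]; then
        printf 'POOR: source-port std dev %s (< %s)\n' "$spread" "$SPREAD_MIN"
        return 1
    fi
    printf 'GOOD: source-port std dev %s\n' "$spread"
    return 0
}

# Constructed named.conf fragments for the demonstration (not a real server's config).
sample_bad_conf() {
    cat <<'EOF'
options {
    directory "/var/named";
    query-source port 53;       // pinned: every query leaves from UDP 53
    query-source-v6 port 53;
};
EOF
}

sample_good_conf() {
    cat <<'EOF'
options {
    directory "/var/named";
    // query-source port 53;    <- commented out, so it must not be flagged
    query-source address * port *;
};
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    sample_bad_conf  >"$dir/bad.conf"
    sample_good_conf >"$dir/good.conf"
    for f in "$dir/bad.conf" "$dir/good.conf"; do
        if check_query_source "$f"; then echo "$f: ok"; fi
    done
    # Constructed port samples; on a live resolver collect them with
    # netstat or lsof -i while it is busy.
    port_check "32768 32769 32770 32771 32772 32773 32774 32775 32776 32777" || true
    port_check "1104 53017 27991 61312 6020 44235 15877 36604 58822 3310" || true
    rm -rf "$dir"
}

demo
```

Feed port_check a list gathered with netstat or lsof -i from a busy resolver, as suggested above; a patched server with `query-source address * port *` (or no port clause) should report a standard deviation well into the thousands, while a run of consecutive ports scores near zero even though every port in it is distinct.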