Watch it: Multiple DNS implementations vulnerable to cache poisoning
Jason Ede
J.Ede at birchenallhowden.co.uk
Fri Jul 11 07:54:30 IST 2008
Does anyone know if there are any patches available for this for FC7 or do I just need to download and compile a new version of bind?
Jason
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Randal, Phil
Sent: 10 July 2008 23:53
To: MailScanner discussion
Subject: RE: Watch it: Multiple DNS implementations vulnerable to cache poisoning
It looks like this vulnerability is rather serious:
http://securosis.com/2008/07/09/more-on-the-dns-vulnerability/
RedHat has released updated packages for RedHat 5.x:
http://rhn.redhat.com/errata/RHSA-2008-0533.html
"[Updated 10th July 2008]
We have updated the Enterprise Linux 5 packages in this advisory. The
default and sample caching-nameserver configuration files have been updated
so that they do not specify a fixed query-source port. Administrators
wishing to take advantage of randomized UDP source ports should check their
configuration file to ensure they have not specified fixed query-source ports."
Hooray!
I've posted comments on Dan Kaminsky's blog and elsewhere drawing people's attention to the need to check BIND config files.
Cheers,
Phil
________________________________
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Randal, Phil
Sent: 10 July 2008 13:21
To: MailScanner discussion
Subject: RE: Watch it: Multiple DNS implementations vulnerable to cache poisoning
query-source defines the IP address (IPv4 or IPv6) and optional port to be used as the source for outgoing queries from the server.
The default is a random unprivileged port.
There may, of course, be over-zealous firewall rules (or SELinux policies) which mistakenly insist that the source and destination ports are both 53, but that's plain wrong.
And dangerous.
Cheers,
Phil
--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK
________________________________
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Peter Farrow
Sent: 10 July 2008 13:07
To: MailScanner discussion
Subject: Re: Watch it: Multiple DNS implementations vulnerable to cache poisoning
If you're running a public DNS server or a DNS server for your LAN clients then these lines are an extremely good idea...
P.
Randal, Phil wrote:
Have you made sure that in named.conf there are no
query-source port 53;
query-source-v6 port 53;
lines?
Cheers,
Phil
--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK
-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jason Ede
Sent: 10 July 2008 11:15
To: MailScanner discussion
Subject: RE: Watch it: Multiple DNS implementations vulnerable to cache poisoning
I've patched some servers and they're showing good, but on one behind a firewall it's still showing as poor despite the update being run... It's running CentOS 5.1
Jason
-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of shuttlebox
Sent: 10 July 2008 09:42
To: MailScanner discussion
Subject: Re: Watch it: Multiple DNS implementations vulnerable to cache poisoning
On Thu, Jul 10, 2008 at 3:54 AM, Ken A <ka at pacific.net> wrote:
They are probably not random enough. You can look at them with
netstat or
lsof -i
OK, it's the standard deviation that is key to the result. Unique
ports but all in a row for example is of course not good.
I have now patched one server and it shows GOOD with a high std dev.
/peter
--
Robert Benchley - "Drawing on my fine command of the English
language, I said nothing."
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
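A defender-side check for the two things this thread keeps coming back to, added here as example code that is not from the thread, from BIND or from MailScanner: a scan of named.conf for query-source lines pinned to a port (the `query-source port 53;` lines Phil asks about), and a grader for observed outgoing source ports that rates a fixed port or a sequential run as POOR and a wide spread (high standard deviation, as Peter describes) as GOOD. The named.conf fragment, the port samples and the 5000 standard-deviation cut-off are constructed assumptions, not values from the thread.

```python
import re
import statistics

# Constructed named.conf fragment (not from the thread): two query-source lines
# pinned to port 53 plus one that is commented out and must be ignored.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    query-source address 192.0.2.53 port 53;
    query-source-v6 port 53;
    // query-source port 53;   -- commented out, must be ignored
};
"""

# A query-source / query-source-v6 directive that pins a numeric port.
# BIND's "port *" (choose a random port) has no digits and is not flagged.
FIXED_PORT_RE = re.compile(r"^\s*(query-source(?:-v6)?)\b[^;]*\bport\s+(\d+)\s*;")

def fixed_query_source_ports(named_conf: str) -> list[tuple[str, int]]:
    """(directive, port) for each uncommented query-source line that pins a port.
    Only // and # line comments are skipped; /* */ blocks are not handled."""
    found = []
    for line in named_conf.splitlines():
        if line.strip().startswith(("//", "#")):
            continue
        m = FIXED_PORT_RE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found

def assess_source_ports(ports: list[int], min_stdev: float = 5000.0) -> dict:
    """Grade observed outgoing source ports as the thread does: unique, widely
    spread ports (high std dev) are GOOD; a fixed port, or distinct ports that
    merely count upward, are POOR. The 5000 cut-off is assumed, not from the thread."""
    if len(ports) < 2:
        raise ValueError("need at least two observed ports")
    ordered = sorted(ports)
    sequential = all(b - a == 1 for a, b in zip(ordered, ordered[1:]))
    unique = len(set(ports)) == len(ports)
    stdev = statistics.pstdev(ports)
    good = unique and not sequential and stdev >= min_stdev
    return {"unique": unique, "sequential": sequential,
            "stdev": round(stdev, 1), "verdict": "GOOD" if good else "POOR"}

# Constructed port samples standing in for what netstat or lsof -i would list.
FIXED_SAMPLE = [53] * 8
SEQUENTIAL_SAMPLE = list(range(32768, 32776))
RANDOM_SAMPLE = [1031, 44921, 60210, 9347, 52788, 21476, 33102, 17659]
```

Feed `assess_source_ports` the source ports pulled from your own `netstat` or `lsof -i` listing of the resolver's outgoing UDP sockets; eight or more observations make the spread meaningful.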