Watch it: Multiple DNS implementations vulnerable to cache poisoning
Peter Farrow
peter at farrows.org
Fri Jul 11 09:07:40 IST 2008
Interestingly,
You can't actually escape this problem/vulnerability; you can only
reduce the chances of it happening to a level where it is not practical to
attempt on the basis of success.
The chances are determined by the number of TCP ports available.
P.
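The two checks this thread keeps coming back to, written up as an added example in Python (not code from the thread, from BIND, or from the GOOD/POOR test the posters ran): first, scan a named.conf for `query-source` / `query-source-v6` statements that pin a numeric port, which are the lines Phil says to remove; second, take the local UDP ports named is using (what `netstat` or `lsof -i` shows) and score them on unique count and standard deviation, so that a sequential allocator handing out all-unique ports still comes out POOR, as shuttlebox notes. The named.conf fragment, the netstat output, the port samples and the GOOD/POOR thresholds are all constructed assumptions, not data from the page.

```python
"""Post-patch checks for the July 2008 BIND source-port randomization fix.

Added example; not code from the mailing-list thread or from BIND. The
sample inputs and the GOOD/POOR thresholds below are assumptions.
"""
import re
import statistics
from typing import Dict, List, Tuple

# Constructed named.conf fragment (not from any real server). The two
# "port 53" lines are exactly the ones the thread says to remove.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
    query-source port 53;
    query-source-v6 port 53;
    listen-on port 53 { any; };             // listening on 53 is fine
    allow-recursion { 127.0.0.1; 192.168.0.0/16; };
};
"""

# Corrected form: "port *" (or omitting the port clause altogether) lets
# BIND pick a random unprivileged source port for each outgoing query.
FIXED_NAMED_CONF = SAMPLE_NAMED_CONF.replace(
    "query-source port 53;", "query-source address * port *;"
).replace("query-source-v6 port 53;", "query-source-v6 address * port *;")

# A query-source / query-source-v6 statement whose port clause is a number.
# Lines commented out with // or # do not start with "query-source", so they
# are not matched; /* ... */ block comments are not handled.
_FIXED_PORT_RE = re.compile(
    r"^\s*(query-source(?:-v6)?\b[^;]*?\bport\s+(\d+)\s*;)", re.MULTILINE
)


def find_fixed_query_source(named_conf: str) -> List[Tuple[str, int]]:
    """Return (statement, port) for every query-source statement that pins a port."""
    return [(m.group(1), int(m.group(2))) for m in _FIXED_PORT_RE.finditer(named_conf)]


# Local port column of UDP lines in `netstat -anu` output (IPv4 and IPv6).
_NETSTAT_UDP_RE = re.compile(r"^udp6?\s+\d+\s+\d+\s+\S+:(\d+)\s", re.MULTILINE)


def udp_source_ports(netstat_output: str, listener_ports=(53,)) -> List[int]:
    """Local UDP ports from netstat output, minus the resolver's listener port.

    On a resolver with randomized source ports, what is left are the ports
    named bound for its outgoing queries (the same sockets `lsof -i` lists).
    """
    ports = [int(p) for p in _NETSTAT_UDP_RE.findall(netstat_output)]
    return [p for p in ports if p not in listener_ports]


# Constructed `netstat -anu`-style output for a resolver mid-lookup.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 192.0.2.10:51234        198.51.100.5:53         ESTABLISHED
udp        0      0 192.0.2.10:3345         203.0.113.7:53          ESTABLISHED
udp        0      0 192.0.2.10:60012        198.51.100.9:53         ESTABLISHED
udp        0      0 192.0.2.10:17890        203.0.113.2:53          ESTABLISHED
udp6       0      0 :::53                   :::*
"""


def port_randomness(ports: List[int], min_unique_ratio: float = 0.9,
                    min_stdev: float = 5000.0) -> Dict[str, object]:
    """Score a sample of source ports the way the thread describes.

    Unique ports alone are not enough: a sequential allocator yields all-unique
    ports with a tiny spread. Both the unique ratio and the standard deviation
    must clear the thresholds (assumed values, not from the page) for GOOD.
    """
    if not ports:
        return {"count": 0, "unique_ratio": 0.0, "stdev": 0.0, "verdict": "POOR"}
    unique_ratio = len(set(ports)) / len(ports)
    stdev = statistics.pstdev(ports) if len(ports) > 1 else 0.0
    verdict = "GOOD" if unique_ratio >= min_unique_ratio and stdev >= min_stdev else "POOR"
    return {"count": len(ports), "unique_ratio": unique_ratio,
            "stdev": round(stdev, 1), "verdict": verdict}


# Constructed samples: a pinned port, a sequential allocator, random ports.
PINNED = [53] * 16
SEQUENTIAL = list(range(32768, 32768 + 16))
RANDOM = [51234, 3345, 60012, 17890, 44501, 9021, 58762, 27310,
          36474, 63001, 12222, 49876, 21750, 5567, 41388, 33099]

if __name__ == "__main__":
    for stmt, port in find_fixed_query_source(SAMPLE_NAMED_CONF):
        print(f"fixed query-source port {port}: {stmt!r}")
    print("after fix:", find_fixed_query_source(FIXED_NAMED_CONF))
    print("ports from netstat:", udp_source_ports(SAMPLE_NETSTAT))
    for name, sample in (("pinned", PINNED), ("sequential", SEQUENTIAL), ("random", RANDOM)):
        print(name, port_randomness(sample))
```

Against a real server, feed `find_fixed_query_source` the text of named.conf (or the output of `named-checkconf -p`, which prints the configuration with includes resolved) and feed `port_randomness` ports collected from `netstat -anu` over a run of lookups; a few dozen samples is enough to tell a pinned or sequential allocator from a random one, which is the difference between the POOR and GOOD results Jason and shuttlebox reported.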
Jason Ede wrote:
>
> Does anyone know if there are any patches available for this for FC7
> or do I just need to download and compile a new version of bind?
>
> Jason
>
> *From:* mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] *On Behalf Of
> *Randal, Phil
> *Sent:* 10 July 2008 23:53
> *To:* MailScanner discussion
> *Subject:* RE: Watch it: Multiple DNS implementations vulnerable to
> cache poisoning
>
> It looks like this vulnerability is rather serious:
>
> http://securosis.com/2008/07/09/more-on-the-dns-vulnerability/
>
> RedHat has released updated packages for RedHat 5.x:
>
> http://rhn.redhat.com/errata/RHSA-2008-0533.html
>
> "[Updated 10th July 2008]
> We have updated the Enterprise Linux 5 packages in this advisory. The
> default and sample caching-nameserver configuration files have been
> updated so that they do not specify a fixed query-source port.
> Administrators wishing to take advantage of randomized UDP source ports
> should check their configuration file to ensure they have not specified
> fixed query-source ports."
>
> Hooray!
>
> I've posted comments on Dan Kaminsky's blog and elsewhere drawing
> people's attention to the need to check BIND config files.
>
> Cheers,
>
> Phil
>
> ------------------------------------------------------------------------
>
> *From:* mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] *On Behalf Of
> *Randal, Phil
> *Sent:* 10 July 2008 13:21
> *To:* MailScanner discussion
> *Subject:* RE: Watch it: Multiple DNS implementations vulnerable to
> cache poisoning
>
> query-source defines the IP address (IPv4 or IPv6) and optional port
> to be used as the source for *outgoing* queries from the server.
>
> The default is a random unprivileged port.
>
> There may, of course, be over-zealous firewall rules (or SELinux
> policies) which mistakenly insist that the source and destination
> ports are both 53, but that's plain wrong.
>
> And dangerous.
>
> Cheers,
>
> Phil
>
> --
> Phil Randal
> Networks Engineer
> Herefordshire Council
> Hereford, UK
>
> ------------------------------------------------------------------------
>
> *From:* mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] *On Behalf Of
> *Peter Farrow
> *Sent:* 10 July 2008 13:07
> *To:* MailScanner discussion
> *Subject:* Re: Watch it: Multiple DNS implementations vulnerable to
> cache poisoning
>
> If you're running a public DNS server or a DNS server for your LAN
> clients then these lines are an extremely good idea...
>
> P.
>
> Randal, Phil wrote:
>
> Have you made sure that in named.conf there are no
>
> query-source port 53;
> query-source-v6 port 53;
>
> lines?
>
> Cheers,
>
> Phil
>
> --
> Phil Randal
> Networks Engineer
> Herefordshire Council
> Hereford, UK
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jason
> Ede
> Sent: 10 July 2008 11:15
> To: MailScanner discussion
> Subject: RE: Watch it: Multiple DNS implementations vulnerable to
> cache poisoning
>
> I've patched some servers and they're showing good, but on one behind a
> firewall it's still showing as poor despite the update being run... It's
> running CentOS 5.1.
>
> Jason
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of shuttlebox
> Sent: 10 July 2008 09:42
> To: MailScanner discussion
> Subject: Re: Watch it: Multiple DNS implementations vulnerable to
> cache poisoning
>
> On Thu, Jul 10, 2008 at 3:54 AM, Ken A <ka at pacific.net> wrote:
>
> > They are probably not random enough. You can look at them with
> > netstat or
> > lsof -i
>
> OK, it's the standard deviation that is key to the result. Unique
> ports but all in a row, for example, is of course not good.
>
> I have now patched one server and it shows GOOD with a high std dev.
>
> /peter
>
> --
> Robert Benchley - "Drawing on my fine command of the English
> language, I said nothing."
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by the Inexcom <http://www.inexcom.co.uk/> system
> scanner, and is believed to be clean.
> Advanced heuristic mail scanning server [-].