[conspire] DNS vulnerability details
Eric De MUND
ead-conspire at ixian.com
Sun Aug 3 17:58:19 PDT 2008
Hello,
OK, I believe I've completed phase 1 of 2 of eliminating my DNS vulnerability, that of fixing my SOHO network. Phase 2 will be to patch
my debian laptop which travels out into the world. Please educate me
if I've missed anything in phase 1. In particular, given "GREAT" test
results in step d, below, why might I still need to install BIND on any
of the SOHO systems behind my router?
Here at home, in phase 1:
a. I upgraded the firmware of my Linksys WRT54G v2.2 router to
"DD-WRT v24-sp1 (07/27/08) std". Though dd-wrt.com noted in [1],
"We'd like to make clear that the DD-WRT default configuration in
v23 / v24 is not vulnerable, so there was and is no risk for dd-wrt
users," their list of overall enhancements for v24 sp1 included, on
the very first line:
o DNS security fix for dnsmasq
b. I configured my router thus (">>" indicates a change, "[v]"
indicates a check in a checkbox):
Router IP
Local IP Address 10.0.0.1
Subnet Mask 255.255.255.0
Gateway 10.0.0.1
>> Local DNS 208.67.222.222 # resolver1.opendns.com
Network Address Server Settings (DHCP)
DHCP Type DHCP Server
DHCP Server (o) Enable ( ) Disable
Start IP Address 10.0.0.100
Maximum DHCP Users 50
Client Lease Time 1440 minutes
>> Static DNS 1 208.67.222.222 # resolver1.opendns.com
>> Static DNS 2 208.67.220.220 # resolver2.opendns.com
Static DNS 3 0.0.0.0
WINS 0.0.0.0
>> Use DNSMasq for DHCP [v] # these checkboxes might have
>> Use DNSMasq for DNS [v] # been selected previously; I
DHCP-Authoritative [v] # can't recall
c. I did not install BIND on any of the systems behind my router.
(Yes, a la Monty Python, "There is no step c.")
d. From all three systems behind the router (2 x debian 4.0r4 +
1 x Mac OS X 10.5.4), I ran the [Test My DNS] test at
<https://www.dns-oarc.net/oarc/services/dnsentropy>. All tests
reported:
DNS Resolver(s) Tested:
1. 208.67.219.11 (bld1.pao.opendns.com) appears to have GREAT source
port randomness and GREAT transaction ID randomness.
So, to inquire again, why am I not done with phase 1? Why might I need
to install BIND on a system behind my router?
Thanks a million,
Eric
links:
1. DD-WRT v24 SP1
http://www.dd-wrt.com/dd-wrtv3/community/developmentnews/1-common/24-dd-wrtv24sp1.html
--
"The ship be sinking."
"How far could it sink?"
"Sky's the limit."
--reporter in conversation with pro basketball player
Micheal [sic] Ray Richardson, on the New York Knicks
Eric De MUND | Ixian Systems | Jab: eadixian at jabber.org/main
ead at ixian.com | 650 Castro St, #120-210 | Y!M: ead0002
ixian.com/ead/ | Mountain View, CA 94041 | ICQ: 811788
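The "GREAT source port randomness" and "GREAT transaction ID randomness" verdicts in step d are the two properties a resolver needs against the cache-poisoning attack this thread is about: a forger who must guess both a random 16-bit source port and a random 16-bit transaction ID faces a search space of roughly 2^32 instead of 2^16. The following is an added example, not part of Eric's post or of the DNS-OARC test, showing how one could grade a sample of observed source ports and transaction IDs in the same spirit. The sample data is constructed inline, and the rating thresholds are an assumption chosen for illustration, not OARC's actual scoring.

```python
"""Grade the randomness of a resolver's DNS query source ports and
transaction IDs from an observed sample (added example; constructed data).

A sample like this could be collected on a server that the resolver under
test queries, which is how the DNS-OARC entropy test observes a resolver.
"""
import math
import random
from collections import Counter


def shannon_entropy_bits(values):
    """Empirical Shannon entropy, in bits, of a list of observed values."""
    n = len(values)
    if n == 0:
        return 0.0
    counts = Counter(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def rate_randomness(values, width_bits=16):
    """Rate a sample drawn from a width_bits-wide field (port or TXID).

    Three signals are combined:
      * unique_fraction: a fixed value (e.g. one source port for every
        query) collapses the space to a single guess;
      * sequential_fraction: a counter is fully 'unique' yet trivially
        predictable, so consecutive +1 steps are flagged separately;
      * entropy ratio: empirical entropy relative to the maximum a sample
        of this size could show (log2(n), capped at the field width).
    Thresholds are an assumption for illustration, not OARC's scoring.
    """
    n = len(values)
    if n < 2:
        raise ValueError("need at least two observations")
    modulus = 1 << width_bits
    unique_fraction = len(set(values)) / n
    deltas = [(b - a) % modulus for a, b in zip(values, values[1:])]
    sequential_fraction = sum(1 for d in deltas if d == 1) / len(deltas)
    max_entropy = min(width_bits, math.log2(n))
    ratio = shannon_entropy_bits(values) / max_entropy
    if sequential_fraction > 0.5 or unique_fraction < 0.1:
        return "POOR"
    if ratio < 0.5:
        return "FAIR"
    if ratio < 0.9:
        return "GOOD"
    return "GREAT"


def assess_resolver(ports, txids):
    """Return the port and TXID ratings for one resolver's observed queries."""
    return {
        "source_port": rate_randomness(ports, 16),
        "transaction_id": rate_randomness(txids, 16),
    }


def constructed_samples(n=200, seed=1):
    """Constructed observations (not real captures) for three resolver styles:
    randomized, a resolver pinned to one source port, and a sequential TXID
    counter. The hypothetical port 32768 stands in for a fixed source port."""
    rng = random.Random(seed)
    randomized = [rng.randrange(1024, 65536) for _ in range(n)]
    fixed_port = [32768] * n
    counter_txids = [(1000 + i) % 65536 for i in range(n)]
    return {
        "randomized": randomized,
        "fixed_port": fixed_port,
        "counter_txids": counter_txids,
    }


if __name__ == "__main__":
    s = constructed_samples()
    print("patched-style resolver:", assess_resolver(s["randomized"], s["randomized"]))
    print("fixed source port:     ", assess_resolver(s["fixed_port"], s["randomized"]))
    print("sequential TXIDs:      ", assess_resolver(s["randomized"], s["counter_txids"]))
```

The sequential check is there because a counter passes a naive uniqueness test while being the easiest thing to predict; a resolver that picks a fresh random port per query and a random TXID per query should come out GREAT on both, which is what the OARC verdict quoted above reports for the OpenDNS resolver.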