[conspire] DNS vulnerability details
Eric De MUND
ead-conspire at ixian.com
Sun Aug 3 17:58:19 PDT 2008
Ok, I believe I've completed phase 1 of 2 of eliminating my DNS vul-
nerability, that of fixing my SOHO network. Phase 2 will be to patch
my debian laptop which travels out into the world. Please educate me
if I've missed anything in phase 1. In particular, given "GREAT" test
results in step d, below, why might I still need to install BIND on any
of the SOHO systems behind my router?
Here at home, in phase 1:
a. I upgraded the firmware of my Linksys WRT54G v2.2 router to
"DD-WRT v24-sp1 (07/27/08) std". Though dd-wrt.com noted in ,
"We'd like to make clear that the DD-WRT default configuration in
v23 / v24 is not vulnerable, so there was and is no risk for dd-wrt
users," their list of overall enhancements for v24 sp1 included, on
the very first line:
o DNS security fix for dnsmasq
b. I configured my router thus (">>" indicates a change, "[v]"
indicates a check in a checkbox):
Local IP Address 10.0.0.1
Subnet Mask 255.255.255.0
>> Local DNS 126.96.36.199 # resolver1.opendns.com
Network Address Server Settings (DHCP)
DHCP Type DHCP Server
DHCP Server (o) Enable ( ) Disable
Start IP Address 10.0.0.100
Maximum DHCP Users 50
Client Lease Time 1440 minutes
>> Static DNS 1 188.8.131.52 # resolver1.opendns.com
>> Static DNS 2 184.108.40.206 # resolver2.opendns.com
Static DNS 3 0.0.0.0
>> Use DNSMasq for DHCP [v] # these checkboxes might have
>> Use DNSMasq for DNS [v] # been selected previously; I
DHCP-Authoritative [v] # can't recall
c. I did not install BIND on any of the systems behind my router.
(Yes, a la Monty Python, "There is no step c.")
d. From all three systems behind the router (2 x debian 4.0r4 +
1 x Mac OS X 10.5.4), I ran the [Test My DNS] test at
<https://www.dns-oarc.net/oarc/services/dnsentropy>. All tests
DNS Resolver(s) Tested:
1. 220.127.116.11 (bld1.pao.opendns.com) appears to have GREAT source
port randomness and GREAT transaction ID randomness.
So, to inquire again, why am I not done with phase 1? Why might I need
to install BIND on a system behind my router?
Thanks a million,
1. DD-WRT v24 SP1
"The ship be sinking."
"How far could it sink?"
"Sky's the limit."
--reporter in conversation with pro basketball player
Micheal [sic] Ray Richardson, on the New York Knicks
Eric De MUND | Ixian Systems | Jab: eadixian at jabber.org/main
ead at ixian.com | 650 Castro St, #120-210 | Y!M: ead0002
ixian.com/ead/ | Mountain View, CA 94041 | ICQ: 811788
More information about the conspire