[conspire] DNS vulnerability details

Thu Jul 24 11:20:27 PDT 2008

Just a further comment (on a detail of BIND9 configuration):

> Also, note the commented-out "query-source address * port 53;"
> statement.  This is where you can _deliberately lock_ your nameserver to
> originate queries from a specific port address -- which we've known for 
> many years is an extremely bad idea.  (The asterisk is where you could
> specify which of your machine's IP addresses the queries should say they
> come from, in the case of a machine with multiple IPs.)
> 
> People upgrading their existing BIND9 nameservers for the July 8 patches
> need to check manually to ensure that such a line hasn't been activated
> -- because its presence negates the benefit of the upgrade (which adds
> support for randomised source ports!).

To be fair, the real reason for that line's existence is IP/port filters
("firewalls").  Let's say you operate a nameserver inside a network's
security perimeter (as opposed to living on your outside network, fully
exposed to the Internet).  Let's say you have carefully built a set of
filter rules, on your outside router box, specifying what traffic is
permitted in and out.

You'd probably be very tempted to lock down your (internally located)
DNS nameserver's operation so that its own outbound queries always
originate on TCP or UDP port 53 (DNS), because then you can put in place
a firewall rule that says "permit outbound packets from host ns1 that
have source port 53", and not be obliged to permit traffic originating
from any and all originating ports.  That is the purpose for which the
"query-source" directive exists.

Again, this situation might even apply to _you_ with your little Netgear
/ LinkSys / whatever "router" box connected to aDSL, cable, or dial-up
service:  You might have some firewall rulesets needing review.

I suspect a whole lot of sites are soon going to fall victim to one of
two related pitfalls:

1.  You apply the July 8 patches and restart your nameserver.  You
breathe a gusty sigh of relief, in the knowledge that your now-upgraded
nameserver now supports random source ports on recursive-resolver
queries -- forgetting entirely about the "query-source address * port 53;"
line in /etc/bind/named.conf[.whatever] that _prevents_ it from using
that new ability.  Your nameserver is reachable and upgraded, but 
remains vulnerable for reasons invisible to you, plus you now suffer
from a false feeling of confidence.

2.  You apply the July 8 patches and restart your nameserver, and
_remember_ to verify that no "query-source..." directive has disabled
its new abilities -- but forget entirely about the firewall script
blocking all traffic from that host unless it originates on port 53.
Your nameserver is now upgraded and has much better security, _but_ for
reasons invisible to you is now unreachable from public networks.