[conspire] DNS vulnerability details

Ruben Safir ruben at mrbrklyn.com
Sat Jul 26 09:16:51 PDT 2008 

On Sat, Jul 26, 2008 at 01:38:27AM -0700, Rick Moen wrote:
> Hi, Ruben.  I'll just try to see if I can add anything to Ryan's
> admirably concise explanation.  (I probably can't, because unfortunately 
> I was obliged to work on a server emergency in the middle of the night,
> and so am dead tired -- but I'll try.)
> 
> Quoting Ruben Safir (ruben at mrbrklyn.com):
> 
> > The first client resolver request sends to DNS.myserver.com on port 53
> 
> This is not the hop where the problem occurs.  Remember, as I explained, 
> even to the (questionable) extent that you can flood a client resolver
> library with faked responses to such requests, that doesn't buy the
> attacker very much, because client resolver libraries _don't cache results_.
> 

So this is sort of ike why my browsers sem to be connected on high ports
all the time.  And this backtracking to source ports is normal IP/TCP
behavior and nothing needs to be changed from client bahaviors.

so I'm going to remove the old SuSE name server and install from the
bind site the latest Beta code.  How much tinkering will I need to
do with my named.conf file or the DNS records?

Ruben


> As Ryan said, the point of vulnerability occurs when DNS.myserver.com
> receives the query (which arrives with the recursion bit set).
> DNS.myserver.com consults its cache, figuratively shrugs "Dunno",
> notices the recursive bit set, and sends the query _onwards_ to somewhere 
> -- some additional nameserver, say, DNS.other.com -- that will
> eventually result in a response being forwarded back, the requested RR
> whose attached TTL value still has some life in it.
> 
> When DNS.myserver.com lobs its outbound copy of the original client's
> request, if it's a dumb, _tradition_-style nameserver, it will use some
> highly predictable source port, e.g., locked to port 53.  All BIND8,
> BIND9 before the current P1 patches, pdnsd, dnsmasq (used in _many_
> embedded appliances!), and Microsoft Windows DNS Server all do the dumb
> thing.  PowerDNS, Dan Bernstein's dnscache (part of djbdns), Unbound,
> and MaraDNS do not:  Those all originate the second-hop request from a
> properly randomised source port.
> 
> There are several obvious ways to induce the original DNS client (the
> one that handed off the request to DNS.myserver.com) to ask about a
> domain that's firmly under the control of the bad guys, e.g., embedding
> references to that domain in Web pages that users of the original client
> machine then are induced to browse.  Let's say that domain is
> evilco.com.  
> 
> 1.  Original DNS client asks DNS.myserver.com "Where's images.evilco.com?"
> 2.  DNS.myserver.com doesn't know, sends outbound query onwards to 
>     DNS.other.com.
> 
> At the same time, the evilco.com guys, alerted to the outbound query to
> evilco.com's Web site, start flooding DNS.myserver.com's LAN with forged
> DNS-response packets that purport to be from DNS.other.com, with a
> variety of QID (transaction ID) numbers, attempting to race back to
> DNS.myserver.com before the genuine response from DNS.other.com does.
> The forged response contains a perfectly serviceable response to the
> "Where's images.evilco.com?" question, but also bears data in the
> "ADDITIONAL SECTION" portion designed to lodge in DNS.myserver.com's
> cache, concerning some other domain entirely.
> 
> With only 65536 possible QIDs, evilco.com has a good chance of
> succeeding.  If DNS.myserver.com's query came from a fixed port, then 
> that's all evilco.com need do.  OTOH, if DNS.myserver.com has also sent
> the query from a randomly selected source port (on which the reply must
> also arrive), then that makes it a significantly more difficult target.
> 
> > I can't help but feel that until of criticle systems services are
> > using cryptography, that we just continue to go in circles.
> 
> There's a saying about crypto not making very good magic pixie dust.
> 
> 
> _______________________________________________
> conspire mailing list
> conspire at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/conspire

-- 
http://www.mrbrklyn.com - Interesting Stuff
http://www.nylxs.com - Leadership Development in Free Software

So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world  - RI Safir 1998

http://fairuse.nylxs.com  DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002

"Yeah - I write Free Software...so SUE ME"

"The tremendous problem we face is that we are becoming sharecroppers to our own cultural heritage -- we need the ability to participate in our own society."

"> I'm an engineer. I choose the best tool for the job, politics be damned.<
You must be a stupid engineer then, because politcs and technology have been attached at the hip since the 1st dynasty in Ancient Egypt.  I guess you missed that one."

© Copyright for the Digital Millennium

More information about the conspire mailing list