Massive DNS fixes ... BIND, MSDNS, Sun, you name them ...

Written by Ken Task
Wednesday, 09 July 2008 03:36
The DNS issue (cache poisoning) recently in the news has been around for at least 3-4 years if I recall correctly. Massive collaboration was finally necessary to fix the problem: Microsoft, Cisco, Red Hat, Sun, ISC (the makers of BIND, which still has the lion's share of the market - 80% of the DNS servers on the net), and Yahoo (largest deployment of the still vulnerable version 8 of BIND). Red Hat and CentOS Linux servers, however, have been distributing BIND 9 (with DNSSEC) since Fedora Core 2 was released ... in other words, a long time.

Ref: http://www.techworld.com/security/news/index.cfm?newsid=102110

The researcher's web site/blog has a little checker to see if your DNS is vulnerable to cache poisoning: http://www.doxpara.com/ He will also give network admins one month to patch their software before revealing more technical details next month at the Black Hat conference in Las Vegas.

Why is this important? Well, if you update your DNS but the upstream provider does not (these are probably the DNS servers your network goes to in order to resolve unknown queries), it could mean your folks can still be hijacked!

For those of you who don't know whether your ISP/DNS server is BIND or Windows or whatever, here's something to try (works on Linux, Mac OS X):

    dig @[A_DNS_SERVER] -c CH -t txt version.bind

where "A_DNS_SERVER" is the IP or FQDN of a DNS server in your configuration.

Here's an example of a PROPERLY CONFIGURED DNS SERVER RESPONSE using the dig command above:

    [root@lts named]# dig @ns1.aloesoft.com -c CH -t txt version.bind

    ; <<>> DiG 9.2.3 <<>> @ns1.aloesoft.com -c CH -t txt version.bind
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 40539
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;version.bind.                  CH      TXT

    ;; Query time: 105 msec
    ;; SERVER: 205.161.184.10#53(ns1.aloesoft.com)
    ;; WHEN: Wed Jul 9 08:22:37 2008
    ;; MSG SIZE rcvd: 30

As you can see above, the QUERY status says REFUSED!

Here's an example of an IMPROPERLY CONFIGURED DNS SERVER RESPONSE using the dig command above:

    [root@lts named]# dig @192.168.1.50 -c CH -t txt version.bind

    ; <<>> DiG 9.2.3 <<>> @192.168.1.50 -c CH -t txt version.bind
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10009
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;version.bind.                  CH      TXT

    ;; ANSWER SECTION:
    version.bind.           0       CH      TXT     "9.2.3"

    ;; Query time: 1 msec
    ;; SERVER: 192.168.1.50#53(192.168.1.50)
    ;; WHEN: Wed Jul 9 08:23:09 2008
    ;; MSG SIZE rcvd: 48

As you can see from the last query, the version of BIND on 192.168.1.50 (an internal DNS server running BIND, not accessible from the public internet) shows an "ANSWER SECTION" which says 192.168.1.50 is running BIND 9.2.3.

Try the same thing on a Windows DNS server and you should get passed up to one of the root servers of the internet - which is STILL not a good thing - and in the query status you'll see NOTIMP (which means it's not programmed to respond to that type of query, but doesn't mean its cache can't get poisoned!).

DNS tools for checking:
http://us.mirror.menandmice.com/knowledgehub/tools/dig
http://member.dnsstuff.com/pages/dnsreport.php

Article on the related MS patches: http://www.techworld.com/security/news/index.cfm?newsid=102113

The SQL part of the MS patches is important, although it still does not address the issue of SQL injection attacks on MS IIS web sites (only ... Apache, of course, is not affected).
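The dig check above, as an added example that is not part of the original post: a small Python script that builds the same CH TXT version.bind query on the wire and classifies a raw DNS reply the way the post reads the dig output (REFUSED or NOTIMP = version hidden, NOERROR with a TXT answer = version disclosed). The two replies it checks are constructed inline to match the transcripts above, so it runs with no network access.

```python
# Added example (not from the original post). Builds the CH TXT version.bind
# query and classifies a wire-format reply; sample replies below are constructed.
import struct

RCODES = {0: "NOERROR", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_version_query(txid=0x1234):
    """Wire-format query for version.bind, type TXT (16), class CH (3), RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"\x07version\x04bind\x00"
    return header + qname + struct.pack("!HH", 16, 3)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def classify_reply(msg):
    """Read the rcode and any CH TXT answer, and give the verdict the post applies."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip qtype and qclass
    version = None
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 16 and rclass == 3:  # TXT record in class CH
            version = msg[off + 1:off + 1 + msg[off]].decode()  # one <length><text> string
        off += rdlen
    if rcode == "NOERROR" and version is not None:
        verdict = "leaks version"
    elif rcode in ("REFUSED", "NOTIMP"):
        verdict = "hidden (" + rcode + ")"
    else:
        verdict = "no answer (" + rcode + ")"
    return {"id": txid, "rcode": rcode, "version": version, "verdict": verdict}

# Constructed replies mirroring the two dig transcripts: flags "qr rd" with REFUSED,
# and "qr aa rd" with one TXT answer. They are 30 and 48 bytes, the MSG SIZE dig showed.
QUERY = build_version_query()
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUERY[12:]
LEAKY_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8500, 1, 1, 0, 0) + QUERY[12:]
               + b"\xc0\x0c" + struct.pack("!HHIH", 16, 3, 0, 6) + b"\x05" + b"9.2.3")
```

Hiding version.bind only removes a fingerprint; as the post says of NOTIMP, a hidden version is no evidence that the resolver's cache cannot be poisoned.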