DNS architecture flaw, serious cache poisoning vulnerability
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
DNS architecture flaw, serious cache poisoning vulnerability
I don't see anything in the Security section about this yet, so here is the advisory. Note that pretty much every implementation of caching DNS resolver is vulnerable to this flaw.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Original Poster
Rep:
I'm not Microsoft fan by any stretch of the imagination, but you can't fault Microsoft because Checkpoint's host firewall is piss-poor. Microsoft had to do something drastic to resolve the issue, because their install base would be a huuuuuuuuuuuuuuuge target for exploitation if notification was released to the world before the patch was made available. Maybe this will cause Checkpoint to be more rigorous about their development process...
Microsoft rock, no need to say more. That's how they handle everything.
As for the DNS poisoning vulnerability, it's nothing serious to me.
It has been known for ages that such attacks are possible and the source port randomization patch they provide just makes it harder for a determined attacker.
Distribution: Mint 20.1 on workstation, Debian 11 on servers
Posts: 1,336
Rep:
Anyone know how I can confirm that my servers are safe? I ran a yum update but it only brought me to version 9.3 but 9.5 is latest. So I have a big feeling I'm not secure.
I'm surprised at the lack of information there is online at this point about this serious flaw. I'm also surprised banking sites and such have not already been hacked. I will be avoiding online banking for a bit just in case though. A hacker could change the records of a bank's site then direct to a site that looks exactly like the bank's site then get passwords etc... can get real messy.
I don't get how they managed to let such exploit slip by as DNS is such a simple protocol, there is no reason that the program should allow for zones to be written to by the application itself - it should be a user logged in as root that can write to the zones with a text editor, that's it.
But that said any way I can test my server? I realize there's a few web tools but they just automatically test the IP I'm coming from, I need to test a specific IP.
Distribution: Mint 20.1 on workstation, Debian 11 on servers
Posts: 1,336
Rep:
Those don't let me specify the DNS though, they just pick it out of thin air - it's showing my home IP (which is not even running DNS) and saying its vulnerable, but I need to know if my web server's DNS is vulnerable so I want to punch it in.
I suppose I could use lynx or wget from the server itself to check...
Edit: lynx worked. I'm not vulnerable, yay!
Code:
Please Enable Javascript: { Login here }
Your IP: 67.19.158.242 Near: Dallas, Texas United States
DNS Vulnerability Check
This tool checks for DNS cache poisoning susceptibility, a serious security flaw in DNS recently acknowledged by CERT (US Computer Emergency
Readiness Team). US-CERT VU#800113
This DNS server is NOT vulnerable!
DNS Server Address Query source port Query ID
No DNS servers found
How do I read the results table?
Last edited by Red Squirrel; 07-24-2008 at 10:39 PM.
The site evaluate the source ports seen when your system's DNS server queries their DNS servers to
look up their hosts (the host names are randomly generated, guarantying unique queries each time).
Your browser uses your local system's resolver and the configured DNS server to contact their site.
Their site isn't contacting your DNS server, and they can't force your system to use some other DNS server.
It has to come from a system that is using the caching nameserver you want to check.
Btw1. Does Lynx handle javascript correctly?
Btw2. Did you enable javascript for the site like the error says?
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Original Poster
Rep:
Quote:
Originally Posted by simonapnic
As for the DNS poisoning vulnerability, it's nothing serious to me.
It has been known for ages that such attacks are possible and the source port randomization patch they provide just makes it harder for a determined attacker.
You should really educate yourself on this flaw, it is specifically not "just the same old thing we've known for years." The sophistication of this attack let's you poison any hostname for any client that's making requests to a vulnerable resolver, and not only that, but do it in about 11 seconds, tops. All the attack has to do is get you to load an HTML page that they control.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Original Poster
Rep:
PS here's a PERL script to run on servers to check the DNS resolver they're using: http://michael.toren.net/code/noclicky/
Edit: Arrrg, Dan K. changed his tool so the above script no longer reports the correct information (falsely says you're safe!). I made a patch for it here: http://www.smtps.net/issues/02-noclicky.patch
download both files to the same directory and apply the patch like this:
Code:
$ patch -p0 <02-noclicky.patch
NB: This doesn't check the resolver on the machine, necessarily. It checks the resolver the machine is using (i.e. /etc/resolv.conf, the first nameserver entry).
Last edited by chort; 07-26-2008 at 12:27 AM.
Reason: new patch
Distribution: Mint 20.1 on workstation, Debian 11 on servers
Posts: 1,336
Rep:
Quote:
Originally Posted by Mr. C.
The site evaluate the source ports seen when your system's DNS server queries their DNS servers to
look up their hosts (the host names are randomly generated, guarantying unique queries each time).
Your browser uses your local system's resolver and the configured DNS server to contact their site.
Their site isn't contacting your DNS server, and they can't force your system to use some other DNS server.
It has to come from a system that is using the caching nameserver you want to check.
Btw1. Does Lynx handle javascript correctly?
Btw2. Did you enable javascript for the site like the error says?
Yeah don't know if it uses JS for the actual test or just displaying the result. AS lynx does not handle it.
But the IP shown is in fact my server's IP, but that still does not mean it fully tested it...
After all the reading I've been doing on this issue I still don't understand how it happens. DNS is a read only protocol, its not like FTP where people can upload data. So what exactly allows people to easily change the records? I could see if someone hacks through the server's FTP/SSH then goes to edit the records, but then that would be a flaw in the FTP not DNS.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.