LinuxQuestions.org > Forums > Linux Forums > Linux - Security
#1  mvidberg (LQ Newbie; Distribution: Ubuntu, Debian, CentOS)  08-01-2008, 10:29 AM
Is my bind9 on a Debian box vulnerable?


I have recently run
apt-get update
apt-get upgrade
on a Debian etch server and when I do
named -v
I get "BIND 9.3.4-P1.1". Is this version safe from the recent announcement of the BIND vulnerability to cache poisoning? Or do I need to download some deb file and upgrade with that? Sorry, I just don't know Debian that well.
#2  technodweeb (Member)  08-01-2008, 12:13 PM
DNS Cache vulnerability test

The easiest way I know is to have a PC that uses your DNS server for lookups. Then go to www.dnsstuff.com and you will find a link there to test for this vulnerability. The tables I have been able to find do not answer for all the versions available. I last updated 2 DNS servers that the tables did not answer for. The test before the update failed and then passed after the update. Most seem to be related to the lack of source port randomization. I am not sure what to tell you if DNS fails the test after the update.
#3  win32sux (LQ Guru)  08-01-2008, 12:39 PM
Yeah, you are definitely much better off running an actual test for a vulnerability instead of relying solely on a version number. There are cases when a vulnerability is supposed to be patched in a certain version, but due to human error it wasn't. Those cases don't get noticed until, for example, someone looks at the source code or does some vulnerability testing. Of course, doing tests for all known vulnerabilities on all your packages might be impractical, but in cases such as this extremely serious DNS issue, where tests abound, I think it's important to test your box as a precaution.

#4  chort (Senior Member)  08-01-2008, 03:05 PM
Code:
$ dig +short porttest.dns-oarc.net TXT
That will tell you for sure (using the nameserver in your /etc/resolv.conf) if you are vulnerable.

Note that even if you installed the patch, your distribution might have the query-source-port hard-coded to 53 in /etc/named.conf, so you'd still be vulnerable. Also, if you're forwarding requests to another nameserver instead of having your nameserver perform recursive lookups, you may still be vulnerable because the nameserver that you're forwarding to might be vulnerable. Last, it's possible for firewalls to re-write the source ports in a linear, or very poorly randomized fashion, which would maintain a high degree of vulnerability.

The test above will show you, for that machine, whether it's vulnerable to poisoned DNS cache results.
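As an added illustration of the two caveats in this post (a query-source port pinned in named.conf, and a firewall that rewrites source ports in a linear fashion), not code from the thread: a small Python checker run over a constructed named.conf fragment and constructed samples of observed source ports. The rating thresholds are illustrative, not DNS-OARC's.

```python
import re

# Constructed named.conf fragment (not from the thread) showing both settings
# warned about above: a fixed query-source port and a non-empty forwarders list.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/cache/bind";
    query-source address * port 53;
    forwarders { 192.0.2.53; };
};
"""

# Constructed samples of the UDP source port seen on eight successive queries.
FIXED_PORT = [53] * 8                       # port pinned in named.conf
NAT_LINEAR = [40001 + i for i in range(8)]  # firewall rewriting ports in order
RANDOMIZED = [17432, 61095, 2901, 45210, 33817, 58024, 9944, 27311]

def check_named_conf(text):
    """Flag a fixed query-source port (anything but 0 or '*', which lets
    named pick a random port) and any non-empty forwarders list."""
    findings = []
    m = re.search(r'query-source(?:-v6)?\s+[^;]*\bport\s+(\d+)', text)
    if m and m.group(1) != '0':
        findings.append('query-source port fixed to %s' % m.group(1))
    if re.search(r'^\s*forwarders\s*\{[^}]*\d', text, re.M):
        findings.append('forwarders configured: the upstream resolver must be patched too')
    return findings

def port_randomness(ports):
    """Rate a sample of observed source ports: how many distinct values,
    how wide the spread, and whether successive ports merely count upward
    (what a NAT rewriting ports linearly looks like from outside)."""
    distinct = len(set(ports))
    spread = max(ports) - min(ports)
    steps = [b - a for a, b in zip(ports, ports[1:])]
    counting_up = sum(1 for d in steps if 0 <= d <= 2) >= 0.8 * len(steps)
    if distinct == 1 or counting_up or spread < 1024:
        return 'POOR'
    if distinct < 0.9 * len(ports) or spread < 16384:
        return 'FAIR'
    return 'GOOD'

if __name__ == '__main__':
    for f in check_named_conf(SAMPLE_NAMED_CONF):
        print('named.conf:', f)
    for name, sample in [('fixed', FIXED_PORT), ('nat', NAT_LINEAR),
                         ('random', RANDOMIZED)]:
        print(name, port_randomness(sample))
```

The port sample would come from packet captures on the resolver's upstream interface; the named.conf check is the local half of the test, the dig query above is the external half.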
#5  avijitp (Member)  08-02-2008, 12:37 AM
If you are running a caching DNS server and your DNS server does not have port randomization and a strong transaction id generation algorithm, it is vulnerable to cache poisoning. A bad guy can poison your DNS cache with improper data.

Latest stable releases are:

BIND 9.5.0-P2
BIND 9.4.2-P2
BIND 9.3.5-P2

Have a look into the blogs of Dan Kaminsky, who discovered this vulnerability. Check his blogs at http://www.doxpara.com/