[asterisk-users] OT: DNS security

Alexander Lopez Alex.Lopez at OpSys.com
Wed Jul 9 11:01:21 CDT 2008


Snip

On Wed, Jul 9, 2008 at 10:50 AM, C F <shmaltz at gmail.com> wrote:

Very interesting article. I guess we won't know much more for another
few weeks:
http://www.breitbart.com/article.php?id=080709124916.zxdxcmkx&show_article=1


I thought this was common knowledge.  I remember hearing about the flaw
around 2000 or so.

Thanks,
Steve T

Knowledge yes, but common, I don't think so.  Cache Poisoning has been
around since before 2000.

A properly designed DNS server with the right amount of randomness in
its requests would be a difficult target. The attack exploits the fact
that many sequential packets had sequential numbers, so that it was easy
to send a malformed packet back as a response to a query.

It works like this:

Badman requests the address for www.digium.com from a name server; the
server does not have it in its cache, or it has expired. The name server
requests the information from its forwarders, or the root domain. Badman
sends a packet with the address of the forwarder or root domain server
forged, with an incremented sequence number. The name server thinks that
it is a valid response and adds it to its cache... the cache is
poisoned...

Clearing the cache would clean out the poison entry, and unless the
Badman was able to guess the precise time your name server was to
request the information, your server should get the correct entry.

Ever since Windows 2003 and Bind 9.0+, and in all versions of TinyDNS,
random numbers have been used for the sequence in the packet. There is
always a brute force attack that can be done, to simply overwhelm the DNS
server and possibly 'guess' the next sequence number, but that would be
time consuming, and most intrusion detection systems will pick it up as
a DOS or DDOS attack and start to shut down access.

The best solution is to use a trusted DNS server, don't have your master
DNS server (the one that resolves your domain for the rest of the world)
set to do recursive lookups, and, as I do, hide your DNS server behind a
NAT'ed firewall that randomizes outgoing ports and sequence numbers.

Alex
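A defender-side check for the weakness described above, added here as an example and not part of the thread or any resolver's own code: it pulls the 16-bit transaction ID out of a resolver's outgoing query headers, flags a sequential (predictable) pattern, and estimates how much guessing margin randomized IDs and source ports buy. The packet headers are constructed samples, and the "randomized" IDs are fixed constants standing in for a patched resolver.

```python
import struct

def dns_query_header(txid: int, flags: int = 0x0100) -> bytes:
    """Build the 12-byte DNS header of a standard query (QDCOUNT=1)."""
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)

def txid_of(packet: bytes) -> int:
    """Extract the 16-bit transaction ID (first two bytes of the header)."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", packet[:2])[0]

def predictability(values: list[int], space: int = 65536) -> dict:
    """Score a sample of IDs (or source ports): fraction of consecutive
    +1 steps, number of distinct values, and a verdict. 'space' is the
    full range so wrap-around (0xFFFF -> 0x0000) still counts as a step."""
    deltas = [(b - a) % space for a, b in zip(values, values[1:])]
    step_frac = sum(d == 1 for d in deltas) / max(len(deltas), 1)
    distinct = len(set(values))
    return {"sequential_fraction": step_frac, "distinct": distinct,
            "predictable": step_frac >= 0.5 or distinct <= len(values) // 2}

def expected_spoof_attempts(txid_random: bool, port_random: bool,
                            port_range: int = 64512) -> int:
    """Average blind guesses needed to match ID and port: the defender's
    margin. A predictable field costs roughly one guess; a random 16-bit
    ID costs ~65536 and a randomized ephemeral port ~port_range more."""
    ids = 65536 if txid_random else 1
    ports = port_range if port_random else 1
    return max(1, (ids * ports) // 2)

# Constructed sample 1: resolver that increments the ID (pre-fix behaviour).
SEQUENTIAL = [dns_query_header(0x4000 + i) for i in range(8)]
# Constructed sample 2: fixed random-looking IDs standing in for a patched resolver.
RANDOMISED = [dns_query_header(t) for t in
              (0x9F3A, 0x1C77, 0xE205, 0x5B90, 0x0D4E, 0xA8C1, 0x73F2, 0x4E16)]

if __name__ == "__main__":
    for name, sample in (("sequential", SEQUENTIAL), ("randomised", RANDOMISED)):
        print(name, predictability([txid_of(p) for p in sample]))
    print("guesses, fixed port/seq ID:", expected_spoof_attempts(False, False))
    print("guesses, random ID only:   ", expected_spoof_attempts(True, False))
    print("guesses, random ID + port: ", expected_spoof_attempts(True, True))
```

Run it against IDs and source ports taken from a capture of your own resolver's outbound queries to see which category it falls into.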
