[asterisk-users] OT: DNS security

C F shmaltz at gmail.com
Wed Jul 9 12:17:10 CDT 2008


I don't think that this is the exploit that they are talking about.
What you say is too simple and requires too much to achieve (do it at the
right time when a request is made and quicker than the intended DNS
server).

On Wed, Jul 9, 2008 at 12:01 PM, Alexander Lopez <Alex.Lopez at opsys.com> wrote:
> Snip
>
> On Wed, Jul 9, 2008 at 10:50 AM, C F <shmaltz at gmail.com> wrote:
>
> Very interesting article. I guess we won't know much more for another few
> weeks:
> http://www.breitbart.com/article.php?id=080709124916.zxdxcmkx&show_article=1
>
> I thought this was common knowledge.  I remember hearing about the flaw
> around 2000 or so.
>
> Thanks,
> Steve T
>
> Knowledge yes, but common, I don't think so.  Cache Poisoning has been
> around since before 2000.
>
>
>
> A properly designed DNS server with the right amount of randomness in its
> request would be a difficult target. The attack exploits the fact that many
> sequential packets had sequential numbers, so that it was easy to send a
> malformed packet back as a response to a query.
>
>
>
> It works like this:
>
>
>
> Badman requests the address for www.digium.com from a name server, the
> server does not have it in its cache or it has expired. Name server requests
> the information from its forwarders, or the root domain. Badman sends a
> packet with the address of the forwarder or root domain server forged with
> an incremented sequence number. The name server thinks that it is a valid
> response and adds it to its cache… the Cache is poisoned…
>
>
>
> Clearing the cache would clean out the poison entry, and unless the Badman
> was able to guess the precise time your name server was to request the
> information, your server should get the correct entry.
>
>
>
> Ever since Windows 2003, Bind 9.0+, and all versions of TinyDNS have random
> numbers been used for the sequence in the packet. There is always a brute
> force attack that can be done, to simply overwhelm the DNS server and
> possibly 'guess' the next sequence number but that would be time consuming,
> and most intrusion detection systems will pick it up as a DOS or DDOS attack
> and start to shut down access.
>
>
>
> Best solution is to use a trusted DNS server, don't have your master DNS
> server (the one that resolves your domain for the rest of the world) set to
> do recursive lookups, and, as I do, hide your DNS server behind a NAT'ed
> firewall that randomizes outgoing ports and sequence numbers.
>
>
>
>
>
> Alex
>
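Alex's explanation above comes down to one check a resolver makes: a reply is only accepted if its transaction ID and destination port match an outstanding query, so a counter-style ID and a fixed source port leave almost nothing to guess. The following script, added here and not part of this thread, is a defender-side check that looks at a sample of a resolver's outgoing queries (constructed, not captured traffic) and reports whether its ports and IDs look predictable or randomized; the thresholds are an assumption.

```python
import random
from typing import Dict, List, Tuple

Query = Tuple[int, int]  # (UDP source port, DNS transaction ID) of one outgoing query


def sequential_fraction(values: List[int]) -> float:
    """Fraction of consecutive pairs that increment by exactly one (mod 2^16)."""
    if len(values) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(values, values[1:]) if (a + 1) & 0xFFFF == b)
    return hits / (len(values) - 1)


def assess_resolver(queries: List[Query]) -> Dict[str, object]:
    """Judge whether a resolver's outgoing queries are guessable.

    A forged reply is accepted only if it carries the outstanding query's
    transaction ID *and* arrives on the port the query left from, so the
    search space is roughly (distinct IDs) x (distinct ports). A fixed port
    or counter-style IDs collapses that space to a handful of guesses.
    The 0.5 thresholds below are an assumption, not a published standard.
    """
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    distinct_ports = len(set(ports))
    txid_seq = sequential_fraction(txids)
    port_seq = sequential_fraction(ports)
    predictable = distinct_ports == 1 or txid_seq > 0.5 or port_seq > 0.5
    return {
        "distinct_ports": distinct_ports,
        "txid_sequential_fraction": round(txid_seq, 3),
        "port_sequential_fraction": round(port_seq, 3),
        "verdict": "PREDICTABLE" if predictable else "RANDOMIZED",
    }


# Constructed samples (not captured traffic): a legacy resolver that always
# queries from port 53 with a counter for the ID, and one that randomizes both.
LEGACY_RESOLVER: List[Query] = [(53, 1000 + i) for i in range(200)]

_rng = random.Random(1)  # fixed seed so the constructed sample is reproducible
RANDOMIZED_RESOLVER: List[Query] = [
    (_rng.randint(1024, 65535), _rng.randint(0, 65535)) for _ in range(200)
]

if __name__ == "__main__":
    for name, sample in (("legacy", LEGACY_RESOLVER), ("randomized", RANDOMIZED_RESOLVER)):
        print(name, assess_resolver(sample))
```

On a real resolver the (port, ID) pairs would come from a capture of its outbound port-53 queries; the check only needs a few hundred of them.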


