The cat is out of the bag now.... DNS flaw published by mistake!

Hi malware fighters,

For the second time now a very dangerous DNS flaw has been published by a security firm, before an official presentation at a coming Blackhat Conference. The man who found it, Dan Kaminsky, could not do much. The info on the site was taken down, but when the cat is out of the bag (they found the search engine cached info): http://blogs.buanzo.com.ar/2008/07/matasano-kaminsky-dns-forgery.html it is difficult to get it back in. So everyone, update DNS and watch your kernels.

So, is it really THAT bad? Well, yes. Basically, Dan figured out how to poison ANY DNS server's cache. The end result: people using the DNS server will think they are at Paypal, but are really at evilguy.com.
Hope for the big general patch now to come soon…

The patch consists of randomly generating the source port and coupling this to the TXID to minimize the chance of a correctly spoofed reply.
Another way is to run your own private recursive DNS server without forwarders to make these kinds of assaults impossible.

polonus
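To make the point in polonus's post concrete (why a random source port on top of the TXID matters), here is an added example that is not code from the thread or from any of the products named in it. It models the poisoning race as a guessing game: per attacker-triggered lookup the resolver picks a (TXID, source port) pair and the attacker sprays a batch of forged answers, each a distinct guess. Kaminsky's trick, as the thread describes it, is that every lookup is for a fresh random name under the victim domain, so a lost race caches nothing and the attacker just triggers another one. Assumptions marked in the code: the unpatched resolver always sends from one fixed port (modelled as 53), the patched one picks uniformly from 1024-65535, and the real answer never arrives before the forged batch (so this is an upper bound on the attacker's odds).

```python
"""Model of the Kaminsky-style cache-poisoning race, with and without source-port randomisation.
Added example for the forum thread above; assumptions are marked inline."""
import random

TXID_SPACE = 1 << 16                            # 16-bit DNS transaction ID
EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 65535     # assumption: port range used by a patched resolver
PORT_SPACE = EPHEMERAL_HIGH - EPHEMERAL_LOW + 1
FIXED_PORT = 53                                 # assumption: an unpatched resolver always queries from one port


def spoof_success_probability(replies_per_query, queries, random_ports):
    """Analytic probability that at least one of `queries` attacker-triggered lookups
    accepts a forged answer, when each lookup is met with `replies_per_query` distinct
    guesses at (txid, port).  With a fixed port only the 16-bit TXID has to be guessed."""
    space = TXID_SPACE * (PORT_SPACE if random_ports else 1)
    p_one = min(1.0, replies_per_query / space)
    return 1.0 - (1.0 - p_one) ** queries


def simulate_attack(replies_per_query, queries, random_ports, rng):
    """Monte Carlo version: True if any of `queries` lookups is poisoned.
    The attacker's spray of guesses is built once and reused for every lookup; that is
    equivalent to re-rolling it, because each lookup's real (txid, port) is an independent draw."""
    if random_ports:
        guesses = set()
        while len(guesses) < replies_per_query:
            guesses.add((rng.randrange(TXID_SPACE),
                         rng.randrange(EPHEMERAL_LOW, EPHEMERAL_HIGH + 1)))
    else:
        # The attacker knows the fixed port, so every guess only varies the TXID.
        guesses = {(t, FIXED_PORT) for t in rng.sample(range(TXID_SPACE), replies_per_query)}

    for _ in range(queries):
        txid = rng.randrange(TXID_SPACE)
        port = rng.randrange(EPHEMERAL_LOW, EPHEMERAL_HIGH + 1) if random_ports else FIXED_PORT
        if (txid, port) in guesses:
            return True      # forged answer matched: the bogus NS/A record is now cached
    return False


def estimate_success_rate(replies_per_query, queries, random_ports, trials=50, seed=2008):
    """Fraction of `trials` independent attack runs that succeed."""
    rng = random.Random(seed)
    wins = sum(simulate_attack(replies_per_query, queries, random_ports, rng) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    # 1000 forged replies per lookup, 200 lookups: a small fraction of what the thread's
    # "11 seconds" implies on a LAN-speed link.
    for random_ports in (False, True):
        label = "random source port" if random_ports else "fixed source port"
        print(f"{label:18s} analytic={spoof_success_probability(1000, 200, random_ports):.5f} "
              f"simulated={estimate_success_rate(1000, 200, random_ports):.2f}")
```

With a fixed port the 200-lookup run succeeds roughly 95% of the time; with the port randomised the same effort succeeds well under once in ten thousand runs, which is the whole effect of the patch. The model ignores the real answer racing the forged ones and NAT devices that squash the port range again, so real resolvers are somewhat better off than the fixed-port line and somewhat worse off than the random-port line.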

Thanks for posting this polonus! Very scary to know that this works on any DNS server. Good reading indeed.

Very informative as always, thanks polonus.

You can protect yourself by setting yourself to OpenDNS.
This can affect you no matter what computer or operating system you’re using, and no matter what ISP you may have.
If you connect to the Internet, you need to have DNS servers. Your computer needs to know how to match an IP address with a domain name.
Me worry ??? NO, I’ve been using and promoting OpenDNS for a long time as you can tell from
the following informative link:
http://forum.avast.com/index.php?topic=16849.msg185494#msg185494

Hello malware fighters,

Polonus would not be polonus, if he did not offer you a site to test your current DNS.
Do it, go here and click and test your DNS Resolvers at: https://www.dns-oarc.net/oarc/services/dnsentropy

Everything GREAT for ye?

polonus

Hi Polonus

Yep, all Great.

Hi Damien,
Everything here gets reported as “Great” but remember, I use OpenDNS. :)
So I didn’t expect anything less.

Source Port Randomness: POOR
Transaction ID Randomness: GREAT
Is this bad?

I got Great and Great,
so I think I would inquire about Great and Poor.

Hi micky77,

Your resolver’s randomness will be rated either GOOD, FAIR, or POOR,
based on the standard deviation of observed source ports.
In order to receive a GOOD rating, the standard deviation must be at least 10,000.
For FAIR it must be at least 3,000. Anything less is POOR.
The best standard deviation you can expect to see from 26 queries is in the 18,000-20,000 range.

If you see a POOR rating, we recommend that you contact your ISP
and ask if they have plans to upgrade their nameserver software
soon. The CERT cite is “VU#800113 Multiple DNS implementations vulnerable to cache poisoning”.

“For those not listening, we can infect a name server in 11 seconds now, which was never true before.”

polonus

On my PC with OpenDNS: GREAT and GREAT. On my PC with my ISP’s DNS: Source Port Randomness: POOR, Transaction ID Randomness: GREAT.

Hi malware fighters,

Just a link to another online DNS checker: http://www.doxpara.com/?p=1176

pol

Attacks begin on net address flaw

Attack code that exploits flaws in the net’s addressing system is starting to circulate online, say security experts.

http://news.bbc.co.uk/1/hi/technology/7525206.stm

Thanks very much Pol, I will take your advice; if I get no joy, I will try Bob’s OpenDNS (thanks Bob).
I tried the Doxpara check, and it said,
Your name server, , may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 129.

Also use OpenDNS like Bob has mentioned :)
And Damian, on this one you posted above, https://www.dns-oarc.net/oarc/services/dnsentropy
all the tests came out GREAT :)

  1. 208.67.217.4 (bld1.nyc.opendns.com) appears to have GREAT source port randomness and GREAT transaction ID randomness.
  2. 208.67.217.17 (bld7.nyc.opendns.com) appears to have GREAT source port randomness and GREAT transaction ID randomness.
    as seen below…

Hi Dan,

I agree with bob3160 and you that DNS is broken(ish) at the moment, and the exploit was already out in the open after Dan Bernstein published about the gigantic flaw Dan Kaminsky found. In IE you can set your browser to use reliable DNS name servers; you can even map a specific URL to a specific domain name in your hosts file. OpenDNS can be a good option, never saw a hassle for people that used it.
But again folks, this affair is huge and hanging over us, because the actual exploit code is out on the web (CAU), also for the client side. Getting back to Dan Kaminsky and his efforts: he was also able to convince Yahoo to publicly ditch an unpatchable system (BIND 8). Yahoo are the world’s biggest user of BIND 8, so this is a massive undertaking and highlights the seriousness of the issue.
Anyways, all our webforum users have been alerted here to this issue and can check, or ask their ISP to fully patch, or implement a reliable DNS service themselves; you have no excuse anymore to delay…

polonus

Thanks for the update and info Damian, as always :)
you know what that bottle is of ;D

Hi Dan,

Well, I think there is more to follow. OpenDNS sure is an option; one could also choose to use the Minnesota University DNS servers. Anything below the latest BIND 9 is vulnerable, and cannot be used any longer. With the check on Dan Kaminsky’s site, you can get a result like: “Your name server, at A.B.C.D., appears to be safe, but make sure the ports listed below aren’t following an obvious pattern,” e.g. TXID numbers should be random without a fixed pattern. The impact of the flaw is being explained here: http://www.kb.cert.org/vuls/id/800113

To the second remark in your posting, I can state that I can see you are an American, because there Pitbull is a sugar-free energy drink. You guessed it right. Here is the variant that I drink at the moment, see picture below,

Damian
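Three things in this thread are worth running yourself: the OARC rating rule polonus quoted earlier (standard deviation of the source ports over about 26 queries; GOOD at 10,000 or more, FAIR at 3,000, POOR below that), the doxpara checker's "largest port minus smallest port" figure that came out as 129 behind a NAT, and the caveat in this post that a port list can score well and still follow an obvious pattern. The block below is an added example, not code from the thread or from either checker; the samples are constructed (a seeded uniform draw standing in for a patched resolver, a NAT rewriting into a 130-port window, a sequential unpatched resolver, and a fixed-stride list that fools the standard-deviation test), and the 1024-65535 ephemeral range is an assumption.

```python
"""Rate observed DNS source ports the way the thread describes, plus the pattern check
standard deviation misses.  Added example; thresholds are the ones quoted in the thread."""
import random
import statistics

GOOD_STDDEV = 10_000          # thresholds as quoted from the OARC checker in the thread
FAIR_STDDEV = 3_000
EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 65535   # assumption: usable port range of a patched resolver


def rate_port_randomness(ports):
    """Return (rating, stddev) for the source ports seen on a batch of outgoing queries."""
    sd = statistics.pstdev(ports)
    if sd >= GOOD_STDDEV:
        return "GOOD", sd
    if sd >= FAIR_STDDEV:
        return "FAIR", sd
    return "POOR", sd


def port_spread(ports):
    """Largest port minus smallest port: the number the doxpara checker reported (129 in the thread)."""
    return max(ports) - min(ports)


def obvious_pattern(ports):
    """Standard deviation is blind to predictability.  A resolver (or NAT) that hands out ports
    with a constant stride spreads them widely yet an attacker can predict the next one exactly."""
    if len(ports) < 3:
        return False
    strides = {b - a for a, b in zip(ports, ports[1:])}
    return len(strides) == 1


def assess(ports):
    """Combine the three checks into one verdict: only GOOD *and* no pattern passes."""
    rating, sd = rate_port_randomness(ports)
    patterned = obvious_pattern(ports)
    return {
        "rating": rating,
        "stddev": round(sd, 1),
        "spread": port_spread(ports),
        "patterned": patterned,
        "safe": rating == "GOOD" and not patterned,
    }


# Constructed samples (26 queries each, like the checker in the thread).
_rng = random.Random(2008)
PATCHED = [_rng.randrange(EPHEMERAL_LOW, EPHEMERAL_HIGH + 1) for _ in range(26)]
NAT_SQUASHED = [3000 + (i * 37) % 130 for i in range(26)]    # NAT rewrites into a 130-port window
SEQUENTIAL = list(range(1024, 1050))                          # unpatched resolver: port = last + 1
STRIDED = [1024 + i * 2580 for i in range(26)]                # stride 2580: stddev 19350, yet predictable

if __name__ == "__main__":
    for name, sample in [("patched", PATCHED), ("nat_squashed", NAT_SQUASHED),
                         ("sequential", SEQUENTIAL), ("strided", STRIDED)]:
        print(f"{name:13s} {assess(sample)}")
```

The strided list is the interesting one: its standard deviation lands in the 18,000-20,000 band the OARC text calls the best you can expect, so a threshold-only checker rates it GOOD, while the attacker's port guess space has collapsed to one value. That is the reason Kaminsky's page tells you to eyeball the listed ports for a pattern rather than trust the number alone; the NAT sample shows the opposite failure, where a patched resolver is undone by the device in front of it.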

Occasionally, I do know what I’m talking about. ;D ;D

To understand a little little little bit more:

http://www.avertlabs.com/research/blog/index.php/2008/07/23/the-cat-is-out-of-the-bag-dns-bug/