DNSmasq - DNS poisoning [INACTIVE]

To discuss and report ONLY Bugs

DNSmasq - DNS poisoning

Post by bobbb » Sat Jul 26, 2008 10:02 pm

There has been a lot of talk recently about DNS poisoning. According to US-CERT we are vulnerable but simon at thekelleys.org.uk is not sure.

http://it.slashdot.org/article.pl?sid=08/07/21/2212227
http://it.slashdot.org/article.pl?sid=08/07/25/1334254

US-CERT Vulnerability Note VU#800113
http://www.kb.cert.org/vuls/id/800113
dnsmasq Vulnerable 11-Jul-2008

DNSmasq people have a fix in version 2.43
http://lists.thekelleys.org.uk/pipermai ... 02183.html

Implement random source ports for interactions with
upstream nameservers. New spoofing attacks have been found
against nameservers which do not do this, though it is not
clear if dnsmasq is vulnerable, since it doesn't implement
recursion. By default dnsmasq will now use a different
source port (and socket) for each query it sends
upstream.
bobbb
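The changelog bobbb quotes says the 2.43 default is a fresh source port (and socket) per upstream query. One way to confirm that on a running box is to capture the resolver's outbound queries with tcpdump -n and check how much the source port and the 16-bit transaction ID actually vary. The script below does that over captured lines; it is an added example and not dnsmasq's own code, and the two captures it analyses are constructed inline (the IPs, ports and TXIDs are made up) rather than real traffic.

```python
"""Check from tcpdump output whether a forwarding resolver varies the UDP
source port and transaction ID of its upstream queries (the property
dnsmasq 2.43 added). Added example, not dnsmasq's code; the capture lines
below are constructed, not real traffic."""
import math
import re
from collections import Counter

# tcpdump -n prints an outbound query roughly as:
#   IP 192.168.1.1.1025 > 10.0.0.1.53: 4660+ A? www.example.com. (33)
# We pull out the resolver's source port and the 16-bit transaction ID.
QUERY_RE = re.compile(
    r"IP \d+\.\d+\.\d+\.\d+\.(?P<sport>\d+) > \d+\.\d+\.\d+\.\d+\.53: "
    r"(?P<txid>\d+)\+? "
)

# Constructed sample 1: every query leaves from the same port (pre-2.43 style).
FIXED_PORT_CAPTURE = [
    "12:00:01.000000 IP 192.168.1.1.1025 > 10.0.0.1.53: 4660+ A? www.example.com. (33)",
    "12:00:01.100000 IP 192.168.1.1.1025 > 10.0.0.1.53: 22136+ A? mail.example.com. (34)",
    "12:00:01.200000 IP 192.168.1.1.1025 > 10.0.0.1.53: 39612+ AAAA? www.example.com. (33)",
    "12:00:01.300000 IP 192.168.1.1.1025 > 10.0.0.1.53: 57088+ MX? example.com. (29)",
    "12:00:01.400000 IP 192.168.1.1.1025 > 10.0.0.1.53: 9028+ A? ns1.example.com. (33)",
    "12:00:01.500000 IP 192.168.1.1.1025 > 10.0.0.1.53: 26504+ A? www.example.net. (33)",
    "12:00:01.600000 IP 192.168.1.1.1025 > 10.0.0.1.53: 43980+ A? www.example.org. (33)",
    "12:00:01.700000 IP 192.168.1.1.1025 > 10.0.0.1.53: 61456+ TXT? example.com. (29)",
]

# Constructed sample 2: a fresh ephemeral port per query (the 2.43 default).
RANDOM_PORT_CAPTURE = [
    "12:00:01.000000 IP 192.168.1.1.41873 > 10.0.0.1.53: 4660+ A? www.example.com. (33)",
    "12:00:01.100000 IP 192.168.1.1.59014 > 10.0.0.1.53: 22136+ A? mail.example.com. (34)",
    "12:00:01.200000 IP 192.168.1.1.33291 > 10.0.0.1.53: 39612+ AAAA? www.example.com. (33)",
    "12:00:01.300000 IP 192.168.1.1.50127 > 10.0.0.1.53: 57088+ MX? example.com. (29)",
    "12:00:01.400000 IP 192.168.1.1.62340 > 10.0.0.1.53: 9028+ A? ns1.example.com. (33)",
    "12:00:01.500000 IP 192.168.1.1.36655 > 10.0.0.1.53: 26504+ A? www.example.net. (33)",
    "12:00:01.600000 IP 192.168.1.1.47218 > 10.0.0.1.53: 43980+ A? www.example.org. (33)",
    "12:00:01.700000 IP 192.168.1.1.55502 > 10.0.0.1.53: 61456+ TXT? example.com. (29)",
]


def shannon_bits(values):
    """Shannon entropy, in bits, of the observed value distribution."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def analyse(lines):
    """Summarise port/TXID variation over the captured upstream queries."""
    ports, txids = [], []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            ports.append(int(m["sport"]))
            txids.append(int(m["txid"]))
    if not ports:
        return {"queries": 0}
    p_bits, t_bits = shannon_bits(ports), shannon_bits(txids)
    return {
        "queries": len(ports),
        "distinct_ports": len(set(ports)),
        "distinct_txids": len(set(txids)),
        "port_entropy_bits": p_bits,
        "txid_entropy_bits": t_bits,
        # A spoofer must match port AND TXID, so the bits add up.
        "guess_space_bits": p_bits + t_bits,
    }


def ports_look_randomised(lines, min_distinct_fraction=0.9):
    """Crude verdict: nearly every query used a different source port."""
    r = analyse(lines)
    return r["queries"] > 0 and r["distinct_ports"] >= min_distinct_fraction * r["queries"]


if __name__ == "__main__":
    for label, cap in (("fixed port", FIXED_PORT_CAPTURE), ("random port", RANDOM_PORT_CAPTURE)):
        print(label, analyse(cap), "randomised:", ports_look_randomised(cap))
```

Two caveats when running this against a real capture. Measured entropy cannot exceed log2 of the number of queries captured (8 queries cap it at 3 bits), so judge a resolver on thousands of queries, not a handful; the target is close to 16 bits from the TXID plus as much as the ephemeral port range gives. And if dnsmasq is started with query-port set to a fixed value, it will use that one port for every upstream query and the new default does not apply, which this check will show as a single distinct port.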
 

Re: DNSmasq - DNS poisoning

Post by coidiloco » Sat Aug 09, 2008 4:17 pm

Hi,

You can use maradns or dnscache (pdnsd) in the meantime.
To make pdnsd more secure activate the "paranoid" option.

paranoid=(on|off);
Normally, pdnsd queries all servers in recursive mode (i.e. instructs servers to query other servers themselves if possible, and to give back answers for domains that may not be in its authority), and accepts additional records with information for servers that are not in the authority of the queried server. This opens the possibility of so-called cache poisoning: a malicious attacker might set up a dns server that, when queried, returns forged additional records. This way, he might replace trusted servers with his own ones by making your dns server return bad IP addresses. This option protects you from cache poisoning by rejecting additional records that do not describe domains in the queried server's authority space and not doing recursive queries any more. An exception to this rule are the servers you specify in your config file, which are trusted.
The penalty is a possible performance decrease, in particular, more queries might be necessary for the same operation.
You should also notice that there may be other similar security problems, which are essentially problems of the DNS, i.e. any "traditional" server has them (the DNS security extensions solve these problems, but are not widely supported). One of these vulnerabilities is that an attacker may bombard you with forged answers in hopes that one may match a query you have done. If you have done such a query, one in 65536 forged packets will be successful (i.e. an average packet count of 32768 is needed for that attack). pdnsd can use TCP for queries, which has a slightly higher overhead, but is much less vulnerable to such attacks on sane operating systems. Also, pdnsd chooses random query ids, so that an attacker cannot take a shortcut. If the attacker is able to listen to your network traffic, this attack is relatively easy, though.
This vulnerability is not pdnsd's fault, and is possible using any conventional name server (pdnsd is perhaps a little more secured against this type of attacks if you make it use TCP).
The paranoid option is off by default.


Get DNSCache here:
http://www.brazilfw.com.br/forum/viewtopic.php?f=21&t=63086

see you ;-)
coidiloco
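The paranoid option described in the post above rejects additional records that fall outside the queried server's authority (a "bailiwick" check) while still trusting the servers listed in the config file. The following is an added illustration of that rule, not pdnsd's own code: the response dict, the zone name, the server IPs and the trusted-server list are all constructed for the example, and the handling of the root zone "." as matching everything is an assumption of this example rather than something the post states.

```python
"""Bailiwick filtering of DNS additional records, in the spirit of pdnsd's
paranoid=on. Added example; the data below is constructed, and the
treatment of "." as the all-matching root zone is this example's choice."""


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies beneath it.

    Names are compared case-insensitively and without the trailing dot.
    The root zone ("." or "") is treated as containing every name.
    """
    name = name.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    if zone == "":
        return True
    return name == zone or name.endswith("." + zone)


def filter_additional(response, server_zone, responding_server, trusted_servers=()):
    """Split the additional section of `response` into (accepted, rejected).

    response:          {"answer": [...], "additional": [(name, rtype, rdata), ...]}
    server_zone:       the zone the queried server is authoritative for
    responding_server: IP address the reply came from
    trusted_servers:   IPs from the local config; their additional records
                       are accepted unchanged, mirroring the exception the
                       post describes
    """
    additional = list(response.get("additional", []))
    if responding_server in trusted_servers:
        return additional, []
    accepted, rejected = [], []
    for rr in additional:
        (accepted if in_bailiwick(rr[0], server_zone) else rejected).append(rr)
    return accepted, rejected


# Constructed reply from a server authoritative for example.com. The second
# additional record is the poison attempt: glue for a name the server has
# no authority over, which an un-paranoid cache would happily store.
FORGED_REPLY = {
    "answer": [("www.example.com.", "A", "192.0.2.10")],
    "additional": [
        ("ns1.example.com.", "A", "192.0.2.53"),    # legitimate glue
        ("www.bank.test.", "A", "198.51.100.66"),  # out of bailiwick
    ],
}

if __name__ == "__main__":
    ok, dropped = filter_additional(FORGED_REPLY, "example.com.", "192.0.2.53")
    print("accepted:", ok)
    print("rejected:", dropped)
```

Note what this check does and does not buy you: it stops an attacker who controls some authoritative server from smuggling records for other domains into your cache via the additional section, but it does nothing against the forged-answer race the post goes on to describe, where the attacker spoofs the answer itself; for that the remaining defences are the ones the post lists (random query IDs, TCP) plus source-port randomisation.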
 

