public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] DNS poisoning fix
@ 2008-07-09 19:29 Mick
  2008-07-09 19:37 ` Daniel Pielmeier
                   ` (4 more replies)
  0 siblings, 5 replies; 12+ messages in thread
From: Mick @ 2008-07-09 19:29 UTC (permalink / raw
  To: gentoo-user

Hi All,

Have you seen this?

http://uk.news.yahoo.com/afp/20080709/ttc-us-it-internet-software-crime-e0bba4a.html

and this?

http://www.doxpara.com/

Is it merely a matter of using the right version of bind (for those who run a 
bind daemon locally), or does it go further than that?
-- 
Regards,
Mick


* Re: [gentoo-user] DNS poisoning fix
  2008-07-09 19:29 [gentoo-user] DNS poisoning fix Mick
@ 2008-07-09 19:37 ` Daniel Pielmeier
  2008-07-09 19:59 ` Alan McKinnon
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 12+ messages in thread
From: Daniel Pielmeier @ 2008-07-09 19:37 UTC (permalink / raw
  To: gentoo-user

Mick wrote:
> Hi All,
> 
> Have you seen this?
> 
> http://uk.news.yahoo.com/afp/20080709/ttc-us-it-internet-software-crime-e0bba4a.html
> 
> and this?
> 
> http://www.doxpara.com/
> 
> Is it merely a matter of using the right version of bind (for those who run a 
> bind daemon locally), or does it go further than that?

It was already announced on the planet [1] and there is already a bug 
[2] open about it.


[1] http://planet.gentoo.org/
[2] https://bugs.gentoo.org/show_bug.cgi?id=231201
-- 
gentoo-user@lists.gentoo.org mailing list




* Re: [gentoo-user] DNS poisoning fix
  2008-07-09 19:29 [gentoo-user] DNS poisoning fix Mick
  2008-07-09 19:37 ` Daniel Pielmeier
@ 2008-07-09 19:59 ` Alan McKinnon
  2008-07-09 20:40 ` [gentoo-user] " 7v5w7go9ub0o
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 12+ messages in thread
From: Alan McKinnon @ 2008-07-09 19:59 UTC (permalink / raw
  To: gentoo-user

On Wednesday 09 July 2008, Mick wrote:
> Is it merely a matter of using the right version of bind (for those
> who run a bind daemon locally), or does it go further than that?

I have no idea how far it goes. What I can tell you is that today I 
updated 3 name servers, a colleague did the other three, and not one of 
them was bind.

Only once one replaces bind with something else does one realise how 
much of a pita it is to use.... :-)

-- 
Alan McKinnon
alan dot mckinnon at gmail dot com


* [gentoo-user] Re: DNS poisoning fix
  2008-07-09 19:29 [gentoo-user] DNS poisoning fix Mick
  2008-07-09 19:37 ` Daniel Pielmeier
  2008-07-09 19:59 ` Alan McKinnon
@ 2008-07-09 20:40 ` 7v5w7go9ub0o
  2008-07-10  8:58 ` [gentoo-user] " Adam Carter
  2008-07-10 13:35 ` Dave Oxley
  4 siblings, 0 replies; 12+ messages in thread
From: 7v5w7go9ub0o @ 2008-07-09 20:40 UTC (permalink / raw
  To: gentoo-user

Mick wrote:
> Hi All,
> 
> Have you seen this?
> 
> http://uk.news.yahoo.com/afp/20080709/ttc-us-it-internet-software-crime-e0bba4a.html
> 
> and this?
> 
> http://www.doxpara.com/
> 
> Is it merely a matter of using the right version of bind (for those who run a 
> bind daemon locally), or does it go further than that?

This note from the author of maradns might help understand the issue.

(FWIW, maradns is straightforward and simple if you want to try it on an 
interim basis 'til bind is fixed.)

"MaraDNS is immune to the new cache poisoning attack.  MaraDNS has
always been immune to this attack.  Ditto with Deadwood (indeed,
people can use MaraDNS or Deadwood on the loopback interface to
protect their machines from this attack).

OK, basically, this is an old problem DJB wrote about well over seven
years ago.  The solution is to randomize both the query ID and the
source port; MaraDNS/Deadwood do this (and have been doing this since
around the time of their first public releases that could resolve DNS
queries) using a cryptographically strong random number generator
(MaraDNS uses an AES variant; Deadwood uses the 32-bit version of
Radio Gatun).

- Sam


* RE: [gentoo-user] DNS poisoning fix
  2008-07-09 19:29 [gentoo-user] DNS poisoning fix Mick
                   ` (2 preceding siblings ...)
  2008-07-09 20:40 ` [gentoo-user] " 7v5w7go9ub0o
@ 2008-07-10  8:58 ` Adam Carter
  2008-07-10  9:07   ` Adam Carter
  2008-07-10 13:35 ` Dave Oxley
  4 siblings, 1 reply; 12+ messages in thread
From: Adam Carter @ 2008-07-10  8:58 UTC (permalink / raw
  To: gentoo-user@lists.gentoo.org

> Is it merely a matter of using the right version of bind (for
> those who run a
> bind daemon locally), or does it go further than that?

"This issue is addressed in ISC BIND 9.2.8-P1, BIND 9.3.4-P1, BIND 9.4.1-P1 or BIND 9.5.0a6"

rix adam # emerge -pv bind

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] net-dns/bind-9.4.1_p1  USE="berkdb ldap mysql* ssl threads -dlz -doc -idn -ipv6 -odbc -postgres -resolvconf (-selinux) -urandom" 0 kB

rix adam # ls -l /usr/sbin/named
-rwxr-xr-x 2 root root 347636 Aug 15  2007 /usr/sbin/named

So AFAICT it was fixed in stable/x86 around 11 months ago.

* RE: [gentoo-user] DNS poisoning fix
  2008-07-10  8:58 ` [gentoo-user] " Adam Carter
@ 2008-07-10  9:07   ` Adam Carter
  0 siblings, 0 replies; 12+ messages in thread
From: Adam Carter @ 2008-07-10  9:07 UTC (permalink / raw
  To: gentoo-user@lists.gentoo.org


> So AFAICT it was fixed in stable/x86 around 11 months ago.

Ignore my earlier idiocy - from ISC's site:

"YOU ARE ADVISED TO INSTALL EITHER THE PATCHES (9.5.0-P1, 9.4.2-P1, 9.3.5-P1) OR THE NEW BETA RELEASES (9.5.1b1, 9.4.3b2) IMMEDIATELY.

The patches will have a noticeable impact on the performance of BIND caching resolvers with query rates at or above 10,000 queries per second. The beta releases include optimized code that will reduce the impact in performance to non-significant levels. "

http://www.isc.org/index.pl?/sw/bind/bind-security.php

* Re: [gentoo-user] DNS poisoning fix
  2008-07-09 19:29 [gentoo-user] DNS poisoning fix Mick
                   ` (3 preceding siblings ...)
  2008-07-10  8:58 ` [gentoo-user] " Adam Carter
@ 2008-07-10 13:35 ` Dave Oxley
  2008-07-10 13:50   ` Dirk Uys
                     ` (2 more replies)
  4 siblings, 3 replies; 12+ messages in thread
From: Dave Oxley @ 2008-07-10 13:35 UTC (permalink / raw
  To: gentoo-user

I've installed 9.4.2-P1 but http://www.doxpara.com/ says I'm still 
vulnerable. What more do I need to do?

Cheers,
Dave.

Mick wrote:
> Hi All,
>
> Have you seen this?
>
> http://uk.news.yahoo.com/afp/20080709/ttc-us-it-internet-software-crime-e0bba4a.html
>
> and this?
>
> http://www.doxpara.com/
>
> Is it merely a matter of using the right version of bind (for those who run a 
> bind daemon locally), or does it go further than that?
>   

* Re: [gentoo-user] DNS poisoning fix
  2008-07-10 13:35 ` Dave Oxley
@ 2008-07-10 13:50   ` Dirk Uys
  2008-07-10 14:16   ` Volker Armin Hemmann
  2008-07-10 17:01   ` Josh Cepek
  2 siblings, 0 replies; 12+ messages in thread
From: Dirk Uys @ 2008-07-10 13:50 UTC (permalink / raw
  To: gentoo-user

On Thu, Jul 10, 2008 at 3:35 PM, Dave Oxley <dave@daveoxley.co.uk> wrote:
> I've installed 9.4.2-P1 but http://www.doxpara.com/ says I'm still
> vulnerable. What more do I need to do?
>
> Cheers,
> Dave.
>
> Mick wrote:
>>
>> Hi All,
>>
>> Have you seen this?
>>
>>
>> http://uk.news.yahoo.com/afp/20080709/ttc-us-it-internet-software-crime-e0bba4a.html
>>
>> and this?
>>
>> http://www.doxpara.com/
>>
>> Is it merely a matter of using the right version of bind (for those who
>> run a bind daemon locally), or does it go further than that?
>>
>
> --
> gentoo-user@lists.gentoo.org mailing list
>
>

I think if your DNS server forwards a DNS query to any other server
that is not yet patched, you are still vulnerable.

Complain to your ISP or forward DNS requests to different name servers.

Hope this helps
Dirk
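Two points in the thread deserve a worked illustration: Sam's note that the fix is randomising both the query ID and the UDP source port, and Dirk's point that a patched resolver forwarding to an unpatched one is still exposed. The block below is an added example, not code from the thread, from MaraDNS/Deadwood or from BIND. It models the attacker's odds against a given amount of unpredictable per-query state, picks out the weakest hop of a forwarding chain, and classifies the source ports a sniffer would see on a resolver's outgoing queries. Every input is constructed (the hop names, the port lists, the "200 forged answers per lookup" figure); the probability model assumes the attacker's forged answers carry distinct, uniformly chosen ID/port guesses.

```python
# Added example (not code from the thread, MaraDNS, Deadwood or BIND):
# why randomising only the 16-bit transaction ID is not enough against
# the 2008 cache-poisoning attack, and a check over the source ports a
# sniffer sees on a resolver's outgoing queries. All inputs below are
# constructed; nothing is captured live.
import math
import random


def spoof_success_probability(entropy_bits, forged_per_query, queries):
    """Probability that an attacker sending `forged_per_query` distinct
    forged answers for each of `queries` triggered lookups lands at least
    one hit, when each lookup carries `entropy_bits` of unpredictable
    (txid + source-port) state. A miss costs nothing: the attack simply
    triggers a lookup for a fresh random name and tries again, which is
    what removed the old TTL-based rate limit."""
    per_query = min(1.0, forged_per_query / 2.0 ** entropy_bits)
    return 1.0 - (1.0 - per_query) ** queries


def expected_queries_to_poison(entropy_bits, forged_per_query):
    """Mean number of triggered lookups before the first successful spoof."""
    return 2.0 ** entropy_bits / forged_per_query


def weakest_hop(chain):
    """For a forwarding chain [(name, entropy_bits), ...] return the hop
    whose cache is cheapest to poison. A patched local resolver that
    forwards to an unpatched upstream is only as strong as that upstream:
    whatever lands in the upstream cache is handed down as a valid answer."""
    return min(chain, key=lambda hop: hop[1])


def classify_port_randomization(source_ports):
    """Rough classification of the UDP source ports used for outgoing
    queries (give it at least a few dozen samples).
      FIXED      one port for every query (unpatched resolver, or a fixed
                 'query-source port' in named.conf undoing the patch)
      SEQUENTIAL ports advance by a constant step, trivially guessable
      POOR       repeats or a narrow range, well short of ~16 bits
      GOOD       distinct ports spread across the ephemeral range"""
    n = len(source_ports)
    if n < 2:
        raise ValueError("need more than one sample")
    distinct = len(set(source_ports))
    if distinct == 1:
        return "FIXED"
    deltas = {b - a for a, b in zip(source_ports, source_ports[1:])}
    if len(deltas) == 1:
        return "SEQUENTIAL"
    # With ~64k possible ports a few dozen random draws almost never
    # collide, so visible repetition means a small effective space.
    if distinct < 0.9 * n or max(source_ports) - min(source_ports) < 4096:
        return "POOR"
    return "GOOD"


def constructed_ports(n, fixed=None, seed=7):
    """Constructed sample: a fixed port, or pseudo-random ports from
    1024-65535 standing in for a resolver that randomises its source port."""
    rng = random.Random(seed)
    return [fixed if fixed is not None else rng.randrange(1024, 65536)
            for _ in range(n)]


if __name__ == "__main__":
    for bits in (16, 32):
        print(f"{bits} bits of state, 200 forged answers per lookup: "
              f"about {expected_queries_to_poison(bits, 200):,.0f} lookups "
              f"(~{math.log2(expected_queries_to_poison(bits, 200)):.1f} bits of work)")
    print(classify_port_randomization(constructed_ports(64, fixed=53)))
    print(classify_port_randomization(constructed_ports(64)))
    # Hypothetical chain: the hop names are made up for the example.
    print(weakest_hop([("local bind 9.4.2-P1", 32), ("ISP resolver", 16)]))
```

With only the transaction ID to guess, a few hundred forged answers per lookup poison a cache within a few hundred triggered lookups, which the Kaminsky technique supplies at will; adding a randomised source port multiplies the work by tens of thousands. The port classifier only tells you about the resolver that actually sends the queries, which is why a test site reports the last unpatched hop rather than the box you just updated.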

* Re: [gentoo-user] DNS poisoning fix
  2008-07-10 13:35 ` Dave Oxley
  2008-07-10 13:50   ` Dirk Uys
@ 2008-07-10 14:16   ` Volker Armin Hemmann
  2008-07-11 14:30     ` Dave Oxley
  2008-07-10 17:01   ` Josh Cepek
  2 siblings, 1 reply; 12+ messages in thread
From: Volker Armin Hemmann @ 2008-07-10 14:16 UTC (permalink / raw
  To: gentoo-user

On Thursday, 10 July 2008, Dave Oxley wrote:
> I've installed 9.4.2-P1 but http://www.doxpara.com/ says I'm still
> vulnerable. What more do I need to do?

You need to install the updated tools too. Client and server side have to be 
fixed. Also the DNS your DNS is using has to be fixed. And finally, is that 
'your' DNS or your ISP's DNS the site is showing?


* Re: [gentoo-user] DNS poisoning fix
  2008-07-10 13:35 ` Dave Oxley
  2008-07-10 13:50   ` Dirk Uys
  2008-07-10 14:16   ` Volker Armin Hemmann
@ 2008-07-10 17:01   ` Josh Cepek
  2008-07-10 20:00     ` Alan McKinnon
  2 siblings, 1 reply; 12+ messages in thread
From: Josh Cepek @ 2008-07-10 17:01 UTC (permalink / raw
  To: gentoo-user

Dave Oxley wrote:
> I've installed 9.4.2-P1 but http://www.doxpara.com/ says I'm still 
> vulnerable. What more do I need to do?
>
> Cheers,
> Dave.
>
> Mick wrote:
>> Hi All,
>>
>> Have you seen this?
>>
>> http://uk.news.yahoo.com/afp/20080709/ttc-us-it-internet-software-crime-e0bba4a.html 
>>
>>
>> and this?
>>
>> http://www.doxpara.com/
>>
>> Is it merely a matter of using the right version of bind (for those 
>> who run a bind daemon locally), or does it go further than that? 

Be sure you restart the BIND server after updating too, otherwise it 
will happily continue to use the old version.  "/etc/init.d/named 
restart" should do it.

-- 
Josh




* Re: [gentoo-user] DNS poisoning fix
  2008-07-10 17:01   ` Josh Cepek
@ 2008-07-10 20:00     ` Alan McKinnon
  0 siblings, 0 replies; 12+ messages in thread
From: Alan McKinnon @ 2008-07-10 20:00 UTC (permalink / raw
  To: gentoo-user

On Thursday 10 July 2008, Josh Cepek wrote:
> Be sure you restart the BIND server after updating too, otherwise it
> will happily continue to use the old version.  "/etc/init.d/named
> restart" should do it.

make that:

killall named <repeat till certified dead> ; /etc/init.d/named start

named is notorious for not restarting properly on linux. It looks like 
it restarted, no console messages to catch your eye and top shows it 
running. The logs however say otherwise.

-- 
Alan McKinnon
alan dot mckinnon at gmail dot com


* Re: [gentoo-user] DNS poisoning fix
  2008-07-10 14:16   ` Volker Armin Hemmann
@ 2008-07-11 14:30     ` Dave Oxley
  0 siblings, 0 replies; 12+ messages in thread
From: Dave Oxley @ 2008-07-11 14:30 UTC (permalink / raw
  To: gentoo-user

[-- Attachment #1: Type: text/html, Size: 1277 bytes --]
