Safe configuration of DNS

A group called The Measurement Factory has put out a press release to call attention to a recent survey of DNS servers. It seems that, according to TMF, the majority of publicly-available nameservers are configured incorrectly, and are vulnerable to denial of service and pharming attacks. In most cases, fixing the problems is a relatively straightforward operation.

Pharming refers to the use of cache poisoning attacks to hijack a domain name. If an attacker can convince your nameserver to return a bogus address for a known domain, your attempts to access a bank or other online financial-related site can be redirected to a malicious site. Many users have learned to enter domains for financial sites themselves, rather than, say, clicking on a random link which showed up in their mailbox. A pharming attack, however, can lead to the same result as a successful phish: account names, passwords, and credit card numbers can be captured.

So what are all of those DNS administrators doing wrong? The biggest problem, according to TMF, is that publicly-available nameservers are configured to perform recursive lookups for anybody who asks. If an attacker can request an arbitrary, recursive lookup, that attacker can get the target nameserver to contact - and accept data from - a malicious server. The malicious server can pass back incorrect information, which the target server may then cache and return to users. The solution in this case is to limit recursive queries to internal hosts; with BIND, the allow-recursion option can be used to this effect.

The survey also notes that some 40% of sites on the net allow zone transfers to arbitrary sites. These transfers can disclose more information than one might like; they also represent a denial of service opportunity. Finally, the survey notes that a fair number of sites place their secondary servers on the same subnet as the primary, leading to obvious single point of failure issues.
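The two configuration fixes the article points to (restricting recursion and zone transfers), shown as an added BIND 9 named.conf fragment that is not from the article or from The Measurement Factory; the address ranges and zone name are placeholders from documentation space:

```conf
// Added example, not from the article or from The Measurement Factory.
// Address ranges below are placeholders from documentation space.
acl "internal" {
    127.0.0.0/8;
    ::1;
    192.0.2.0/24;          // placeholder: the LAN(s) allowed to recurse
};

acl "secondaries" {
    198.51.100.53;         // placeholder: a secondary on another subnet
};

options {
    directory "/var/named";

    // The surveyed misconfiguration is what this era's BIND 9 does by
    // default: with no allow-recursion clause, anyone on the Internet can
    // make this server recurse and so expose its cache to answers from
    // servers the requester chose. Restrict recursion to our own hosts.
    allow-recursion { "internal"; };

    // Likewise, without allow-transfer any client may pull every zone
    // (AXFR). Only our secondaries need that.
    allow-transfer { "secondaries"; };
};

zone "example.com" IN {
    type master;
    file "example.com.zone";
    // Per-zone clause; overrides the global one for this zone only.
    allow-transfer { "secondaries"; };
    also-notify { 198.51.100.53; };
};
```

`named-checkconf` will syntax-check the file before a reload; afterwards, a recursive query or an AXFR request from a host outside the two ACLs should be refused rather than answered.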

Security issues with DNS servers have been relatively rare in recent times. A nameserver is only as secure as its configuration, however. Auditing nameservers for these issues in the near future might not be a bad idea.



DNS Servers

Posted Oct 27, 2005 4:03 UTC (Thu) by rfunk (subscriber, #4054) [Link]

So, what (authoritative) name server software should we be using these days? Is BIND 9 the ultimate answer? Do we hold our noses and go with the small & secure djbdns? Or is there a better alternative?

DNS Servers

Posted Oct 27, 2005 7:37 UTC (Thu) by rickmoen (subscriber, #6943) [Link]

rfunk wrote:

So, what (authoritative) name server software should we be using these days?

I have a summary of all known nameservers usable on Linux at "DNS Servers" on http://linuxmafia.com/kb/Network_Other/ . For authoritative-only service, you might look into NSD. For broader applications, PowerDNS looks interesting.

Me, I don't like it a whole lot (as you'll see on my page, I refer to it as a "slow, RAM-grabbing, overfeatured, monolithic daemon binary"), but I still run current BIND9 versions in a carefully restricted configuration (for authoritative, caching forwarder, and very restricted recursive resolver service). Probably, a typical Linux system's system resolver library is a bigger security risk: Last I heard, that was still recycled BIND8 spaghetti code.

Rick Moen
rick@linuxmafia.com

DNS Servers

Posted Oct 27, 2005 11:07 UTC (Thu) by nix (subscriber, #2304) [Link]

This is still true in CVS HEAD (and sunrpc/ is the old horrid Sun RPC code, too, also overdue for a rewrite).

zone transfers

Posted Oct 27, 2005 4:11 UTC (Thu) by dlang (subscriber, #313) [Link]

zone transfers are very little risk if the zones that can be transferred only have information that's intended to be publicly available.

there is a small additional risk in that it lets someone see what IP addresses you are using (and hints at what ports with things like the names and MX records), but all that information can be found quickly with a noisy port scan, or quietly with a slow portscan.

does anyone really put internal information in their external DNS zones anymore? back in the day when zone transfers were such a risk most people didn't have separate internal and external zones (this was before NAT and when most places didn't bother with firewalls either)

it's very tiring to have 'security consultants' continually bleating about the 'risk' of zone transfers for zones that contain two entries (a web server and a mail server), it distracts from dealing with real problems.

David Lang

zone transfers

Posted Nov 14, 2005 9:30 UTC (Mon) by dw (subscriber, #12017) [Link]

Zone transfers in themselves are reasonably harmless 99% of the time, I mean, you're not likely to find any secret information there as you pointed out. The larger and more fundamental problem, however, is that of providing unintended service to the general public at large.

In the case of DNS servers, this means allowing the public to feed little chunks of arbitrary data to code paths within your DNS software that you didn't even know were enabled. That is the much larger risk.

Safe configuration of DNS

Posted Oct 27, 2005 4:44 UTC (Thu) by lutchann (subscriber, #8872) [Link]

This is kind of an odd press release, considering who it's coming from. Anybody who is running DNS servers still vulnerable to cache poisoning is probably negligent enough that no amount of frightening-sounding survey data is going to help.

Safe configuration of DNS

Posted Oct 27, 2005 9:49 UTC (Thu) by kleptog (subscriber, #1183) [Link]

The annoying thing is, it's not always a solvable issue.

Consider the small company that resells someone else's dialup (or broadband) service. This small company has to provide email, web services and DNS. Only the modems and basic internet connectivity are handled by the provider.

This provider also assigns IP addresses, randomly. There is no list of addresses and new ranges are continuously added. Even if you could restrict Bind to only listen to the appropriate ranges, any other company reselling the same service will use the same ranges and thus also be able to use your DNS server.

If someone comes up with a way of securing that... You can block obviously bad stuff, ranges in other continents and stuff, but still. The allow-recursive bit is a diversion from the real problem which is that SOA records and DNS records in general cannot be tested for authenticity. Why isn't anyone fixing *that*?

And the most important excerpts are:

Posted Oct 27, 2005 5:43 UTC (Thu) by richardfish (subscriber, #20657) [Link]

...
The survey - conducted by The Measurement Factory and sponsored by
Infoblox
...
Remedies...
4. Use hardened, secure appliances instead of systems based on
general-purpose servers and operating software applications.
...
About Infoblox
Infoblox develops essential infrastructure used for establishing
identity-driven networks (IDNs). Infoblox network identity appliances
deliver nonstop DNS, DHCP, IPAM, RADIUS and related services
...

Smells like 100% pure, Grade-A, FUD-marketing to me.


And the most important excerpts are:

Posted Oct 27, 2005 8:03 UTC (Thu) by Liefting (subscriber, #8466) [Link]

An "appliance", isn't that software with an extension cord?

Appliances actually scare me more than GP OS + Apps. Reason: Harder to audit and there's no virus scanning/IDS/Tripwire/Malware detection/whatever for them. Look at the latest Cisco security problems. Imagine a botnet consisting not of secretly-taken-over Windows XP Home Edition PCs, but consisting of all the Cisco/Linksys/3com/whatever ADSL/Cable routers/Wireless APs ever built for home use. Much more stealthy, much more effective - and these devices are on 24/7 anyway.

BTW. Ever tried buying a virus scanner for your mobile phone?

And the most important excerpts are:

Posted Oct 28, 2005 15:59 UTC (Fri) by miah (guest, #639) [Link]

Sure, antivirus software exists for phones. However I think the majority of the phones in use in the US won't have an issue. We can thank our lovely phone companies here for keeping the technology a little dated and disabling included functionality like bluetooth and usb.

Something like F-Secure Mobile? Hrm.

http://www.f-secure.com/estore/avmobile.shtml

Series 60: Nokia 3230, 3650, 3660, 6260, 6600, 6630, 6670, 6680, 6681, 7610, 7650, N70, N90, N-Gage, Panasonic X700, X800 and Siemens SX1
Series 90: Nokia 7710
Pocket PC 2003: Qtek9090, Qtek2020, Qtek S100, MDA II, MDA III and MDA Compact
Smartphone 2003: Motorola MPX220, Qtek8200, Qtek8010, Qtek8020, Qtek8100, SDA and SDA Music
Size: 225KB (SmartPhone), 520KB (series 60), 660KB (PocketPC)

Or

http://us.mcafee.com/root/landingpages/afflandpage.asp?lp...

Microsoft Smartphone

* Motorola MPX200
* Audiovox SMT5600
* Qtek 8010
* VOQ A11

Microsoft Pocket PC

* Hewlett Packard
IPAQ 6315
* SPH i700
* Siemens SX66

Safe configuration of DNS

Posted Oct 27, 2005 12:28 UTC (Thu) by dps (subscriber, #5725) [Link]

Last time I read the documentation, and that was a *long* time ago, BIND only acted on answers to questions it asks, so if it asked about evil.cracking.org any portion of the reply not about evil.cracking.org is ignored. What TMF is worried about simply does not work on 99.9% of up to date name servers.

The TMF people *should* have known that the issue was fixed in BIND, as all it requires is reading the BIND documentation. That they failed to do so casts doubt on the credibility of their research.

It is also worth noting that very few networks actually use their public name servers... if you want to win you want to position internal name servers. My public DNS servers exist so you can send me email. My host uses a completely separate internal DNS server (unreachable from outside unless you are replying to one of its queries).

Safe configuration of DNS

Posted Oct 27, 2005 14:39 UTC (Thu) by charlieb (subscriber, #23340) [Link]

> Last time I read the documentation, and that was a *long* time ago,
> BIND only acted on answers to question it asks,

Do you *know* that - IOW, are you certain that the documentation is 100% accurate? Which version(s) of BIND, BTW?

Safe configuration of DNS

Posted Oct 30, 2005 1:20 UTC (Sun) by zblaxell (subscriber, #26385) [Link]

One of the (many) BIND problems went like this:

* Get your victim to query for "evil.cracking.org" while you hold the authoritative NS for "cracking.org"
* *Between* the victim's query for "evil.cracking.org" and your response to the query, the TTL for "org" expires in your victim's caching nameserver. It's more convenient if the victim will tell you the expiry field on its cached copy of the "org" record, so you know when to attack.
* Supply records in your response for both "cracking.org" and "org", both pointing to yourself.

Apparently this worked because "org" is one of the questions you need to ask on the way to "cracking.org", just as "cracking.org" is the question to ask before "evil.cracking.org", so it got past the "is this a question I asked" test.

DNS security is disturbingly weak; however, most of the time it doesn't really matter. When it does matter, we use strong verification in the higher level protocols (e.g. SSL certificates, SSH host keys, etc).
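The defence against the sequence described in the post above is a "bailiwick" check: a resolver keeps only those records in a reply that the answering server is actually authoritative for, rather than any record whose name it happened to ask about on the way. The following is an added example, not code from the post, from BIND, or from any other resolver; it uses a simplified tuple form for records instead of wire format, and the sample reply and addresses are constructed:

```python
# Added example: a bailiwick filter next to the weaker
# "did I ask about this name?" test that the post describes.
from typing import List, NamedTuple


class RR(NamedTuple):
    name: str      # owner name, e.g. "cracking.org"
    rtype: str     # record type, e.g. "A" or "NS"
    rdata: str     # address or target name
    section: str   # "answer", "authority" or "additional"


def canon(name: str) -> str:
    """Normalise a DNS name: lowercase, no trailing dot."""
    return name.rstrip(".").lower()


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or lies below zone (label-aligned)."""
    name, zone = canon(name), canon(zone)
    return name == zone or name.endswith("." + zone)


def filter_response(records: List[RR], zone: str) -> List[RR]:
    """Keep only records the server for `zone` may speak for."""
    return [rr for rr in records if in_bailiwick(rr.name, zone)]


def asked_chain(qname: str):
    """Every name a resolver asks about on the way to qname."""
    labels = canon(qname).split(".")
    return {".".join(labels[i:]) for i in range(len(labels))}


def naive_filter(records: List[RR], qname: str) -> List[RR]:
    """The weaker test: accept any record whose name was ever queried."""
    asked = asked_chain(qname)
    return [rr for rr in records if canon(rr.name) in asked]


# Constructed reply from the cracking.org nameserver to a query for
# evil.cracking.org; addresses are documentation ranges, not real hosts.
SAMPLE_RESPONSE = [
    RR("evil.cracking.org", "A", "192.0.2.10", "answer"),
    RR("cracking.org", "NS", "ns.cracking.org", "authority"),
    RR("ns.cracking.org", "A", "192.0.2.53", "additional"),  # legitimate glue
    RR("org", "NS", "ns.cracking.org", "authority"),         # out of bailiwick
]
```

Run against the sample reply, the naive test keeps the bogus "org" record (it was a question along the way) while discarding the legitimate glue for ns.cracking.org; the bailiwick filter does the opposite.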

Safe configuration of DNS

Posted Oct 27, 2005 19:41 UTC (Thu) by cventers (subscriber, #31465) [Link]

Just dropping in to say I'm happily running djbdns for every DNS need. It's very spartan, extremely secure, easy to configure, fast and robust.

Safe configuration of DNS

Posted Oct 28, 2005 16:03 UTC (Fri) by miah (guest, #639) [Link]

I've never tried djbdns, but I am a big fan of MaraDNS. I don't know many people running it, but it's also a tiny, secure, and really easy to configure DNS server.

http://www.maradns.org/

My problem with all of DJB's software is it gets released and forgotten about. When he releases it it's "secure" and contains only the most basic features; if you need additional features you need to add in the code yourself or use some 3rd party patch and possibly introduce a security issue.

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds