...making Linux just a little more fun!

Mailbag 2

This month's answers created by:

[ Kapil Hari Paranjape, René Pfeiffer, Rick Moen ]
...and you, our readers!

Editor's Note

In followup to Rick Moen's article in LG153, a collection of the DNS discussion in TAG from July and August.

DNS Exploit: Fix for older Fedora machines??

Rick Moen [rick at linuxmafia.com]


Thu, 24 Jul 2008 19:45:20 -0700

Two posts that help clarify the threat model.

----- Forwarded message from Keith Owens <[email protected]> -----

X-Mailer: exmh version 2.7.2 01/07/2005 (debian 1:2.7.2-12) with nmh-1.2

From: Keith Owens <[email protected]>
To: [email protected]
Date: Fri, 25 Jul 2008 12:10:40 +1000
Subject: Re: DNS Exploit: Fix for older Fedora machines?? 
"Leigh Sharpe" (on Fri, 25 Jul 2008 11:56:41 +1000) wrote:

> I have a couple of older FC2 machines running bind DNS. Is there an rpm
>available with the fix for the recent DNS exploit? Or am I stuck with
>the choice of compiling from source or upgrading the OS?

You need a version of bind9 that is less than 2 months old. bind8 is not being fixed. If Redhat do not have a recent bind9 for FC2 then get the latest src.rpm and build your own.

Alternatively install a small machine running a newer OS with a fixed DNS server and direct all DNS queries via that machine. It is only the final query (the one that hits the outside world) that needs to come from a fixed DNS server. Add firewall rules to block DNS queries from any other machine to the outside world.

Also turn off recursion for DNS queries that come from outside your site and are not for sites in your DNS. One of the ways that attackers are getting information is by issuing recursive requests to your DNS and pointing back at their machines. If you allow external recursive requests then it is much easier for an attacker to get information about your DNS's internal state.

Not sure how to turn off recursion for external requests? See http://www.cymru.com/Documents/secure-bind-template.html

----- End forwarded message ----- ----- Forwarded message from Keith Owens <[email protected]> -----

X-Mailer: exmh version 2.7.2 01/07/2005 (debian 1:2.7.2-12) with nmh-1.2

From: Keith Owens <[email protected]>
To: James Harper <[email protected]>
cc: [email protected]
Date: Fri, 25 Jul 2008 11:24:36 +1000
Subject: Re: DNS exploit: watch out for NAT boxes 
"James Harper" (on Fri, 25 Jul 2008 11:04:15 +1000) wrote:

[ ... ]

[ Thread continues here (1 message/5.23kB) ]


DNS exploit: watch out for NAT boxes

Rick Moen [rick at linuxmafia.com]


Thu, 24 Jul 2008 17:22:51 -0700

Again, I'd suggest a direct fix to any suspect nameserver software, rather than iptables wrapping -- but it's good to know that sharp eyes are attempting to ensure that the latter approach can also be made workable.

----- Forwarded message from Keith Owens <[email protected]> -----

X-Mailer: exmh version 2.7.2 01/07/2005 (debian 1:2.7.2-12) with nmh-1.2

From: Keith Owens <[email protected]>
To: Brian May <[email protected]>
cc: [email protected]
Date: Fri, 25 Jul 2008 10:08:09 +1000
Subject: Re: DNS exploit: watch out for NAT boxes 
Keith Owens (on Fri, 25 Jul 2008 09:52:53 +1000) wrote:

>Brian May (on Fri, 25 Jul 2008 09:17:56 +1000) wrote:
>>Keith Owens wrote:
>>> Bottom line: check if your DNS server is behind a NAT box that does
>>> sequential port mapping.  The 'Check My DNS' widget at
>>> http://www.doxpara.com will tell you if the outside world is seeing
>>> sequential ports or not.
>>>   
>>How does Linux NAT assign port numbers?
>
>2.6.26 should do random port mapping.  It starts off by trying to
>preserve the original (hopefully random) source port number.  If the
>original source port number is already in use by another NAT entry then
>it should generate a random source port number.  I say "should" because
>the code tests for flag IP_NAT_RANGE_PROTO_RANDOM and a quick check of
>the source did not find anywhere where that flag was set, I'm still
>looking.

Recent kernels should do random mapping but they do not. I just ran a test masquerading DNS queries to a small range of source port numbers and it went sequential :(. This has not been fixed as of yesterday's git patch; a bug report is on its way.

Having said that it goes sequential, the fact that masquerade tries to preserve the original source port number will mitigate against this bug. In most cases the original (random) source port number will be preserved, unless you force the source port into a particular range.

----- End forwarded message ----- ----- Forwarded message from hannah commodore <[email protected]> -----

Date: Fri, 25 Jul 2008 10:15:02 +1000
From: hannah commodore <[email protected]>
To: [email protected]
Subject: Re: DNS exploit: watch out for NAT boxes
Keith Owens wrote:

>test masquerading DNS queries to a small range of source port numbers
>and it went sequential :(.
>  
>Recent kernels should do random mapping but they do not. 

As mentioned on Dan's blog however, there is a work-around that does create random source ports: http://cipherdyne.org/blog/2008/07/mitigating-dns-cache-poisoning-attacks-with-iptables.html

----- End forwarded message -----


[conspire] Kaminsky presentation slides

Rick Moen [rick at linuxmafia.com]


Wed, 6 Aug 2008 16:57:58 -0700

----- Forwarded message from Rick Moen <[email protected]> -----

Date: Wed, 6 Aug 2008 16:52:29 -0700
From: Rick Moen <[email protected]>
To: [email protected]
Subject: [conspire] Kaminsky presentation slides
Dan Kaminsky gave his "Black Ops 2008" talk (continuing a series he's been giving for years at LISA conferences and elsewhere) about two hours ago at Black Hat, Caesar's Palace, Las Vegas. No downloadable audio file (one very nice thing about LISA conferences) yet, but Kaminsky has committed PowerPoint: http://www.doxpara.com/DMK_BO2K8.ppt

Major points:

0.  Bad guy induces a nameserver to issue queries for 1.foo.com,
    2.foo.com,... and floods it with forged responses delegating the
    query to claimed nameserver (or CNAME alias) "www.foo.com", and 
    trying to race that info back before the genuine response does.  
    Any response that succeeds and gets cached also carries the 
    (unrequested) "ADDITIONAL INFORMATION" datum that the forward-lookup 
    IP of www.foo.com is $EVIL_IP.  That unrequested info then gets 
    cached for a long time-to-live (TTL).  Voila!  Cache poisoning.
    Notice that the forged, malign data is in-bailiwick for foo.com.
1.  There are a huge number of ways to induce "safe" machines behind
    firewalls to ask about hostnames of an attacker's choosing:
    o  Web hyperlinks, with or without Typhoid Marys Javascript, Flash, 
       Java, etc. (though an attack can use those Typhoid Marys to 
       induce severe mischief by inducing reverse-DNS lookups).
    o  Practically any part of an attempted SMTP mail delivery.
    o  Logfiles that do reverse-DNS lookup (e.g., Web servers).
    o  "Web bugs" in documents.
    o  IDS paranoia that makes them do reverse-DNS lookups.
    (Kaminsky talks at length about ways to make this scale, practical,
    and more revealing of details of company-internal networks.)
2.  Making sure UDP source ports are random is a stopgap, as DNS's
    protocol design leaves it pretty unreliable.  (Duh.)
3.  DNS clients (resolver libs) are a little vulnerable if you
    can flood them with fake responses -- but at least don't cache.[1]
4.  Web (etc.) SSL certs don't necesssarily paper over the problem,
    because of dependency on DNS.  (For example:  Did you make your
    browser trust my Thawte cert for example.com?  Cool!
    That means it'll typically also accept my cert for paypal.com
    that has the same signature.  Or, hey, if I can convincingly forge
    paypal.com's DNS, I can register a Thawte certificate for paypal.com
    myself, because I can make the confirmation mails come to me.
    Ditto, almost everyone's "I forgot my password" link trusts DNS
    to some extent.)
5.  Risks also affect some internal networks, for several reasons including
    active internal code and routing that rely on DNS.  (Duh.)
6.  NAT is a sore point.
 
Choice quotation from the first slide:
 
    "-- I found a really bad bug a while ago.
        o   You might have heard of it...."

As usual for a Kaminsky talk, he's also done quite a great deal to trace out possible ramifications. Recommended.

[ ... ]

[ Thread continues here (1 message/3.83kB) ]


[conspire] DNS vulnerability details

Rick Moen [rick at linuxmafia.com]


Thu, 24 Jul 2008 09:28:43 -0700

----- Forwarded message from Eric De MUND <[email protected]> -----

Date: Wed, 23 Jul 2008 22:37:55 -0700
To: [email protected]
X-Mailer: VM 7.19 under Emacs 21.4.1
From: Eric De MUND <[email protected]>
Reply-To: Eric De MUND <[email protected]>
Subject: Re: [conspire] DNS vulnerability details
Rick,

First of all, a huge thank you for posting this very clearly written report /with prescription/. I'm an expert in some tiny little areas, and DNS isn't one of them. This is useful to me in quickly getting from poor safety maybe not to excellent safety but perhaps to "pretty good" safety.

I appreciate the sharing tremendously. Rick, you are a guy.

] Testing your nameserver's randomness of source port selection: ] ] Or use this Web facility: ] https://www.dns-oarc.net/oarc/services/dnsentropy

Ok, in repeated tests, I'm getting 2/3 POORs and 1/3 GOODs for source port randomness, and all GREATs for transaction IDs. This is Comcast.

    DNS Resolver(s) Tested:
 
    1. 68.87.76.179 (sjos-cns01.sanjose.ca.sanfran.comcast.net)
       appears to have POOR source port randomness and GREAT transaction
       ID randomness.
 
    2. 68.87.76.181 (sjos-cns03.sanjose.ca.sanfran.comcast.net)
       appears to have POOR source port randomness and GREAT transaction
       ID randomness.
 
    3. 68.87.78.131 (utah-cns01.saltlakecity.ut.utah.comcast.net)
       appears to have GOOD source port randomness and GREAT transaction
       ID randomness.

So what DNS-related debian package(s) do I need to get and run?

Regarding my Linksys WRT54G broadband router which is running DD-WRT v23 SP2 (09/15/06) std firmware, I think that if a patch is required, one will be made available shortly.

Regards, Eric

-- 
Eric De MUND   | Ixian Systems           | Jab: [email protected]/main
[email protected]  | 650 Castro St, #120-210 | Y!M: ead0002
ixian.com/ead/ | Mountain View, CA 94041 | ICQ: 811788
http://linuxmafia.com/mailman/listinfo/conspire

----- End forwarded message ----- ----- Forwarded message from Rick Moen <[email protected]> -----

Date: Thu, 24 Jul 2008 09:20:00 -0700
From: Rick Moen <[email protected]>
To: [email protected]
Subject: Re: [conspire] DNS vulnerability details
Quoting Eric De MUND ([email protected]):

> Ok, in repeated tests, I'm getting 2/3 POORs and 1/3 GOODs for source
> port randomness, and all GREATs for transaction IDs. This is Comcast.
> 
>     DNS Resolver(s) Tested:

Please don't read this as a complaint, but rather as a caution about terminology: Most people reserve the term "DNS resolver" to refer only to the DNS client piece (the one that on Linux is built into libc and has conffile /etc/resolv.conf). Being careful about terminology can help avoid confusing one's self.

[ ... ]

[ Thread continues here (10 messages/42.45kB) ]


DNS source port randomisation

Kapil Hari Paranjape [kapil at imsc.res.in]


Thu, 10 Jul 2008 17:29:27 +0530

Hello,

Most of you must have heard about Dan Kaminsky's discovery of a flaw in the DNS protocol and its standard implementation (in glibc and bind 8).

I thought of a quick fix for source port randomisation for DNS queries using iptables.

http://www.imsc.res.in/~kapil/blog/dns_quickfix-2008-07-10-17-07

Basically, the idea is to use iptables feature of source nat coupled with source randomisation.

iptables -t nat -A POSTROUTING -o ! lo -p udp --dport 53 \
    -j MASQUERADE --to-ports 1024-65535 --random
 
iptables -t nat -A POSTROUTING -o ! lo -p tcp --dport 53 \
    -j MASQUERADE --to-ports 1024-65535 --random

After writing this I realised that the randomisation only works with kernels version than 2.6.22.

Regards,

Kapil. --

[ Thread continues here (12 messages/40.02kB) ]



Talkback: Discuss this article with The Answer Gang

Copyright © 2008, . Released under the Open Publication License unless otherwise noted in the body of the article. Linux Gazette is not produced, sponsored, or endorsed by its prior host, SSC, Inc.

Published in Issue 154 of Linux Gazette, September 2008

Tux