[afnog] Big DNS vulnerability

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Jul 23 08:19:42 UTC 2008


On Wed, Jul 09, 2008 at 11:05:46AM +0200,
 Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote 
 a message of 28 lines which said:

> Executive summary: upgrade your recursive name servers ASAP.

The detailed announcement, which was scheduled for August 7th, has
been made in advance (by accident or by desire for fame):

http://beezari.livejournal.com/141796.html

As a result, every cracker on the planet now knows how to write an
exploit. So, we can expect actual uses of the vulnerability at any
moment. And it is a serious one.

> For BIND users (do note that several vendors who ship BIND already
> have the upgraded version, for instance Debian and Gentoo):
> 
> http://www.isc.org/index.pl?/sw/bind/forgery-resilience.php
> 
> For Microsoft users:
> 
> http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspx
> 
> For Cisco users:
> 
> http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml

Patching is therefore now URGENT. According to this survey:

http://www.hackerfactor.com/blog/index.php?/archives/204-Poor-DNS.html

many big ISPs in the USA are STILL vulnerable (I do not know if someone
performed the same survey in Africa but I suspect it will not be much
better).

Only one message: if not patched yet, PATCH NOW.

To test if the resolver is relatively secure, the best Web tool is:

https://www.dns-oarc.net/oarc/services/dnsentropy

and the best command-line tool is dig :-)

dig @X.Y.Z.T +short porttest.dns-oarc.net TXT

(See https://www.dns-oarc.net/oarc/services/porttest)
