[afnog] Big DNS vulnerability (Here is my finds and Quickst Solution 4 those running BIND on Centos or Fedora Linux Distros)...

Yahaya Wara mywarra at yahoo.com
Fri Jul 25 17:20:02 UTC 2008
Thanks Noah for these wonderful findings; we will implement this in our organizational DNS.

Can I implement the same on Ubuntu Linux, since I run my bind9 on Ubuntu 8.04?

Thanks.

--- On Thu, 7/24/08, Maina Noah <mainanoah at ipexpertz.net> wrote:

From: Maina Noah <mainanoah at ipexpertz.net>
Subject: [afnog] Big DNS vulnerability (Here is my finds and Quickst Solution 4 those running BIND on Centos or Fedora Linux Distros)...
To: afnog at afnog.org, "Stephane Bortzmeyer" <bortzmeyer at nic.fr>
Cc: "eanog" <eanog at eanog.org>
Date: Thursday, July 24, 2008, 3:46 PM


Dear all,

This topic has been one of those hot topics around the globe and, being a systems engineer, it really caught my attention since I administer a few of those name servers for my organization. Now, I could not wait until Dan Kaminsky goes public again on August 6th at 11:15AM Pacific to talk at the Black Hat Briefings regarding this vulnerability in BIND.
And given the fact that some folks have already leaked the ways and hows of utilizing the flaw to exploit those vulnerable systems, I had to start thinking earlier on how to fix my own name servers. Believe me, they were also vulnerable as I was running the old version of BIND 9.

Now my finding, as simple as it may look, only applies to those folks running BIND 9 on Centos 4 or 5 and Fedora Core systems and above. I tested on all these boxes in my office. Comments and suggestions are welcome.

Let's start...

Prerequisites
===========
- Your firewall (iptables NAT/PAT or PIX) must have port 53 open in such a way that it will allow random port selection.
- You must be running BIND 9 on Centos 4 or 5 or any Fedora Core system.
- BIND should be running in chrooted mode; not a prerequisite, but a best practice.
- In your /etc/named/named.conf OR /etc/named.conf file you must disable recursion and add an acl to only allow your networks to do recursive requests.
i.e.. acl "mynetworks" {
        127/8;  172.16.0.0/12;  10.0.0.0/8;  192.168.0.0/16;
};

i.e..view "internal" {
        match-clients { mynetworks; };
        allow-query { mynetworks; };
        allow-recursion { mynetworks; };
        match-recursive-only yes;
        ## zone statements for this view go here
};

i.e ..view "external" {
        match-clients { any; };
        allow-query { any; };
        allow-recursion { none; };
        match-recursive-only no;
        ## zone statements for this view go here
};

AND TO FIX the BIND VULNERABILITY
-----------------------------------------------------------------------------------

Checking if your system is vulnerable: run the command below, replacing yourdomain with your organisation's TLD or ccTLD.

[superuser at ns1 ~]# dig +short @ns1.youdomain.co.tz porttest.dns-oarc.net TXT
;; Warning: ID mismatch: expected ID 60119, got 4972
;; Warning: ID mismatch: expected ID 60119, got 4972
;; Warning: ID mismatch: expected ID 60119, got 4972
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"192.168.1.3 is POOR: 26 queries in 20.0 seconds from 1 ports with std dev 0.00"


[superuser at ns1 ~]# dig +short @ns1.youdomain.co.tz porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"192.168.1.3 is POOR: 26 queries in 20.0 seconds from 1 ports with std dev 0.00"

POOR indicates your name server or system is vulnerable.

Solution 
------------------------

[superuser at ns1 /]# yum update bind bind-chroot -y


[superuser at ns1 /]#vi /etc/named.conf   ## Open your named.conf in vi and do the following. Afterwards save and reload BIND
 
options {
        directory "/var/named";
        allow-transfer { 192.168.1.4; };
        # query-source address * port 53;  ## REMOVE OR COMMENT this line so as to allow random port selection. Do this by prepending a # to this line
        dnssec-enable yes;  ## Add this line to your named.conf to enable DNSSEC and go ahead and set up DNSSEC. Remember it is not an ultimate solution
};


[superuser at ns1 /]#/etc/init.d/named reload

Then Check again to test
----------------------------

[superuser at ns1 /]# dig +short @ns1.youdomain.co.tz porttest.dns-oarc.net TXT

;; Warning: ID mismatch: expected ID 32835, got 58254
;; Warning: ID mismatch: expected ID 32835, got 58254
;; Warning: ID mismatch: expected ID 32835, got 58254
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"192.168.1.3 is GOOD: 26 queries in 19.6 seconds from 26 ports with std dev 16515.27"


[superuser at ns1 /]# dig +short @ns1.youdomain.co.tz porttest.dns-oarc.net TXT    Just to confirm...:-)

z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"192.168.1.3 is GOOD: 26 queries in 19.6 seconds from 26 ports with std dev 16515.27"
===========================================================================

GOOD indicates that your name server, at x.x.x.x, appears to be safe, but make sure the ports listed aren't following an obvious pattern, i.e. the ports with standard deviation 16515.27. If your test clocks 10000.00 then your DNS server is safer and your clients or users should not worry.

Do the same on all the DNS servers in your organization. Suggestions and comments are welcome.

Kind regards,

------
./maina noah
Penguins LLC.
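The two checks in the message above (spotting the pinned query-source port in named.conf and reading the porttest verdict) as a small Python helper. This is an added example, not code from the original post or from ISC; the named.conf fragment and port lists are constructed, and the porttest line format is the one quoted in the message.

```python
"""Audit helpers for the BIND source-port issue discussed above.
Added example; not part of the original message."""
import re
import statistics

# Constructed fragment carrying the weak setting shown in the post.
WEAK_CONF = """
options {
        directory "/var/named";
        allow-transfer { 192.168.1.4; };
        query-source address * port 53;
        recursion yes;
};
"""

FIXED_PORT = re.compile(r'^\s*query-source(?:-v6)?\s+.*\bport\s+(\d+)\s*;', re.M)
RECURSION = re.compile(r'^\s*allow-recursion\s*\{([^}]*)\}', re.M)


def audit_named_conf(conf):
    """Return findings for settings that leave a resolver exposed to
    cache poisoning: a pinned UDP source port (every outgoing query
    uses the same port, so only the 16-bit query ID protects it) and
    recursion that is not limited to an ACL. Lines commented out with
    '#' or '//' are ignored, so the fix from the post clears the finding."""
    live = "\n".join(l for l in conf.splitlines()
                     if not l.lstrip().startswith(("#", "//")))
    findings = []
    m = FIXED_PORT.search(live)
    if m:
        findings.append(f"query-source pins UDP port {m.group(1)}: no port randomization")
    r = RECURSION.search(live)
    if r is None or re.search(r'\bany\b', r.group(1)):
        findings.append("recursion is not restricted to an ACL")
    return findings


PORTTEST = re.compile(r'(\S+) is ([A-Z]+): (\d+) queries in ([\d.]+) seconds '
                      r'from (\d+) ports with std dev ([\d.]+)')


def parse_porttest(txt):
    """Parse the TXT answer from porttest.dns-oarc.net into a dict."""
    m = PORTTEST.search(txt)
    if not m:
        raise ValueError("not a porttest answer")
    ip, rating, q, secs, ports, sd = m.groups()
    return {"ip": ip, "rating": rating, "queries": int(q), "seconds": float(secs),
            "ports": int(ports), "stddev": float(sd)}


def port_spread(ports):
    """Distinct-port count and population std dev of observed source
    ports: the two numbers porttest reports (1 port / 0.00 is the bad case)."""
    return len(set(ports)), round(statistics.pstdev(ports), 2)
```

`port_spread` can be fed source ports captured from your own resolver's outgoing queries to reproduce the porttest verdict offline.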


Date: Wed, 23 Jul 2008 10:19:42 +0200
From: Stephane Bortzmeyer <bortzmeyer at nic.fr>
Subject: Re: [afnog] Big DNS vulnerability
To: afnog at afnog.org
Message-ID: <20080723081942.GA11778 at nic.fr>
Content-Type: text/plain; charset=us-ascii

On Wed, Jul 09, 2008 at 11:05:46AM +0200,
Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote 
a message of 28 lines which said:

> Executive summary: upgrade your recursive name servers ASAP.

The detailed announcement, which was scheduled for August 7th, has
been made in advance (by accident or by desire for fame):

http://beezari.livejournal.com/141796.html

As a result, every cracker on the planet now knows how to write an
exploit. So, we can expect actual uses of the vulnerability at any
moment. And it is a serious one.

> For BIND users (do note that several vendors who ship BIND already
> have the upgraded version, for instance Debian and Gentoo):
> 
> http://www.isc.org/index.pl?/sw/bind/forgery-resilience.php
> 
> For Microsoft users:
> 
> http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspx
> 
> For Cisco users:
> 
> http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml

Patching is therefore now URGENT. According to this survey:

http://www.hackerfactor.com/blog/index.php?/archives/204-Poor-DNS.html

many big ISPs in the USA are STILL vulnerable (I do not know if someone
performed the same survey in Africa but I suspect it will not be much
better).

Only one message: if not patched yet, PATCH NOW.

To test if the resolver is relatively secure, the best Web tool is:

https://www.dns-oarc.net/oarc/services/dnsentropy

and the best command-line tool is dig :-)

dig @X.Y.Z.T +short porttest.dns-oarc.net TXT

(See https://www.dns-oarc.net/oarc/services/porttest)
_______________________________________________
afnog mailing list
http://afnog.org/mailman/listinfo/afnog
