186
Can any IP/DNS guru who is familiar with the release of the 'apparent' details of the Kaminsky cache poisoning attack comment on the pros and cons of immediately setting up our own workstation DNS caches (as shown in link), to reduce the risk of these speculative details resulting in cache poisoning of 'harmless' sites e.g. the technology page on BBC or even MicroMart forum (horror of horrors!).
http://www.howtoforge.com/perfect-djbdns-setup-on-ubuntu8.04-amd64
In asking this question I make the assumption that we install (say) djbdns and then rush around visiting all our favorite sites to build our own 'safe' cache, before the world and even our IP provider gets flooded with cache poisoning attempts.
286
Probably best off reposting/getting this moved to the Security forum mate. Can't speak for everyone but a lot of that is over my head unfortunately. Bit specialist.
Pentium
I've been following this with interest.. I'm not 100% convinced the problem is up to the point where it becomes a major security concern for the end user (like us) - however the 'industry' has gotten a kick in the teeth and been scared: which was his intention I guess (and a good idea IMO).
Considering the exploit is not fully public yet (see here http://www.infosecnews.org/pipermail/isn/2008-July/016589.html) I wouldn't worry too much. At Black Hat that will change of course so you might want to take action (see below).
There are patches for most modern DNS servers: but Bind 8 is a sticking point..
If you're worried I would put together a cache: it can't hurt and it will give you peace of mind.
However, to give any more advice than that you need to give a bit more info on your setup... are you talking personal computers here or for your business? Certainly if it is the latter I would avoid the per-workstation solution and go with setting up a BIND 9 on your network somewhere and then go about building a cache for it (probably manually to be certain).
(BTW, not a DNS guru; it's pushing the limits of my ability there.)
Cheers,
Tom
My Crime is that of curiosity, my crime is that of outsmarting you
-- MMMugs Clan member, MM-UK Folding Team Member, Web programmer, Electronics student and Micro Mart contributor --
[ Main/Gaming (Vista): Core2Duo E2140 @ 2.65GHz, 2GB ] [ Laptop (XP): CoreDuo 2.5GHz, 1GB ] [ File Server (Ubuntu 7.10): P4 2.93GHz, 256MB ] [ Folding 1 (Diskless folder): Unknown PIII, 256MB ]
-- Inactive / in build--
Folding 2 (Diskless folder): Opteron @ 2.6(ish), 512MB
Folding 2,4,5,6,7,8,9,10 (Diskless folders): Unknown PIII's and 4's, 128 -> 256MB
DHCP Server (Ubuntu 7 Server): P4 2GHz, 512MB
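Tom's remark that "there are patches for most modern DNS servers" refers to the resolver-side Kaminsky mitigation: randomising the UDP source port of outbound queries so an attacker has to guess both the port and the 16-bit transaction ID rather than the ID alone. The script below is an added example, not code from this thread or from any DNS project; it assumes tcpdump-style query lines (the sample capture lines are constructed in the script itself) and checks whether a resolver's outbound queries show a fixed source port or sequential transaction IDs, which is the quick sanity check a defender would run on their own cache before trusting it.

```python
# Added example (not from the thread): check whether a recursive resolver's
# outbound queries look patched against Kaminsky-style cache poisoning, i.e.
# whether the UDP source port and the 16-bit transaction ID are both
# unpredictable. Input is constructed tcpdump-style text, so it runs offline.
import math
import random
import re
from collections import Counter

# tcpdump -n style line: "IP <src>.<sport> > <dst>.53: <txid>[+] A? <name>. (len)"
QUERY_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)\+? ")


def parse_queries(lines):
    """Return [(source_port, txid), ...] for every outbound query line."""
    pairs = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def entropy_bits(values):
    """Empirical Shannon entropy in bits. It is capped by log2(len(values)),
    so on a small capture treat it as a lower bound, not the true entropy."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def analyze(pairs):
    """Summarise port/TXID unpredictability and list obvious weaknesses."""
    if not pairs:
        return {"queries": 0, "distinct_ports": 0, "port_bits": 0.0,
                "txid_bits": 0.0, "findings": ["no queries parsed"]}
    ports = [p for p, _ in pairs]
    txids = [t for _, t in pairs]
    findings = []
    if len(set(ports)) == 1:
        # Only the 16-bit TXID then stands between an attacker and the cache.
        findings.append("fixed source port")
    if len(txids) > 1 and all((b - a) % 65536 == 1 for a, b in zip(txids, txids[1:])):
        findings.append("sequential transaction IDs")
    return {
        "queries": len(pairs),
        "distinct_ports": len(set(ports)),
        "port_bits": round(entropy_bits(ports), 2),
        "txid_bits": round(entropy_bits(txids), 2),
        "findings": findings,
    }


def make_capture(fixed_port, sequential, n=64, seed=1):
    """Constructed tcpdump-style lines for one resolver's outbound queries.
    The addresses and hostnames are placeholders, not real hosts."""
    rng = random.Random(seed)
    lines = []
    for i in range(n):
        sport = 53 if fixed_port else rng.randint(1024, 65535)
        txid = (1000 + i) % 65536 if sequential else rng.randrange(65536)
        lines.append(f"IP 192.168.1.53.{sport} > 198.41.0.4.53: {txid} A? host{i}.example. (30)")
    return lines


UNPATCHED = make_capture(fixed_port=True, sequential=True)   # pre-patch behaviour
PATCHED = make_capture(fixed_port=False, sequential=False)   # port + TXID randomised

if __name__ == "__main__":
    for label, capture in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(label, analyze(parse_queries(capture)))
```

On a real resolver you would feed it the output of a capture of UDP/53 traffic leaving the cache rather than the constructed lines; an empty `findings` list with port entropy close to log2 of the sample size is what a patched resolver looks like, while a single source port means the cache is still relying on the transaction ID alone.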
186
I made this posting as an individual interested in keeping his PC as secure as possible. Reading the speculative details of the attack, it looks horribly trivial and will result in a 'race' to produce exploits. In fact one exploit based on that approach was published today. Unfortunately the 'fix' looks like it's been built from string and tape, and it won't keep the doors shut very long.
While I agree that the actual cache poisoning attacks will hit the larger companies, I would be interested in the effect on us if (say) the Btinternet DNS servers were successfully attacked. I have deliberately not used Google or Yahoo as an example, as that could bring the web down in terms of the way we use it today. I'm sure that other than industrial espionage, the main target of any exploits will be the general public in order to build huge bot-nets.
I think this is a case where Linux could build on its reputation for security and as a result increase its popularity even more. We need something in Linux as trivially easy to use as customized 'hosts' files in Windows. Although it's super secure I'm afraid djbdns doesn't fit that bill as it is 'horrible' to install and get running.
186
Just an afterword on djbdns - unless you are an expert, avoid it. Even the uninstall isn't easy. Go with the previous recommendation and use 'Bind' as that appears to be a well supported standard package that follows all the rules.
All I need quickly now is a large 'validated' DNS list in BIND format!
Although most of the 'details' on the exploit now appear to be pulled, just follow up on the Slashdot links and make your own judgements on the ramifications of this problem for the average Jill or Joe.
EDIT:
Unless I'm missing something, this link (although old) seems to contain all the info to set up a simple stand-alone DNS cache in Linux or even Windows.
http://www.x5.net/various/dns.html
386
Be careful when you go out the house, the sky might fall on your head.
186
Fair point with respect to the sky-falling. I don't know whether this is a 9+ Earthquake event or just a mild tremor that rattles a few cages, which is why I asked for advice. If the former is true then we had all better act quickly; if the latter, then doing nothing is the best and easiest response.
Pentium
TBH as an end user I wouldn't worry.
We have been building a bit of a safe DNS cache - mostly to market to other paranoid companies next month when things will kick off.
Cheers,
Tom
My Crime is that of curiosity, my crime is that of outsmarting you
-- MMMugs Clan member, MM-UK Folding Team Member, Web programmer, Electronics student and Micro Mart contributor --
[ Main/Gaming (Vista): Core2Duo E2140 @ 2.65GHz, 2GB ] [ Laptop (XP): CoreDuo 2.5GHz, 1GB ] [ File Server (Ubuntu 7.10): P4 2.93GHz, 256MB ] [ Folding 1 (Diskless folder): Unknown PIII, 256MB ]
-- Inactive / in build--
Folding 2 (Diskless folder): Opteron @ 2.6(ish), 512MB
Folding 2,4,5,6,7,8,9,10 (Diskless folders): Unknown PIII's and 4's, 128 -> 256MB
DHCP Server (Ubuntu 7 Server): P4 2GHz, 512MB