<?xml version='1.0' encoding='UTF-8'?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>Micro Mart Forum / Linux Mart / Micro Mart Forums  / DNS Cache Poisoning / Latest Posts</title><generator>InstantForum.NET v4.1.4</generator><description>Micro Mart Forum</description><link>http://forum.micromart.co.uk/</link><webMaster>forums@micromart.co.uk</webMaster><lastBuildDate>Tue, 02 Dec 2008 03:52:39 GMT</lastBuildDate><ttl>20</ttl><item><title>RE: DNS Cache Poisoning</title><link>http://forum.micromart.co.uk/Topic299818-22-1.aspx</link><description>The trouble with my utility is that it has an annoying tendency to crash to browser every 5 minutes (not really sure why - I'm a bit of a noob with FF plugins).&lt;br&gt;&lt;br&gt;I'll have a look at it over this weekend see if I can narrow things down....</description><pubDate>Tue, 29 Jul 2008 14:35:51 GMT</pubDate><dc:creator>Tom Morton</dc:creator></item><item><title>RE: DNS Cache Poisoning</title><link>http://forum.micromart.co.uk/Topic299818-22-1.aspx</link><description>Thanks Tom,&lt;br&gt;I did a search for a suitable Firefox plug-in, but couldn't find one with the full functionality you described for your plugin. Pity, as your description ticks every box - monitoring, and warning on critical sites without forcing retention of possibly outdated DNS addresses. If you had a commercial variant I'd buy it -- sorry I can't afford £2500!&lt;br&gt;&lt;br&gt;I think I'll just stick to pdnsd using the OpenDNS server -- they claim to be fully cache poisoning resistant to the recent exploits. Having read the Kaminsky details and discussions IMO something which relies on two sets of randomization for security has a long term vulnerability if ever a blackhat succeeds in reverse engineering the central security hash for BIND on a particular server implementation.
Good luck with your commercial venture, I think it has sales potential for quite some time!</description><pubDate>Tue, 29 Jul 2008 09:48:01 GMT</pubDate><dc:creator>EdP</dc:creator></item><item><title>RE: DNS Cache Poisoning</title><link>http://forum.micromart.co.uk/Topic299818-22-1.aspx</link><description>Yes, but the problem is that Google (for example) link to the domain names - your browser still has to query and resolve that to an IP (via a string of DNS servers) when you click the link. Using a search engine does NOT get you past a cache poisoning attack. It avoids phishing etc. only&lt;br&gt;&lt;br&gt;If the cache poisoning occurs on one of the DNS servers you use (i.e. your ISP's one - probably) then all your web requests are at risk! :)&lt;br&gt;&lt;br&gt;@EdP: I wasn't suggesting you were paranoid! Far from it :P Just that if you are careful and alert it probably won't affect you. I actually have a custom Firefox plugin that I simply cache all my important IPs (forums, banks, paypal, ebay etc etc.) and if there is a domain IP mismatch (from the cache) it warns me. I have seen a few plugins like that about the addons site so have a hunt round (I'm not releasing mine for various reasons) - it's well worth the download and could serve as a good compromise rather than go the full DNS route.&lt;br&gt;&lt;br&gt;We also sold our first DNS service today :P hopefully the scare will make some companies take notice..
£2,500 is a small price to pay for peace of mind that they have access to a secure, moderated, un-poisoned DNS server :P (hehe).&lt;br&gt;</description><pubDate>Sun, 27 Jul 2008 23:48:02 GMT</pubDate><dc:creator>Tom Morton</dc:creator></item><item><title>RE: DNS Cache Poisoning</title><link>http://forum.micromart.co.uk/Topic299818-22-1.aspx</link><description>Hi All&lt;br&gt;&lt;br&gt;I read this post with interest, but a simpler solution than setting up your own permanent DNS cache struck me.&lt;br&gt;&lt;br&gt;Whenever I talk to someone who is new to having their own personal computer/laptop, and they ask me about security, apart from the usual Windows based security suites, I always recommend that if they're going to a particular website to undertake a sensitive transaction, e.g. using a credit card, that they approach the site via a respected search engine.&lt;br&gt;&lt;br&gt;Then look for the locked padlock at the bottom right of the screen.&lt;br&gt;&lt;br&gt;My thinking behind this is that whilst I might make a finger error and end up on a rogue site, the additional use of a search engine reduces that error.&lt;br&gt;&lt;br&gt;This might also apply to a DNS bug, as whilst the bug might screw up the request for a search engine, presumably the spoof site would be hard pressed to carry out the search and then yield a convincing fake site, as the possibilities just become too large to handle.</description><pubDate>Sat, 26 Jul 2008 19:19:42 GMT</pubDate><dc:creator>malc_wright</dc:creator></item><item><title>RE: DNS Cache Poisoning</title><link>http://forum.micromart.co.uk/Topic299818-22-1.aspx</link><description>Sorry, the BBC Technology Page write-up, and the very slow takeup of server patches (Slashdot report) made me hit the panic button, so I've installed and built my own permanent DNS cache (pdnsd). I did this just to make sure that I actually get my Bank, Paypal, Amazon etc when I enter their URL.
If I've been over-reactive, then I apologise for crying wolf, but at least I get nearly instantaneous 'dig' times.&lt;br&gt;&lt;br&gt;For anyone else who is equally paranoid about their credit card and online banking, the Ubuntu installation of pdnsd is very easy if you use the resolvconf option, but you may want to customize the DNS nameservers etc. (I chose pdnsd as I reboot Ubuntu every day, and so Bind, and dnsmasq didn't quite hit the button.)</description><pubDate>Sat, 26 Jul 2008 12:31:37 GMT</pubDate><dc:creator>EdP</dc:creator></item><item><title>RE: DNS Cache Poisoning</title><link>http://forum.micromart.co.uk/Topic299818-22-1.aspx</link><description>TBH as an end user I wouldn't worry.&lt;br&gt;&lt;br&gt;We have been building a bit of a safe DNS cache - mostly to market to other paranoid companies next month when things will kick off.</description><pubDate>Fri, 25 Jul 2008 15:14:13 GMT</pubDate><dc:creator>Tom Morton</dc:creator></item><item><title>RE: DNS Cache Poisoning</title><link>http://forum.micromart.co.uk/Topic299818-22-1.aspx</link><description>Fair point with respect to the sky-falling. I don't know whether this is a 9+ Earthquake event or just a mild tremor that rattles a few cages, which is why I asked for advice. If the former is true then we had all better act quickly; if the latter, then doing nothing is the best and easiest response.</description><pubDate>Thu, 24 Jul 2008 18:26:06 GMT</pubDate><dc:creator>EdP</dc:creator></item><item><title>RE: DNS Cache Poisoning</title><link>http://forum.micromart.co.uk/Topic299818-22-1.aspx</link><description>Be careful when you go out the house, the sky might fall on your head. :hehe:</description><pubDate>Thu, 24 Jul 2008 16:30:40 GMT</pubDate><dc:creator>gn2</dc:creator></item><item><title>RE: DNS Cache Poisoning</title><link>http://forum.micromart.co.uk/Topic299818-22-1.aspx</link><description>Just an afterword on djbdns - unless you are an expert, avoid it. Even the uninstall isn't easy.
Go with the previous recommendation and use 'Bind' as that appears to be a well supported standard package that follows all the rules.&lt;br&gt;&lt;br&gt;All I need quickly now is a large 'validated' DNS list in BIND format!&lt;br&gt;&lt;br&gt;Although most of the 'details' on the exploit now appear to be pulled, just follow up on the Slashdot links and make your own judgements on the ramifications of this problem for the average Jill or Joe.&lt;br&gt;&lt;br&gt;EDIT:&lt;br&gt;Unless I'm missing something, this link (although old) seems to contain all the info to set up a simple stand-alone DNS cache in Linux or even Windows.&lt;br&gt;http://www.x5.net/various/dns.html</description><pubDate>Thu, 24 Jul 2008 09:44:59 GMT</pubDate><dc:creator>EdP</dc:creator></item><item><title>RE: DNS Cache Poisoning</title><link>http://forum.micromart.co.uk/Topic299818-22-1.aspx</link><description>I made this posting as an individual interested in keeping his PC as secure as possible. Reading the speculative details of the attack, it looks horribly trivial and will result in a 'race' to produce exploits. In fact one exploit based on that approach was published today. Unfortunately the 'fix' looks like it's been built from string and tape, and it won't keep the doors shut very long.&lt;br&gt;&lt;br&gt;While I agree that the actual cache poisoning attacks will hit the larger companies, I would be interested in the effect on us if (say) the Btinternet DNS servers were successfully attacked. I have deliberately not used Google or Yahoo as an example, as that could bring the web down in terms of the way we use it today. I'm sure that other than industrial espionage, the main target of any exploits will be the general public in order to build huge bot-nets.&lt;br&gt;&lt;br&gt;I think this is a case where Linux could build on its reputation for security and as a result increase its popularity even more.
We need something in Linux as trivially easy to use as customized 'hosts' files in Windows. Although it's super secure I'm afraid djbdns doesn't fit that bill as it is 'horrible' to install and get running.&lt;br&gt;&lt;br&gt;</description><pubDate>Thu, 24 Jul 2008 08:10:35 GMT</pubDate><dc:creator>EdP</dc:creator></item><item><title>RE: DNS Cache Poisoning</title><link>http://forum.micromart.co.uk/Topic299818-22-1.aspx</link><description>I've been following this with interest.. I'm not 100% convinced the problem is up to the point where it becomes a major security concern for the end user (like us) - however the 'industry' has gotten a kick in the teeth and been scared: which was his intention I guess (and a good idea IMO). &lt;br&gt;&lt;br&gt;Considering the exploit is not fully public yet (see here http://www.infosecnews.org/pipermail/isn/2008-July/016589.html) I wouldn't worry too much. At Black Hat that will change of course so you might want to take action (see below).&lt;br&gt;&lt;br&gt;There are patches for most modern DNS servers: but Bind 8 is a sticking point..&lt;br&gt;&lt;br&gt;If you're worried I would put together a cache: it can't hurt and it will give you peace of mind.&lt;br&gt;&lt;br&gt;However to give any more advice than that you need to give a bit more info on your setup... are you talking personal computers here or for your business? Certainly if it is the latter I would avoid the per-workstation solution and go with setting up a BIND 9 on your network somewhere and then go about building a cache for it (probably manually to be certain).&lt;br&gt;&lt;br&gt;(BTW not a DNS guru :P it's pushing the limits of my ability there ;))</description><pubDate>Wed, 23 Jul 2008 20:01:06 GMT</pubDate><dc:creator>Tom Morton</dc:creator></item><item><title>RE: DNS Cache Poisoning</title><link>http://forum.micromart.co.uk/Topic299818-22-1.aspx</link><description>Probably best off reposting/getting this moved to the Security forum mate.
Can't speak for everyone but a lot of that is over my head unfortunately. Bit specialist.</description><pubDate>Wed, 23 Jul 2008 19:27:53 GMT</pubDate><dc:creator>Attercop</dc:creator></item><item><title>DNS Cache Poisoning</title><link>http://forum.micromart.co.uk/Topic299818-22-1.aspx</link><description>Can any IP/DNS guru who is familiar with the release of the 'apparent' details of the Kaminsky cache poisoning attack comment on the pros and cons of immediately setting up our own workstation DNS caches (as shown in link), to reduce the risk of these speculative details resulting in cache poisoning of 'harmless' sites e.g. the technology page on BBC or even MicroMart forum (horror of horrors!). &lt;br&gt;&lt;br&gt;http://www.howtoforge.com/perfect-djbdns-setup-on-ubuntu8.04-amd64&lt;br&gt;&lt;br&gt;In asking this question I make the assumption that we install (say) djbdns and then rush around visiting all our favorite sites to build our own 'safe' cache, before the world and even our IP provider gets flooded with cache poisoning attempts.</description><pubDate>Tue, 22 Jul 2008 11:32:56 GMT</pubDate><dc:creator>EdP</dc:creator></item></channel></rss>