Author Topic: The cat is out of the bag now.... DNS flaw published by mistake!  (Read 12651 times)


Offline polonus

Hi malware fighters,

For the second time now a very dangerous DNS flaw has been published by a security firm, before an official presentation at a coming Blackhat Conference. The man who found it, Dan Kaminsky, could not do much. The info on the site was taken down, but once the cat is out of the bag (they found the search engine cached info: http://blogs.buanzo.com.ar/2008/07/matasano-kaminsky-dns-forgery.html ) it is difficult to get it back in. So everyone, update DNS and watch your kernels.

So, is it really THAT bad? Well, yes. Basically, Dan figured out how to poison ANY DNS server's cache. The end result: people using the DNS server will think they are at Paypal, but are really at evilguy.com.
Hope for the big general patch now to come soon....

The patch consists of randomly generating the source port and coupling this to the TXID, to minimize the chance of a correctly spoofed reply.
Another way is to run your own private recursive DNS server without forwarders to make these kinds of assaults impossible.

polonus
« Last Edit: July 23, 2008, 12:04:05 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline .: Mac :.

Re: The cat is out of the bag now.... DNS flaw published by mistake!
« Reply #1 on: July 23, 2008, 04:53:07 AM »
Thanks for posting this polonus! Very scary to know that this works on any DNS server. Good reading indeed.
"People who are really serious about software should make their own hardware." - Alan Kay

Offline Marc57

Re: The cat is out of the bag now.... DNS flaw published by mistake!
« Reply #2 on: July 23, 2008, 06:22:52 AM »
Very informative as always, thanks polonus.
You Wanted the Best You Got the Best the Hottest Band in the World KISS!!!

Offline bob3160

Re: The cat is out of the bag now.... DNS flaw published by mistake!
« Reply #3 on: July 23, 2008, 03:53:33 PM »
You can protect yourself by setting yourself to OpenDNS.
This can affect you no matter what computer or operating system you’re using, and no matter what ISP you may have.
If you connect to the Internet, you need to have DNS servers. Your computer needs to know how to match an IP address with a domain name.
Me worry ???  NO, I've been using and promoting OpenDNS for a long time as you can tell from
the following informative link:
http://forum.avast.com/index.php?topic=16849.msg185494#msg185494
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v24H2 64bit, 32 Gig Ram, 1TB SSD, Avast Free 24.4.6112, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline polonus

Re: The cat is out of the bag now.... DNS flaw published by mistake!
« Reply #4 on: July 23, 2008, 09:22:51 PM »
Hello malware fighters,

Polonus would not be polonus, if he did not offer you a site to test your current DNS.
Do it, go here and click and test your DNS Resolvers at: https://www.dns-oarc.net/oarc/services/dnsentropy

Everything GREAT for ye?

polonus

Offline oldman

Re: The cat is out of the bag now.... DNS flaw published by mistake!
« Reply #5 on: July 23, 2008, 09:35:53 PM »
Hi Polonus

Yep, all Great.

Offline bob3160

Re: The cat is out of the bag now.... DNS flaw published by mistake!
« Reply #6 on: July 24, 2008, 05:48:40 AM »
Hi Damien,
Everything here gets reported as "Great" but remember, I use OpenDNS:),
so I didn't expect anything less.

micky77

Re: The cat is out of the bag now.... DNS flaw published by mistake!
« Reply #7 on: July 24, 2008, 04:51:27 PM »
 Source Port Randomness: POOR
 Transaction ID Randomness: GREAT
Is this bad ?

wyrmrider

Re: The cat is out of the bag now.... DNS flaw published by mistake!
« Reply #8 on: July 24, 2008, 06:05:53 PM »
I got Great and Great
so I think I would inquire about Great and Poor

Offline polonus

Re: The cat is out of the bag now.... DNS flaw published by mistake!
« Reply #9 on: July 24, 2008, 10:53:30 PM »
Hi micky77,

Your resolver's randomness will be rated either GOOD, FAIR, or POOR,
based on the standard deviation of observed source ports.
In order to receive a GOOD rating, the standard deviation must be at least 10,000.
For FAIR it must be at least 3,000. Anything less is POOR.
The best standard deviation you can expect to see from 26 queries is in the 18,000-20,000 range.

If you see a POOR rating, we recommend that you contact your ISP
and ask if they have plans to upgrade their nameserver software
soon. The CERT cite is "VU#800113 Multiple DNS implementations vulnerable to cache poisoning".

"For those not listening, we can infect a name server in 11 seconds now, which was never true before",

polonus
« Last Edit: July 24, 2008, 11:03:56 PM by polonus »
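As an added example (not from the thread, and not DNS-OARC's own test code), this Python script applies the standard-deviation thresholds quoted above to two constructed batches of 26 observed source ports, and relates port entropy to the TXID-plus-source-port coupling described in the opening post. The two port batches are constructed for illustration, and it is an assumption here that the rating uses the population standard deviation.

```python
"""Rate a resolver's source-port randomness from a batch of observed
query source ports, using the thresholds quoted in the thread:
standard deviation >= 10,000 is GOOD, >= 3,000 is FAIR, else POOR."""
import statistics

GOOD_MIN = 10_000   # thresholds as quoted from the DNS-OARC test
FAIR_MIN = 3_000
TXID_SPACE = 2 ** 16  # a DNS transaction ID is a 16-bit field

# Constructed sample: 26 source ports from a resolver that randomises
# them across the whole port range (not a real capture).
RANDOMISED_PORTS = [
    1025, 3478, 7801, 12044, 15230, 18795, 21404, 24999, 28100, 31470,
    34562, 37998, 40210, 43877, 46530, 49123, 52004, 54890, 57213, 59870,
    62001, 64510, 9000, 33333, 45000, 20020,
]
# Constructed sample: 26 ports rewritten sequentially by a NAT in
# front of the resolver, the situation behind the "only 129 ports
# apart" result reported later in the thread.
NATTED_PORTS = [32768 + 5 * i for i in range(26)]  # 32768 .. 32893


def rate_ports(ports):
    """Return (rating, stdev, spread) for observed source ports.
    spread is max - min, which is what the Doxpara check reports and
    which exposes a NAT that de-randomises an otherwise good resolver."""
    sd = statistics.pstdev(ports)  # assumption: population std dev
    spread = max(ports) - min(ports)
    if sd >= GOOD_MIN:
        rating = "GOOD"
    elif sd >= FAIR_MIN:
        rating = "FAIR"
    else:
        rating = "POOR"
    return rating, sd, spread


def forger_search_space(port_entropy_bits):
    """Number of (TXID, source port) pairs an off-path forger must cover.
    With a fixed source port only the 16-bit TXID protects the query;
    coupling it to n bits of random source port multiplies that by 2**n."""
    return TXID_SPACE * (2 ** port_entropy_bits)


if __name__ == "__main__":
    for name, ports in (("randomised", RANDOMISED_PORTS), ("behind NAT", NATTED_PORTS)):
        rating, sd, spread = rate_ports(ports)
        print(f"{name}: {rating} (stdev {sd:.0f}, spread {spread})")
    print("guesses, fixed port:", forger_search_space(0))
    print("guesses, 16-bit random port:", forger_search_space(16))
```

The randomised batch lands in the 18,000-20,000 standard-deviation range the thread says 26 queries should show, while the NAT batch is POOR despite the resolver behind it possibly being fine.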

Go Pack Go

Re: The cat is out of the bag now.... DNS flaw published by mistake!
« Reply #10 on: July 25, 2008, 02:26:32 AM »
On my pc with OpenDNS , GREAT and GREAT, on my pc with my ISP DNS, Source Port Randomness: POOR, Transaction ID Randomness: GREAT.

Offline polonus

Re: The cat is out of the bag now.... DNS flaw published by mistake!
« Reply #11 on: July 25, 2008, 04:32:09 PM »
Hi malware fighters,

Just a link to another online DNS checker: http://www.doxpara.com/?p=1176

pol

Offline FreewheelinFrank

Re: The cat is out of the bag now.... DNS flaw published by mistake!
« Reply #12 on: July 25, 2008, 07:38:36 PM »
Quote
Attacks begin on net address flaw

Attack code that exploits flaws in the net's addressing system are starting to circulate online, say security experts.

http://news.bbc.co.uk/1/hi/technology/7525206.stm

micky77

Re: The cat is out of the bag now.... DNS flaw published by mistake!
« Reply #13 on: July 25, 2008, 08:26:09 PM »
Quote from: polonus on July 24, 2008, 10:53:30 PM
Hi micky77,

Your resolver's randomness will be rated either GOOD, FAIR, or POOR,
based on the standard deviation of observed source ports.
In order to receive a GOOD rating, the standard deviation must be at least 10,000.
For FAIR it must be at least 3,000. Anything less is POOR.
The best standard deviation you can expect to see from 26 queries is in the 18,000-20,000 range.

If you see a POOR rating, we recommend that you contact your ISP
and ask if they have plans to upgrade their nameserver software
soon. The CERT cite is "VU#800113 Multiple DNS implementations vulnerable to cache poisoning".

"For those not listening, we can infect a name server in 11 seconds now, which was never true before",

polonus

Thanks very much Pol, I will take your advice; if I get no joy, I will try Bob's OpenDNS (thanks Bob).
I tried the Doxpara check, and it said,
Your name server, , may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 129.
« Last Edit: July 25, 2008, 08:30:29 PM by micky77 »

drhayden1

Re: The cat is out of the bag now.... DNS flaw published by mistake!
« Reply #14 on: July 25, 2008, 09:33:43 PM »
Also use OpenDNS like Bob has mentioned :)
And Damian on this like you posted above https://www.dns-oarc.net/oarc/services/dnsentropy
All the tests came out GREAT :)
1. 208.67.217.4 (bld1.nyc.opendns.com) appears to have GREAT source port randomness and GREAT transaction ID randomness.
2. 208.67.217.17 (bld7.nyc.opendns.com) appears to have GREAT source port randomness and GREAT transaction ID randomness.
as seen below..........
« Last Edit: July 25, 2008, 09:45:27 PM by drhayden1 »