Topic 'Internet flaw could let hackers take over the Web' in forum 'Security' - dslreports.com

Re: Internet flaw could let hackers take over the Web

Fri, 11 Jul 2008 00:17:32 EDT

mikenolan7 posted : Thanks for that explanation. You're correct, I didn't understand that last step. I assumed the DNS server I connect to went to the root servers when it didn't know the address.

It still doesn't explain why the doxpara tool would respond with a server that belongs to my ISP, when the server that I query and get a response from is not related in any way to my ISP. That's not really important though, I appreciate your help. :)

Re: Internet flaw could let hackers take over the Web

Thu, 10 Jul 2008 20:48:35 EDT

NetFixer posted :

said by mikenolan7:

When I monitor the connection (wireshark on another machine), the same DNS server that I query responds to the request. That's really just a double check, because my firewall rules only allow DNS traffic to and from the server that I use.

But what you seem to not understand is that the DNS server that you "use" is not necessarily the DNS server that actually resolves the DNS query (even though from your local perspective, all queries and replies only use that server).

Here is an example of doing a nslookup www.yahoo.com 192.168.10.1 from my Windows XP workstation, where 192.168.10.1 is the LAN IP address of my gateway router (and my secondary DNS server). Note that this is a forwarding DNS server, and all external DNS queries to it are simply forwarded to a list of automatically assigned ISP DNS servers:

C:\Documents and Settings\royces.DCS_NET>nslookup www.yahoo.com 192.168.10.1Server:  dcs-gw1.dcs-netAddress:  192.168.10.1 Non-authoritative answer:Name:    www.yahoo-ht3.akadns.netAddress:  69.147.76.15Aliases:  www.yahoo.com

Packet captures show that as far as this PC is concerned, only 192.168.10.1 is involved in the DNS query/reply:

[att=1]

[att=2]

On the other hand, the router's outgoing log clearly shows that the DNS query was passed on to 64.105.202.139 for resolution:

Jul 10 19:00:04 192.168.10.1 Jul 10 19:00:04 2008 dcs-gw1 RGFW-OUT: ACCEPT (UDP 66.134.0.234:18811->64.105.202.139:53 on ppp0) [31,0]

This is what always happens when you make a DNS query to an AnyCast server, or if you make a DNS query to a forwarding DNS server that does not already have the results in its cache.

--
History does not long entrust the care of freedom to the weak or the timid.
-- Dwight D. Eisenhower
Test your firewall.
Smell the flowers.

DNS Query
DNS Reply

Re: Internet flaw could let hackers take over the Web

Thu, 10 Jul 2008 20:35:14 EDT

Cabal posted :

Not really. The response you get claims to be from the system you made the request to. It's one of the reasons anycast works so well, but it's also the reason DNS (and most UDP-based) spoofing is so easy: your firewall lets it right through if it matches accurately *enough*.
--
Interested in open source engine management for your Subaru?

Re: Internet flaw could let hackers take over the Web

Thu, 10 Jul 2008 18:17:40 EDT

mikenolan7 posted : When I monitor the connection (wireshark on another machine), the same DNS server that I query responds to the request. That's really just a double check, because my firewall rules only allow DNS traffic to and from the server that I use.

Re: Internet flaw could let hackers take over the Web

Thu, 10 Jul 2008 18:12:26 EDT

NetFixer posted :

said by mikenolan7:

Interesting.

traceroute -p 53 (dns server I chose)

Got me to (dns server I chose). Oh well, it is what it is.

A traceroute is not a DNS query, even if you use port 53.

webhost:/home/royces # traceroute -p 53 4.2.2.4traceroute-lbl to 4.2.2.4 (4.2.2.4), 30 hops max, 38 byte packets 1  dcs-gw1 (192.168.10.1)  0.982 ms  0.630 ms  0.537 ms 2  192.168.2.251 (192.168.2.251)  19.142 ms 68.216.204.65 (68.216.204.65)  9.335 ms  9.183 ms 3  192.168.2.113 (192.168.2.113)  22.723 ms 68.216.204.37 (68.216.204.37)  10.707 ms  11.120 ms 4  ge-6-5.car1.atlanta1.level3.net (64.154.37.105)  22.954 ms 65.83.237.126 (65.83.237.126)  10.761 ms  10.936 ms 5  vnsc-pri-dsl.genuity.net (4.2.2.4)  21.218 ms ixc01sdf-6-0-1.bellsouth.net (65.83.237.95)  18.724 ms  21.175 ms webhost:/home/royces # dig +short porttest.dns-oarc.net TXT @4.2.2.4z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net."209.244.5.147 is POOR: 26 queries in 2.0 seconds from 1 ports with std dev 0.00"

Do a Google or Yahoo! search for AnyCast to find out why the DNS server you select may not be the DNS server that actually responds to your query.

»en.wikipedia.org/wiki/Anycast#Us···ment_DNS

said by Wikipedia :

Use of anycast to implement DNS

A number of the Internet root nameservers are implemented as large numbers of clusters of machines using anycast. The C, F, I, J, K, L and M servers exist in multiple locations on different continents, using anycast announcements to provide a decentralized service. As a result, most of the physical (rather than nominal) root servers are now outside the United States. RFC 3258 documents how anycast is used to provide authoritative DNS services. Akamai, *Community DNS, UltraDNS (now known as Neustar Ultra Services), Netriplex, DNSMadeEasy, EasyDNS and many other authoritative name service providers have all switched to an IP anycasted environment to increase query performance and redundancy. The use of the IP anycast network helps provide for a highly resilient DNS service. Additionally, the recursive DNS service OpenDNS use anycast to distribute the load across their network.

--
History does not long entrust the care of freedom to the weak or the timid.
-- Dwight D. Eisenhower
Test your firewall.
Smell the flowers.

Re: Internet flaw could let hackers take over the Web

Thu, 10 Jul 2008 13:22:04 EDT

TheWiseGuy posted : I think what they are doing is have you send a DNS query to your server with a unique name (the first part changes). They then monitor the source port and the IP address when it is forwarded to their DNS server to be resolved and report that address and source port.
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.

Re: Internet flaw could let hackers take over the Web

Thu, 10 Jul 2008 11:42:34 EDT

redwolfe_98 posted : i guess this explains the changes in the way that windows does "DNS".. after the recent windows updates, i noticed that windows is using different local ports for DNS.. before, it was using local ports 1024-4999, for DNS.. now it is using local ports 1024-65535, for DNS..

Re: Internet flaw could let hackers take over the Web

Thu, 10 Jul 2008 10:05:57 EDT

Cabal posted : As mentioned in the All Things UNIX thread, this test can also be done with dig.

Bad:
$ dig +short porttest.dns-oarc.net TXT @4.2.2.1 z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net. "209.244.7.33 is POOR: 26 queries in 1.9 seconds from 1 ports with std dev 0.00"

A few ports, but still bad randomization:
$ dig +short porttest.dns-oarc.net TXT @68.87.71.226 z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net. "68.87.71.228 is POOR: 26 queries in 2.9 seconds from 22 ports with std dev 129.69"

Good:
$ dig +short porttest.dns-oarc.net TXT @208.67.222.222 z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net. "208.67.217.4 is GOOD: 27 queries in 3.0 seconds from 27 ports with std dev 17824.53"
--
Interested in open source engine management for your Subaru?

Re: Internet flaw could let hackers take over the Web

Thu, 10 Jul 2008 09:52:39 EDT

mikenolan7 posted : Interesting.

traceroute -p 53 (dns server I chose)

Got me to (dns server I chose). Oh well, it is what it is.

Re: Internet flaw could let hackers take over the Web

Thu, 10 Jul 2008 03:22:44 EDT

NetFixer posted :

said by jmorlan:

said by mikenolan7:

If this is correct, if you are using OpenDNS and run the check, you are not actually checking if OpenDNS is vulnerable. You are actually checking if (one of) your ISP's servers is vulnerable or not. That doesn't mean OpenDNS is vulnerable, just that you aren't actually checking that information.

That is also what I found. When I stopped my local DNS server from forwarding to Level3 and/or my ISP DNS servers, the DoxPara test properly reported my inhouse DNS server IP addresses:

Your name server, at 66.134.0.234, appears to be safe.
------------------------------------------------------
Requests seen for 181b0f90e6c4.toorrr.com:
66.134.0.234:50853 TXID=51527
74.245.184.227:63538 TXID=22862
66.134.0.234:49255 TXID=13941
74.245.184.227:60600 TXID=60754
66.134.0.234:50450 TXID=25296

=======================================================

Your name server, at 74.245.184.227, appears to be safe.
--------------------------------------------------------
Requests seen for 37240600ece2.toorrr.com:
74.245.184.227:54725 TXID=32041
66.134.0.234:60475 TXID=54854
74.245.184.227:52818 TXID=38041
66.134.0.234:54800 TXID=59996
74.245.184.227:65302 TXID=63365

--
History does not long entrust the care of freedom to the weak or the timid.
-- Dwight D. Eisenhower
Test your firewall.
Smell the flowers.

Re: Internet flaw could let hackers take over the Web

Thu, 10 Jul 2008 00:13:47 EDT

jmorlan posted :

That is not what I found. Switching to OpenDNS, DoxPara reported my DNS as: 208.67.219.12 which resolves to bld2.pao.opendns.com, owned by OpenDNS but in my local area. It did not report on my ISPs server.
--
Weather forecast for tonight: dark. Continued dark overnight, with widely scattered light by morning. (George Carlin)

Re: Internet flaw could let hackers take over the Web

Wed, 09 Jul 2008 22:41:29 EDT

qrkx posted :

said by mikenolan7:

I don't understand the explanation of why the check is done on different servers, so I turned on an external machine to monitor and double check what was going on. I have a DNS server configured that has nothing to do with my ISP (I verified that they are unrelated with nslookup). I run the test, a DNS request for www.doxpara.com goes out to the server I have configured, and then I get a reply from that same server.

Then the communication with the doxpara server occurs, and a report on one of my ISP's DNS servers returns. It appears that the doxpara server checks which server it thinks you should be using. I can't quite figure out how it decides that, because if I lookup my own IP I get a response from a different server than doxpara reports on, and the authoritative server is different also.

If this is correct, if you are using OpenDNS and run the check, you are not actually checking if OpenDNS is vulnerable. You are actually checking if (one of) your ISP's servers is vulnerable or not. That doesn't mean OpenDNS is vulnerable, just that you aren't actually checking that information.

Sorry if it was already explained this way, but I couldn't tell for sure.

My guess....The doxpara site uses your IP as an input the performs a dig -x "IP"

Extracts the dns server then tests it for transaction ID "randomization" then reports back.

rgds

Re: Internet flaw could let hackers take over the Web

Wed, 09 Jul 2008 22:13:15 EDT

mikenolan7 posted : I don't understand the explanation of why the check is done on different servers, so I turned on an external machine to monitor and double check what was going on. I have a DNS server configured that has nothing to do with my ISP (I verified that they are unrelated with nslookup). I run the test, a DNS request for www.doxpara.com goes out to the server I have configured, and then I get a reply from that same server.

Then the communication with the doxpara server occurs, and a report on one of my ISP's DNS servers returns. It appears that the doxpara server checks which server it thinks you should be using. I can't quite figure out how it decides that, because if I lookup my own IP I get a response from a different server than doxpara reports on, and the authoritative server is different also.

If this is correct, if you are using OpenDNS and run the check, you are not actually checking if OpenDNS is vulnerable. You are actually checking if (one of) your ISP's servers is vulnerable or not. That doesn't mean OpenDNS is vulnerable, just that you aren't actually checking that information.

Sorry if it was already explained this way, but I couldn't tell for sure.

Re: Internet flaw could let hackers take over the Web

Wed, 09 Jul 2008 21:45:19 EDT

qrkx posted : Hey! Wait a minute...Doesn't this forum deserve credit for demonstrating (although indirectly) the lack of authentication in the DNS protocol, by spoofing DNS responses? ;)

Hehe - I think it had something to do with an expensive router challenge. Quite a while ago. LinkLogger might still have some packet captures although I doubt we spoofed TIds and such for the sake of simplicity.

The response was incredible - with most people yawning.

Bah. I shall crawl back to my cage.

rgds

Re: Internet flaw could let hackers take over the Web

Wed, 09 Jul 2008 21:09:54 EDT

qrkx posted :

said by Just Bob:

I think you're overstating the case. Randomizing the source port adds another 16 bits.

I must be overstating. Randomization increases the cost of attack. Does not solve the problem at hand. I guess we'll revisit this problem in a few years.

rgds.

Re: Internet flaw could let hackers take over the Web

Wed, 09 Jul 2008 20:32:11 EDT

Just Bob posted :

said by qrkx:

Randomizing DNS transaction IDs, eh? Imagine that with a 16 bit number!

Anywho - with all the bandwidth available, why not just forget about DNS over UDP and absorb the TCP overhead(for DNS 512 bytes)?

UDP is "broken", and any patches - such as "randomizing" the "authenticating" factor will eventually fail.

blah.

rgds

I think you're overstating the case. Randomizing the source port adds another 16 bits.

said by »www.kb.cert.org/vuls/id/800113 :
Because attacks against these vulnerabilities all rely on an attacker's ability to predictably spoof traffic, the implementation of per-query source port randomization in the server presents a practical mitigation against these attacks within the boundaries of the current protocol specification. Randomized source ports can be used to gain approximately 16 additional bits of randomness in the data that an attacker must guess.

--
"...an imbalance between rich and poor is the oldest and most fatal ailment of all republics."
Plutarch

Re: Internet flaw could let hackers take over the Web

Wed, 09 Jul 2008 17:54:05 EDT

qrkx posted : Randomizing DNS transaction IDs, eh? Imagine that with a 16 bit number!

Anywho - with all the bandwidth available, why not just forget about DNS over UDP and absorb the TCP overhead(for DNS 512 bytes)?

UDP is "broken", and any patches - such as "randomizing" the "authenticating" factor will eventually fail.

blah.

rgds

Re: Internet flaw could let hackers take over the Web

Wed, 09 Jul 2008 16:51:08 EDT

QuaffAPint posted : I've been using OpenDNS for a couple years now (both with my Comcast and my FIOS), it's worked quite well and now, as its not vulnerable, is a good as time as any to switch :).
--
FunnyAndFun.com :: Take a laugh break...

Re: Internet flaw could let hackers take over the Web

Wed, 09 Jul 2008 16:20:05 EDT

XoLiMiT posted : I believe the tool locates the next top level DNS server in your recursive lookup. This would explain why some are not seeing their ISP's primary DNS server. Their ISP's dns is simply a mirror of another top level DNS server used for load balancing purposes.

my .0001 cents
Correct me if i am wrong

Re: Internet flaw could let hackers take over the Web

Wed, 09 Jul 2008 15:13:11 EDT

jmorlan posted :

said by smcallah:

The name servers you are configured with are probably caching servers. They do not query toorrr.com directly, the primary DNS server, which tells the caching servers the answer, is what goes to the root DNS servers to find toorrr.com and the queries come from there.

Thank you. Is dnsnode14.pltnca.sbcglobal.net a primary or root DNS server? Can one speed up DNS lookups by pointing to it instead of the default caching servers?
--
Weather forecast for tonight: dark. Continued dark overnight, with widely scattered light by morning. (George Carlin)

Re: Internet flaw could let hackers take over the Web

Wed, 09 Jul 2008 14:43:31 EDT

smcallah posted :

said by jmorlan:

However »www.doxpara.com/ reports

quote:
Your name server, at 69.227.255.25, appears vulnerable to DNS Cache Poisoning.

That name server resolves to dnsnode14.pltnca.sbcglobal.net

Where did they get that? Am I really vulnerable?

The name servers you are configured with are probably caching servers. They do not query toorrr.com directly, the primary DNS server, which tells the caching servers the answer, is what goes to the root DNS servers to find toorrr.com and the queries come from there.

Re: Internet flaw could let hackers take over the Web

Wed, 09 Jul 2008 12:04:09 EDT

caffeinator posted : IDK, there's some funny code in that pages source. I'd check , but i'd need .JS on first..lol (ok, so I tried it w/ JS on, and it did...nothing.)

I applied the MS patch already, don't use the DNS service, use a HOSTS file and local webserver for it, and I run my own IPcop box that pulls DNS from both my ISP and opendns.

DNS caching is off too.

SO, IDK...what's the big deal?

The bind8/16-bit DNS sky has been falling for years..this is just another tidbit of it IMO.

DNSSEC FTW?

-CaFF

--

My 9/11 Tribute..online since 9/14/01
Need an Avatar? Check out Wafen's Avatar Pages

Re: Internet flaw could let hackers take over the Web

Wed, 09 Jul 2008 10:50:39 EDT

Siko posted : So this is the reason why zonealarm doesn't work with the latest Microsoft patch?

»MS update KB951748 and ZoneAlarm --- PROBLEM

Re: Internet flaw could let hackers take over the Web

Wed, 09 Jul 2008 10:28:04 EDT

mikenolan7 posted : OMG an exploit is out already, our DNS requests are being redirected all over the place! :D It's ironic that many of the companies involved in this secret cabal (not Cabal ) to patch a DNS redirection vulnerability, already practice DNS redirection for profit. :o

Re: Internet flaw could let hackers take over the Web

Wed, 09 Jul 2008 10:02:52 EDT

Selenia posted : You just might want to remove your IP from the post :) But yes, this tool seems to understand 127.0.0.1 DNS server entries fine. I should try one of my other computers that reach this DNS server via a 192.168.x.x address.

Re: Internet flaw could let hackers take over the Web

Wed, 09 Jul 2008 09:52:55 EDT

Cabal posted :

said by jerry666:

i don't get it . it reports

Your name server, at 216.99.41.11, appears vulnerable to DNS Cache Poisoning.
All requests came from the following source port: 2355Requests seen for 96c7638be9c4.toorrr.com:
216.99.41.11:2355 TXID=56324
216.99.41.11:2355 TXID=60930
216.99.41.11:2355 TXID=63233
216.99.41.11:2355 TXID=22086
216.99.41.11:2355 TXID=110

but mine are listed as these in advanced tcp/ip settings
so where do they get the above ? whois shows it is my isp , but not what i use . a beginner in this as you can tell .
thanks
127.0.0.1
206.126.95.173
206.126.95.163

The checker shows the IP it is receiving queries from. That IP in question looks like a DSL customer IP. Is it yours? Your first listed DNS server is running locally.
--
Interested in open source engine management for your Subaru?

Re: Internet flaw could let hackers take over the Web

Wed, 09 Jul 2008 09:50:30 EDT

jerry666 posted : i don't get it . it reports

Your name server, at 216..11, appears vulnerable to DNS Cache Poisoning.
All requests came from the following source port: 2355Requests seen for 96c7638be9c4.toorrr.com:
216.1.11:2355 TXID=56324
216.9.11:2355 TXID=60930
216..11:2355 TXID=63233
216..11:2355 TXID=22086
216.9.11:2355 TXID=110

but mine are listed as these in advanced tcp/ip settings
so where do they get the above ? whois shows it is my isp , but not what i use . a beginner in this as you can tell .
thanks
127.0.0.1
206.126.95.173
206.126.95.163

Re: Internet flaw could let hackers take over the Web

Wed, 09 Jul 2008 09:50:15 EDT

Selenia posted : It gave my IP for the DNS server(it seems to have interpreted my 127.0.0.1 entry correctly). It says it's vulnerable, but I'd say it's more on the servers of TWC, in my case. Strong access controls only let my LAN query it and it gets its data from 2 statically set non-vulnerable DNS servers.

Re: Internet flaw could let hackers take over the Web

Wed, 09 Jul 2008 08:45:22 EDT

anon posted : I'm on Verizon Broadband, just checked and doxpara says VZ is vulnerable.

Re: Internet flaw could let hackers take over the Web

Wed, 09 Jul 2008 06:45:23 EDT

jmorlan posted :

said by NetFixer:

I think that the DNS servers you are using are the AT&T/SBC Anycast DNS servers, which means that they automatically redirect to the nearest actual DNS server to your location. It also explains the seeming anomaly I initially saw. I had forgotten the I had recently changed the config on my DNS server to forward to the Level3 Anycast DNS servers 4.2.2.4 and 4.2.2.6 in order to speed up non-cached lookups.

I think you are right. I switched to the level3 servers and the site reported I was using 209.244.1.26 which is a local level3 server. It said that server WAS VULNERABLE.

Then I switched to OpenDNS. It said I was using 208.67.219.12 which appears to be a local OpenDNS server and it said I was SAFE.

So in all cases I was redirected to a local server which was apparently identified correctly by »www.doxpara.com/

I don't care for OpenDNS but I'll keep it for now.

Unfortunately my modem seems to be hard-wired to pick up the sbcglobal servers which means I have to manually change DNS on each computer on my network.
--
"One can never know for sure what a deserted area looks like." (George Carlin)

Re: Internet flaw could let hackers take over the Web

Wed, 09 Jul 2008 06:44:21 EDT

NetFixer posted :

said by Doctor Olds:

209.244.5.146 is the DNS it reported for me (Which is not my ISPs DNS as seen by my Router of 207.69.188.185, 207.69.188.186), but my system shows I am using 4.2.2.1 and 4.2.2.2...

4.2.2.1 and 4.2.2.2 are I believe Level3 Anycast DNS servers, and they are probably forwarding to 209.244.5.146.

My local Windows 2000 DNS server forwards non-cached requests to the 4.2.2.4 and 4.2.2.6 Level3 Anycast DNS servers and the DNS test detected them forwarding to 209.244.5.147.
--
History does not long entrust the care of freedom to the weak or the timid.
-- Dwight D. Eisenhower
Test your firewall.
Smell the flowers.

Re: Internet flaw could let hackers take over the Web

Wed, 09 Jul 2008 06:19:46 EDT

scelli posted : Thanks for the info. If I'm understanding correctly what you and the others are saying, it appears the next move is up to the ISP. In my case, that is AT&T.

At least I'm running Vista Ultimate SP1, which supposedly (knock on a sequoia tree in the Redwood Forest) at least is good for end-users running that particular OS.
--
The maximum effective range of an excuse is ZERO meters!

Re: Internet flaw could let hackers take over the Web

Wed, 09 Jul 2008 06:07:42 EDT

NetFixer posted :

said by jmorlan:

I am confused. I am configured to use my ISPs DNS servers which my modem reports as follows:

68.94.156.1 dnsr1.sbcglobal.net
68.94.157.1 dnsr2.sbcglobal.net

However »www.doxpara.com/ reports

quote:
Your name server, at 69.227.255.25, appears vulnerable to DNS Cache Poisoning.

That name server resolves to dnsnode14.pltnca.sbcglobal.net

Where did they get that? Am I really vulnerable?

I don't know why they used that DNS server (or why they seemed to chose a random Level3 server for my initial test), but at least that one does belong to your ISP. Possibly they simply look at your IP address, and make their best guess as to the DNS server that you are using.

As to being vulnerable, possibly you are, but there may be nothing you can do about it until the DNS server(s) that you are using are updated. Since OpenDNS claims that their servers are not vulnerable, you might temporarily change to OpenDNS and rerun the test to see what results you get.

EDIT:
I think that the DNS servers you are using are the AT&T/SBC Anycast DNS servers, which means that they automatically redirect to the nearest actual DNS server to your location. It also explains the seeming anomaly I initially saw. I had forgotten the I had recently changed the config on my DNS server to forward to the Level3 Anycast DNS servers 4.2.2.4 and 4.2.2.6 in order to speed up non-cached lookups.

My own testing indicated that once I applied the DNS patch to my local Windows 2000 DNS server (and also stopped forwarding to Level3), that test stopped indicating that I was vulnerable:


Your name server, at 74.245.184.227, appears to be safe.
--------------------------------------------------------
Requests seen for f28e9d63f913.toorrr.com:
74.245.184.227:62372 TXID=56426
66.134.0.234:49850 TXID=10039
74.245.184.227:62276 TXID=13749
66.134.0.234:54707 TXID=36922
74.245.184.227:56975 TXID=52462 
 
========================================================
 
Your name server, at 66.134.0.234, appears to be safe.
------------------------------------------------------
Requests seen for 6863623814ca.toorrr.com:
66.134.0.234:51416 TXID=7057
74.245.184.227:63852 TXID=41403
66.134.0.234:57716 TXID=5083
74.245.184.227:64534 TXID=58858
66.134.0.234:55293 TXID=11753

--
History does not long entrust the care of freedom to the weak or the timid.
-- Dwight D. Eisenhower
Test your firewall.
Smell the flowers.

Re: Internet flaw could let hackers take over the Web

Wed, 09 Jul 2008 05:54:46 EDT

jmorlan posted :

said by NetFixer:

If you are referring to the test at »www.doxpara.com/ then that test doesn't necessarily check your ISP DNS servers, or your configured DNS servers.

I am confused. I am configured to use my ISPs DNS servers which my modem reports as follows:

68.94.156.1 dnsr1.sbcglobal.net
68.94.157.1 dnsr2.sbcglobal.net

However »www.doxpara.com/ reports

quote:
Your name server, at 69.227.255.25, appears vulnerable to DNS Cache Poisoning.

That name server resolves to dnsnode14.pltnca.sbcglobal.net

Where did they get that? Am I really vulnerable?
--
"One can never know for sure what a deserted area looks like." (George Carlin)

Re: Internet flaw could let hackers take over the Web

Wed, 09 Jul 2008 05:51:33 EDT

Doctor Olds posted : 209.244.5.146 is the DNS it reported for me (Which is not my ISPs DNS as seen by my Router of 207.69.188.185, 207.69.188.186), but my system shows I am using 4.2.2.1 and 4.2.2.2 clearly:

quote:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\XXXXXXXXX>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : XXXXXXXXX
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.invalid

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : domain.invalid
Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
Physical Address. . . . . . . . . : 00-00-00-00-00-00
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.254.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.254.254
DHCP Server . . . . . . . . . . . : 192.168.254.254
DNS Servers . . . . . . . . . . . : 4.2.2.1
4.2.2.2
NetBIOS over Tcpip. . . . . . . . : Disabled
Lease Obtained. . . . . . . . . . : Tuesday, July 08, 2008 10:33:41 PM
Lease Expires . . . . . . . . . . : Saturday, July 12, 2008 6:33:41 AM

--
What’s the point of owning a supercar if you can’t scare yourself stupid from time to time?

Re: Internet flaw could let hackers take over the Web

Wed, 09 Jul 2008 04:17:16 EDT

DiscardedVet posted : Hmm, the DNS server my ISP uses is in fact what doxpara reports me as using, and does say it is vulnerable.

I can only assume I should be attentive of this. Are there any steps the end-user can take on the side of caution? Besides changing where my box DNS goes, as I haven't foud one that seems to be as quick as my ISP's, actually quite a notcable difference when using ones posted within BBR.

--
Bush is the Prez....
Think Patriot Act II....
This outspoken dissident....
In jail I'll be soon.

Re: Internet flaw could let hackers take over the Web

Wed, 09 Jul 2008 02:25:45 EDT

NetFixer posted :

said by scelli:

Are you saying the problem lies at my ISP's level? I'm a bit lost with this whole thing, so any help would be mucho appreciated.

TIA!

If you are referring to the test at »www.doxpara.com/ then that test doesn't necessarily check your ISP DNS servers, or your configured DNS servers. It said I was using 209.244.5.147, which does not belong to either of my ISPs, and I do my own DNS resolution using the root servers to sync my local DNS servers.

EDIT:
After applying the DNS patch to my Windows 2000 server, the »www.doxpara.com/ no longer flags my DNS server as vulnerable. I don't know where they got the IP address 209.244.5.147 on my initial test, but it appears that even though they may report a bogus DNS server IP address, the basic test itself may be valid.
--
History does not long entrust the care of freedom to the weak or the timid.
-- Dwight D. Eisenhower
Test your firewall.
Smell the flowers.

Re: Internet flaw could let hackers take over the Web

Tue, 08 Jul 2008 23:55:52 EDT

scelli posted : Are you saying the problem lies at my ISP's level? I'm a bit lost with this whole thing, so any help would be mucho appreciated.

TIA!
--
The maximum effective range of an excuse is ZERO meters!

Re: Internet flaw could let hackers take over the Web

Tue, 08 Jul 2008 23:49:38 EDT

Cabal posted :

said by scelli:

Found this, which many of you may have already seen:

»www.microsoft.com/technet/securi···037.mspx

According to the article, neither 32 or 64 bit Vista SP1 are affected. I'm running Ultimate 32, so wonder how come I failed the test for DNS poising???

The page in question doesn't test your local resolver, it tests your DNS server.
--
Would you trust a brain surgeon with two years' experience?

Re: Internet flaw could let hackers take over the Web

Tue, 08 Jul 2008 23:34:26 EDT

scelli posted : Found this, which many of you may have already seen:

»www.microsoft.com/technet/securi···037.mspx

According to the article, neither 32 or 64 bit Vista SP1 are affected. I'm running Ultimate 32, so wonder how come I failed the test for DNS poising???
--
The maximum effective range of an excuse is ZERO meters!

Re: Internet flaw could let hackers take over the Web

Tue, 08 Jul 2008 23:32:28 EDT

MarkAW posted : I just went to the doxpara link and made it check my DNS server and the IP it came back with was a Verison server IP which doxpara says my dns name server appears vulnerable to DNS Cache Poisoning. :huh:
--
Advertising is legalized lying. - H.G. Wells
Pleasure in the job puts perfection in the work. - Aristotle

Re: Internet flaw could let hackers take over the Web

Tue, 08 Jul 2008 23:26:20 EDT

Owlbet posted : This is just weird. All during the holiday weekend I fought connectivity problems. My modem kept grabbing new IPs for no reason. My ISP wanted to blame it on me, my computers, my router, the weather, the dog, etc without just once, acknowledging they may be the problem. When I eliminated the router and plugged the computer directly into the modem for a 24 hour period, I still had connectivity problems. It was during this time that I (for grins) eliminated my ISP's DNS servers and instead began using OpenDNS's servers.

I never did get an answer on my connectivity problems over the weekend and the problem has cleared up on its own.

When I go to doxpara.com, it says my DNS name server is not vulnerable to cache poisoning. :)
--
Team Discovery

Re: Internet flaw could let hackers take over the Web

Tue, 08 Jul 2008 23:21:33 EDT

mouse posted : According to OpenDNS their servers are not affected and have not been affected prior to the notification:

»blog.opendns.com/2008/07/08/open···ure-dns/

Re: Internet flaw could let hackers take over the Web

Tue, 08 Jul 2008 23:18:43 EDT

scelli posted : Same here as far as my DNS name server being vulnerable according to that website, though I successfully installed all available WU updates for Vista Ultimate this afternoon.
--
The maximum effective range of an excuse is ZERO meters!

Re: Internet flaw could let hackers take over the Web

Tue, 08 Jul 2008 22:11:27 EDT

pepperxn posted : same here. it reported the isp's dns server, not the one that I have setup.

Re: Internet flaw could let hackers take over the Web

Tue, 08 Jul 2008 22:02:19 EDT

FiOS Dan posted :

said by mikenolan7:

Has anyone else tried the www.doxpara.com link to check their DNS? It would not work for me with Opera, even with site preferences set to allow Java and Javascript.

It just worked for me with Opera 9.51 and, saints be praised, for some reason it says that my name server "appears to be safe." I say "for some reason" because I have not installed any patches today. :)
--
Courage is being scared to death but saddling up anyway.

Re: Internet flaw could let hackers take over the Web

Tue, 08 Jul 2008 21:45:46 EDT

mikenolan7 posted : Has anyone else tried the www.doxpara.com link to check their DNS? It would not work for me with Opera, even with site preferences set to allow Java and Javascript. With Firefox, it worked after I allowed doxpara.com and toorrr.com in NoScript. But it reported on my ISP's DNS server, not the one I have hardwired into resolv.conf.

Re: Internet flaw could let hackers take over the Web

Tue, 08 Jul 2008 21:09:10 EDT

Cabal posted : Additionally: Massive, Coordinated Patch To the DNS Released
--
Would you trust a brain surgeon with two years' experience?

Re: Internet flaw could let hackers take over the Web

Tue, 08 Jul 2008 20:52:41 EDT

ranschultz posted : See this thread for some of the effects of these fixes.

Internet flaw could let hackers take over the Web

Tue, 08 Jul 2008 20:47:19 EDT

Tuneraider posted : Computer industry heavyweights are hustling to fix a flaw in the foundation of the Internet that would let hackers control traffic on the World Wide Web.

Major software and hardware makers worked in secret for months to create a software "patch" released on Tuesday to repair the problem, which is in the way computers are routed to web page addresses.
»news.yahoo.com/s/afp/usitinterne···arecrime

When i go to »www.doxpara.com it says my dns name server appears vulnerable to DNS Cache Poisoning.