OZO (Premium, joined 2003-01-17)
edit: July 10th, @12:45AM
DNS checker reboots ZyWALL
Tried the DNS checker from this site - DoxPara Research (mentioned in this thread - Internet flaw could let hackers take over the Web) many times, and every time my ZyWALL 5 rebooted. What the heck?
I run the test with IE (or Firefox, yielding the same result) from a WXP computer. It's a DHCP client, which gets its DNS setting pointing to the ZyWALL.
Can anybody confirm it?
ZyWALL 5: Bootbase Version V1.08 | 01/28/2005, Firmware Version V4.04(XD.0) | 03/28/2008
-- Keep it simple, it'll become complex by itself...
MVS (Premium, joined 2005-04-18)
I noticed the same problem on a ZyWALL 2 Plus using the latest firmware (V4.04(XU.1)) when using its IP as my DNS server.
dslpartner (joined 2005-02-18)
reply to OZO
Contact ZyXEL and tell them about the bug; until then, try to set static DNS servers on your hosts instead of using the DNS proxy in the device.
-- "Perl is executable line noise, Python is executable pseudo-code."
OZO (Premium, joined 2003-01-17)
reply to OZO
Thank you, guys, for the confirmation!
bbarrera (Premium, MVM, joined 2000-10-23, Sacramento, CA)
edit: July 14th, @04:42PM
reply to OZO
No problems here on a USG300, but that is likely because I'm running djbdns as the DNS cache on my LAN and not using any DNS on the ZyWALL USG300.
Unlike BIND and Microsoft DNS, the djbdns DNS cache has *never* been vulnerable to this exploit, and is credited with identifying the DNS system design flaw and its fix many years ago.
smurflurf (joined 2007-12-18, Whittier, CA)
reply to OZO
I tried with a ZyWALL 5 and a 2+, both running 4.04 firmware, and it does reboot the unit... Just tried it for the fun of it; I don't usually set up ZyWALLs as DNS proxies...
OZO (Premium, joined 2003-01-17)
Thank you for checking.
I found that using the ZW as a local DNS server (actually a proxy, but somewhat advanced) is beneficial because: 1) I turn off NetBIOS on all local computers and run the network without this old chatty protocol; 2) instead of maintaining hosts files on all computers, I use the ZW to keep all name resolutions for the LAN.
It's easy to add local host names and their corresponding IPs via Advanced | DNS | System | Address Record assignments. Try it and you won't need to change hosts files on all computers anymore.
bbarrera (Premium, MVM, joined 2000-10-23, Sacramento, CA)
I've set up my USG300 as the DNS proxy for one LAN computer, then pointed that computer's browser at the DNS checker, and it didn't reboot the USG300.
OZO (Premium, joined 2003-01-17)
What firmware version does it have? This info could be interesting for further investigation.
dslpartner (joined 2005-02-18)
said by OZO: "What firmware version does it have? This info could be interesting for further investigation."
It's not even the same OS: the USG uses ZLD, which is Linux based, and the older ZyWALL uses ZyNOS, which is based on something else.
bbarrera (Premium, MVM, joined 2000-10-23, Sacramento, CA)
reply to OZO
The USG series is Unix/Linux based ("ZLD") and uses BIND.
The ZW5/35/70 series use the proprietary ZyXEL ZyNOS operating system and an unknown DNS proxy implementation (likely proprietary).
OZO (Premium, joined 2003-01-17)
reply to OZO
I've just tested the new FW version V4.04(XD.1) | 06/26/2008 and the result is the same - the ZyWALL router crashes and reboots after receiving 4 UDP packets of DNS requests from my computer.
-- Keep it simple, it'll become complex by itself...
jig (joined 2001-01-05, Hacienda Heights, CA)
reply to OZO
This is interesting.
There was once a time when I was getting some issue with my Z5 rebooting randomly, and I thought it had something to do with resolving lots of IPs at once. Couldn't ever nail it down.
-- I have a catapult. Unless you give me all your money, I will hurl an enormous rock at your head.
jamesv (Premium, joined 2003-03-08, Austin, TX)
reply to bbarrera
said by bbarrera: "Unlike BIND and Microsoft DNS the djbdns dns cache has *never* been vulnerable to this exploit, and is credited with identifying the dns system design flaw and fix many years ago."
ISC and others seem to believe the problem is in the protocol, not in any particular cache software. ISC believes no software change is a complete fix, but instead just makes the attack harder, and that DNSSEC is the only complete solution.
If you're running djbdns behind a ZyWALL whose NAT is remapping ports, then the ZyWALL may be undoing some of djbdns' security by making the DNS query ports predictable.
bbarrera (Premium, MVM, joined 2000-10-23, Sacramento, CA)
The DNS protocol was not designed to be secure, but that doesn't excuse BIND from ignoring for many years a well-known implementation technique that would reduce the chance of cache poisoning.
jamesv (Premium, joined 2003-03-08, Austin, TX)
said by bbarrera: "DNS protocol was not designed to be secure but that doesn't excuse BIND from ignoring for many years a well known implementation technique that would reduce chance for cache poisoning."
I've now read a writeup of the problem, and it has nothing to do with the coding, BIND, or such.
But even with the BIND or djbdns fixes, it isn't safe to have a DNS cache behind a ZyWALL until ZyXEL fixes the NAT - ZyXEL undoes the DNS fixes and leaves a cache as unsafe as if it had never been patched in the first place.
(The writeup I saw required that the attacker be able to send queries to the cache, which can be blocked. But I think it is also possible to get those queries made by poisoning a web site so that a browser on the "inside" does the queries to the cache which will be attacked - just blocking incoming DNS queries isn't good enough.)
dslpartner (joined 2005-02-18)
Anybody tried to tell ZyXEL about this? If yes, what was the answer?
-- "Perl is executable line noise, Python is executable pseudo-code."
OZO (Premium, joined 2003-01-17)
I suppose the fix will be in the next firmware release.
jamesv (Premium, joined 2003-03-08, Austin, TX)
Well, after a little more thought I realized the writeup I got isn't it either - that can be addressed in code on the cache (percentages made very low). So it's something else...
But predictable port numbers don't seem like a good idea for a firewall on general principles, and a "short-circuit" in the NAT port remapper to use the LAN source port if free on the WAN side seems unlikely to take long to implement or test, and has a low chance of breakage.
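The NAT behaviour debated above (a port-remapping NAT throwing away a resolver's randomized source ports, and jamesv's suggested "keep the LAN port if it is free on the WAN side" policy), as an added example that is not from the thread or from ZyXEL: a small Python model of the two allocation policies, plus the kind of predictability measurement an external checker can make from the query ports it observes. The randomized resolver ports are a constructed sample, and both NAT policies are assumptions standing in for whatever the real firmware does, not a description of ZyNOS or ZLD internals.

```python
"""Toy model: how a NAT's port-remapping policy affects the source-port
randomness of DNS queries that pass through it.

Added example. The two allocation policies are assumptions that model the
behaviour discussed in the thread, not ZyXEL's implementation.
"""
import random
import statistics

EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 65535


def randomized_resolver_ports(count, seed=7):
    """Source ports a patched cache (random port per query) would pick.
    Constructed sample driven by a fixed seed so the run is repeatable."""
    rng = random.Random(seed)
    return [rng.randint(EPHEMERAL_LOW, EPHEMERAL_HIGH) for _ in range(count)]


def nat_sequential(lan_ports, first_wan_port=1024):
    """NAT policy that hands out WAN ports in order, ignoring the LAN source
    port. This is the behaviour the thread suspects: the resolver's
    randomness never reaches the WAN side."""
    return [first_wan_port + i for i in range(len(lan_ports))]


def nat_port_preserving(lan_ports, wan_ports_in_use=frozenset(), first_fallback=1024):
    """NAT policy jamesv proposes: keep the LAN source port on the WAN side
    when it is free there; otherwise fall back to the next free sequential
    port. Ports already in use on the WAN side are passed in by the caller."""
    used = set(wan_ports_in_use)
    next_fallback = first_fallback
    wan_ports = []
    for lan_port in lan_ports:
        if lan_port not in used:
            chosen = lan_port
        else:
            while next_fallback in used:
                next_fallback += 1
            chosen = next_fallback
        used.add(chosen)
        wan_ports.append(chosen)
    return wan_ports


def port_predictability(ports):
    """Summarize how guessable an observed sequence of query source ports is.
    This is the same kind of measurement an external checker makes from the
    ports it sees arriving: distinct count, fraction of +1 steps, and spread."""
    if len(ports) < 2:
        raise ValueError("need at least two observed ports")
    deltas = [later - earlier for earlier, later in zip(ports, ports[1:])]
    sequential_fraction = sum(1 for d in deltas if d == 1) / len(deltas)
    spread = statistics.pstdev(ports)
    distinct = len(set(ports))
    predictable = (sequential_fraction >= 0.5
                   or spread < 1000
                   or distinct < len(ports) // 2)
    return {
        "distinct": distinct,
        "sequential_fraction": sequential_fraction,
        "stdev": spread,
        "verdict": "predictable" if predictable else "randomized",
    }


if __name__ == "__main__":
    lan = randomized_resolver_ports(64)
    print("resolver itself:     ", port_predictability(lan)["verdict"])
    print("sequential NAT:      ", port_predictability(nat_sequential(lan))["verdict"])
    print("port-preserving NAT: ", port_predictability(nat_port_preserving(lan))["verdict"])
```

Running it shows the resolver's own ports and the port-preserving NAT both reported as "randomized", while the sequential NAT collapses the same queries to "predictable" even though nothing on the cache changed. Only the WAN-side view matters to a remote party, so a check of the resolver's own port choice on the LAN says nothing until the same measurement is repeated from outside the NAT.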
dslpartner (joined 2005-02-18)
reply to OZO
said by OZO: "I suppose fix will be in the next firmware release."
Based on what?