SUMware
Premium
join:2002-05-21


4 edits

Exploit Code for Kaminsky DNS Bug Goes Wild

From The Register
24th July 2008 -
quote:
Security researchers have developed two working exploits that poison vulnerable domain name system servers, allowing attackers to redirect unwitting end users to impostor sites. What's more, the attack code has been added to Metasploit, a penetration testing tool used to test the security of computers and networks. The program, which is maintained by HD Moore, makes it easy for white hats and black hats alike to exploit vulnerable servers.

Some people have complained that Kaminsky's bug has been shamelessly hyped. We disagree. Should there be widespread exploitation of the flaw, the result would be chaos. Attackers could taint the machines relied on by millions of people. When they typed bankofamerica.com into their browser, they'd have no way of knowing whether they were being directed to the real site or one designed to steal their money. Trust on the internet, as flawed as it may be now, would completely break down.

Much of the attack code was written by |)ruid, a researcher from the Computer Academic Underground. According to Moore, it could be used like this:
1. Bad Guy probes the target DNS to see if it's vulnerable (a couple free services can do this)
2. Bad Guy picks a domain they want to hijack for users of that DNS Server
3. Bad Guy runs the bailiwicked_domain module and takes control of that domain in the cache of that server
At this point, anyone who uses that vulnerable DNS server is going to see the wrong DNS server record for the poisoned domain

The exploits are available here and here.

Currently, the exploits work only on caching servers used by ISPs and other large organizations, but Moore said they could be modified to work against client-side resolvers, which are used on desktop machines.
To test if your ISP's nameservers are vulnerable to this type of attack visit:
»https://www.dns-oarc.net/oarc/services/dnsentropy
- and -
»www.doxpara.com/ (click the button that says "check my DNS")
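Added example, not part of the original post or of either test site's code: the tests linked above rate a resolver by how unpredictable the source ports and transaction IDs of its outgoing queries are. The Python below applies the same kind of rating offline to constructed observations; the cut-off values, function names and sample data are assumptions made for illustration.

```python
import statistics

# Illustrative cut-offs on the standard deviation of a 16-bit field.
# Assumption for this example; not the published thresholds of either test site.
POOR_BELOW = 300.0
GREAT_FROM = 4000.0
ORDER = ["POOR", "GOOD", "GREAT"]


def rate_field(values):
    """Rate one 16-bit field (source port or transaction ID) by its spread."""
    if len(values) < 2:
        raise ValueError("need at least two observations")
    stdev = statistics.pstdev(values)
    if stdev < POOR_BELOW:
        rating = "POOR"
    elif stdev < GREAT_FROM:
        rating = "GOOD"
    else:
        rating = "GREAT"
    # Share of consecutive queries where the value moved by exactly +1
    # (mod 65536): the signature of a counter rather than a random choice.
    steps = [(b - a) % 65536 for a, b in zip(values, values[1:])]
    counter_like = sum(1 for s in steps if s == 1) / len(steps)
    return {
        "rating": rating,
        "stdev": round(stdev, 1),
        "distinct": len(set(values)),
        "counter_like": counter_like,
    }


def rate_resolver(queries):
    """queries: list of (source_port, txid) pairs seen from one resolver IP.

    The overall rating is the weaker of the two fields, because a spoofed
    reply has to match both values and a predictable one contributes nothing.
    """
    ports = rate_field([p for p, _ in queries])
    txids = rate_field([t for _, t in queries])
    overall = min(ports["rating"], txids["rating"], key=ORDER.index)
    return {"ports": ports, "txids": txids, "overall": overall}


# Constructed sample data (not captured traffic).
TXIDS = [51234, 877, 40990, 23011, 65001, 12345,
         33333, 4821, 58763, 19999, 46010, 27100]
PORTS = [1893, 60211, 33410, 12007, 48822, 5120,
         27615, 55903, 40178, 19466, 63002, 9754]

FIXED_PORT = [(32768, t) for t in TXIDS]                   # one port for every query
COUNTER_PORT = [(1024 + i, t) for i, t in enumerate(TXIDS)]  # port increments by one
RANDOM_PORT = list(zip(PORTS, TXIDS))                      # port chosen per query

if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_PORT),
                         ("counter", COUNTER_PORT),
                         ("random", RANDOM_PORT)]:
        result = rate_resolver(sample)
        print(name, result["overall"], result["ports"])
```

The fixed-port sample is the interesting one: its transaction IDs rate well, yet the resolver as a whole rates poorly because the port adds no unpredictability.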

NetWatchMan
Premium,VIP
join:2001-03-13
Alpharetta, GA

Re: Exploit code for Kaminsky DNS Bug Goes Wild

Please...take the time to understand the implications of this issue...they are profound and represent the most serious and widespread security issue to impact the Internet to date:

»www.informationweek.com/newslett···09401195

In a nutshell, until your ISP has patched their DNS servers, you can no longer trust that your ISP will resolve DNS names (e.g. 'yourbank.com') correctly. Criminals can now hijack any domain name they want and draw your traffic to sites they control...thus you THINK you have surfed to your bank's website, but you are really talking to a server in Russia.

Until you know that your ISP's DNS servers have been patched, I would advise that everyone NOT utilize any web server of a sensitive nature (e.g. online banking, paypal, online retailer, etc.).

Please...as many people as possible...especially if you're on a less mainstream ISP...please run Dan's tester:

»www.doxpara.com/

See: DNS Checker button in upper right

In addition to giving you valuable information, it will flag your ISP's DNS servers as vulnerable (if they are) in Dan's database...Dan is then providing a feed through Oarc and myNetWatchman (me) and I'm sending out notifications to all the ISPs with these vulnerable servers.

I just finished sending out 10,000 notices this afternoon covering more DNS servers than I care to comment on.

Unfortunately, I suspect this problem is going to exist for YEARS as many smaller ISPs will just not get the severity of this problem and leave their users exposed.

I would also encourage everyone who can to please take some time to educate others you know about this issue who might be less technically inclined.
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch

FiOS Dan
Premium
join:2001-07-06
Redondo Beach, CA
·Verizon FIOS

Re: Exploit code for Kaminsky DNS Bug Goes Wild

said by NetWatchMan:

Unfortunately, I suspect this problem is going to exist for YEARS as many smaller ISPs will just not get the severity of this problem and leave their users exposed.
Am I correct in thinking that this will create a major vulnerability for road warriors and their laptops?
--
Courage is being scared to death but saddling up anyway.

NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
Murfreesboro, TN
·AT&T Southeast
·Vonage
·Cingular Wireless
·AT&T CallVantage

Re: Exploit code for Kaminsky DNS Bug Goes Wild

said by FiOS Dan:

Am I correct in thinking that this will create a major vulnerability for road warriors and their laptops?
If the road warrior manually uses a patched company DNS server or a known safe public DNS server such as Level3 or OpenDNS, it should not be a problem.



--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall.

FiOS Dan
Premium
join:2001-07-06
Redondo Beach, CA
·Verizon FIOS

Re: Exploit code for Kaminsky DNS Bug Goes Wild

Thanks for the reply NetFixer. What I was referring to is the case where a road warrior's internet access is via a hotel or airport WiFi whose router DNS settings would override his or her laptop's. Is this not the case?
--
Courage is being scared to death but saddling up anyway.

NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
Murfreesboro, TN
·AT&T Southeast
·Vonage
·Cingular Wireless
·AT&T CallVantage


3 edits

Re: Exploit code for Kaminsky DNS Bug Goes Wild

said by FiOS Dan:

Thanks for the reply NetFixer. What I was referring to is the case where a road warrior's internet access is via a hotel or airport WiFi whose router DNS settings would override his or her laptop's. Is this not the case?
No, if you manually enter the DNS servers in the TCPIP properties for the WiFi card, that is what will be used. I showed a picture of my desktop PC's NIC, but the same setup and principle would apply for a WiFi card. Here are sample ipconfig /all and nslookup www.yahoo.com commands for several different scenarios that I just made from a foreign WiFi connection to illustrate my point:




This is using the default settings for a foreign WiFi connection:
(in this case it is safe because Comcast has updated their DNS, but of course, that would not always be the case)

C:\>ipconfig /all


Windows IP Configuration

Host Name . . . . . . . . . . . . : RWS-6325
Primary Dns Suffix . . . . . . . : dcs-net.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : dcs-net
dcs-net.net

Ethernet adapter Local Area Connection 2:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Bluetooth PAN Network Adapter
Physical Address. . . . . . . . . : 00-11-E0-02-F6-D6

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
Physical Address. . . . . . . . . : 00-17-A4-E3-E7-CF

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . : hsd1.tn.comcast.net.
Description . . . . . . . . . . . : Broadcom 802.11b/g WLAN
Physical Address. . . . . . . . . : 00-1A-73-67-2C-DC
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.104
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 68.87.68.162
68.87.74.162
68.87.64.196
Lease Obtained. . . . . . . . . . : Friday, July 25, 2008 10:31:56
Lease Expires . . . . . . . . . . : Saturday, July 26, 2008 10:31:56


C:\>nslookup www.yahoo.com
Server: cns.s3woodstock.ga.atlanta.comcast.net
Address: 68.87.68.162

Non-authoritative answer:
Name: www.yahoo-ht3.akadns.net
Address: 69.147.76.15
Aliases: www.yahoo.com

*** You will note that in this case the WiFi connection's DNS was used. ***




This is using a manually entered known good set of public DNS servers:

C:\>ipconfig /all


Windows IP Configuration

Host Name . . . . . . . . . . . . : RWS-6325
Primary Dns Suffix . . . . . . . : dcs-net.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : dcs-net
dcs-net.net

Ethernet adapter Local Area Connection 2:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Bluetooth PAN Network Adapter
Physical Address. . . . . . . . . : 00-11-E0-02-F6-D6

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
Physical Address. . . . . . . . . : 00-17-A4-E3-E7-CF

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . : hsd1.tn.comcast.net.
Description . . . . . . . . . . . : Broadcom 802.11b/g WLAN
Physical Address. . . . . . . . . : 00-1A-73-67-2C-DC
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.104
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 4.2.2.4
4.2.2.6
Lease Obtained. . . . . . . . . . : Friday, July 25, 2008 10:39:15
Lease Expires . . . . . . . . . . : Saturday, July 26, 2008 10:39:15


C:\>nslookup www.yahoo.com
Server: vnsc-pri-dsl.genuity.net
Address: 4.2.2.4

Non-authoritative answer:
Name: www.yahoo-ht3.akadns.net
Address: 69.147.76.15
Aliases: www.yahoo.com

*** You will note that in this case the manually entered public DNS was used. ***




This is using the manually entered company's publicly visible DNS servers:

C:\>ipconfig /all


Windows IP Configuration

Host Name . . . . . . . . . . . . : RWS-6325
Primary Dns Suffix . . . . . . . : dcs-net.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : dcs-net
dcs-net.net

Ethernet adapter Local Area Connection 2:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Bluetooth PAN Network Adapter
Physical Address. . . . . . . . . : 00-11-E0-02-F6-D6

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
Physical Address. . . . . . . . . : 00-17-A4-E3-E7-CF

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . : hsd1.tn.comcast.net.
Description . . . . . . . . . . . : Broadcom 802.11b/g WLAN
Physical Address. . . . . . . . . : 00-1A-73-67-2C-DC
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.104
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 66.134.0.234
74.245.184.227
Lease Obtained. . . . . . . . . . : Friday, July 25, 2008 11:11:09
Lease Expires . . . . . . . . . . : Saturday, July 26, 2008 11:11:09


C:\>nslookup www.yahoo.com
Server: dcs-net.net
Address: 66.134.0.234

Non-authoritative answer:
Name: www.yahoo-ht3.akadns.net
Address: 69.147.76.15
Aliases: www.yahoo.com

*** You will note that in this case the manually entered company DNS was used. ***




This is using a PPTP VPN connection to the company network:

C:\>ipconfig /all


Windows IP Configuration

Host Name . . . . . . . . . . . . : RWS-6325
Primary Dns Suffix . . . . . . . : dcs-net.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : dcs-net
dcs-net.net

Ethernet adapter Local Area Connection 2:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Bluetooth PAN Network Adapter
Physical Address. . . . . . . . . : 00-11-E0-02-F6-D6

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
Physical Address. . . . . . . . . : 00-17-A4-E3-E7-CF

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . : hsd1.tn.comcast.net.
Description . . . . . . . . . . . : Broadcom 802.11b/g WLAN
Physical Address. . . . . . . . . : 00-1A-73-67-2C-DC
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.104
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 68.87.68.162
68.87.74.162
68.87.64.196
Lease Obtained. . . . . . . . . . : Friday, July 25, 2008 10:46:58
Lease Expires . . . . . . . . . . : Saturday, July 26, 2008 10:46:58

PPP adapter DCS Enterprises:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.10.201
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 192.168.10.201
DNS Servers . . . . . . . . . . . : 192.168.10.1


C:\>nslookup www.yahoo.com
*** Can't find server name for address 68.87.68.162: Query refused
*** Can't find server name for address 68.87.74.162: Query refused
*** Can't find server name for address 68.87.64.196: Query refused
Server: dcs-gw1.dcs-net
Address: 192.168.10.1

Non-authoritative answer:
Name: www.yahoo-ht3.akadns.net
Address: 69.147.76.15
Aliases: www.yahoo.com

*** You will note that even though the notebook attempted to use the WiFi connection's DNS first, the company's firewall prevented access and used its own DNS. ***




This is using an IPSEC VPN connection to company network:

C:\>ipconfig /all


Windows IP Configuration

Host Name . . . . . . . . . . . . : RWS-6325
Primary Dns Suffix . . . . . . . : dcs-net.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : dcs-net
dcs-net.net

Ethernet adapter Local Area Connection 2:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Bluetooth PAN Network Adapter
Physical Address. . . . . . . . . : 00-11-E0-02-F6-D6

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
Physical Address. . . . . . . . . : 00-17-A4-E3-E7-CF

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . : hsd1.tn.comcast.net.
Description . . . . . . . . . . . : Broadcom 802.11b/g WLAN
Physical Address. . . . . . . . . : 00-1A-73-67-2C-DC
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.104
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.10.1
68.87.68.162
68.87.74.162
68.87.64.196
Lease Obtained. . . . . . . . . . : Friday, July 25, 2008 10:55:11
Lease Expires . . . . . . . . . . : Saturday, July 26, 2008 10:55:11


C:\>nslookup www.yahoo.com
Server: dcs-gw1.dcs-net
Address: 192.168.10.1

Non-authoritative answer:
Name: www.yahoo-ht3.akadns.net
Address: 69.147.76.15
Aliases: www.yahoo.com

*** You will note that in this case the company's DNS was used first, so the WiFi connection's DNS did not come into play. ***




There is almost always more than one way to accomplish the same task; in this case, ensuring a safe DNS source even when on the road.




As a control sample, this is what a WiFi connection to my office LAN looks like:

C:\>ipconfig /all


Windows IP Configuration

Host Name . . . . . . . . . . . . : RWS-6325
Primary Dns Suffix . . . . . . . : dcs-net.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : dcs-net
dcs-net.net

Ethernet adapter Local Area Connection 2:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Bluetooth PAN Network Adapter
Physical Address. . . . . . . . . : 00-11-E0-02-F6-D6

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
Physical Address. . . . . . . . . : 00-17-A4-E3-E7-CF

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . : dcs-net
Description . . . . . . . . . . . : Broadcom 802.11b/g WLAN
Physical Address. . . . . . . . . : 00-1A-73-67-2C-DC
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.10.68
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.10.1
DHCP Server . . . . . . . . . . . : 192.168.10.1
DNS Servers . . . . . . . . . . . : 192.168.10.2
192.168.10.1
Primary WINS Server . . . . . . . : 192.168.10.2
Lease Obtained. . . . . . . . . . : Friday, July 25, 2008 11:28:15
Lease Expires . . . . . . . . . . : Monday, July 28, 2008 11:28:15


C:\>nslookup www.yahoo.com
Server: dcs-srv.dcs-net.net
Address: 192.168.10.2

Non-authoritative answer:
Name: www.yahoo-ht3.akadns.net
Address: 69.147.76.15
Aliases: www.yahoo.com

--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall.
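Added example, not part of NetFixer's post: the comparison made by eye in the output above (which DNS servers the adapter is configured with, and which one actually answered) can be automated. The Python below parses `ipconfig /all` and `nslookup` text in the layout shown in the thread, including server addresses that sit alone on continuation lines; the allowlist, function names and the choice of what counts as trusted are assumptions of this example.

```python
import ipaddress
import re

# Resolvers the thread names as passing the tests. Using them as the
# allowlist is an assumption of this example, not a policy from the thread.
TRUSTED = {"4.2.2.4", "4.2.2.6", "208.67.222.222", "208.67.220.220"}

ADAPTER = re.compile(r"^\S+ adapter (.+):$")
KEY_VALUE = re.compile(r"^(.*?)(?:\s*\.)+\s*:\s*(.*)$")


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_ipconfig(text):
    """Map each adapter in `ipconfig /all` output to its DNS server list."""
    adapters, current, in_dns = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = ADAPTER.match(line)
        if header:
            current, in_dns = header.group(1), False
            adapters[current] = []
            continue
        pair = KEY_VALUE.match(line)
        if pair:
            in_dns = pair.group(1) == "DNS Servers"
            if in_dns and current and _is_ip(pair.group(2)):
                adapters[current].append(pair.group(2))
        elif in_dns and current and _is_ip(line):
            # Second and later servers appear alone on continuation lines.
            adapters[current].append(line)
    return adapters


def answering_server(nslookup_text):
    """Return the address of the resolver that actually answered."""
    seen_server = False
    for raw in nslookup_text.splitlines():
        line = raw.strip()
        if line.startswith("Server:"):
            seen_server = True
        elif seen_server and line.startswith("Address:"):
            return line.split(":", 1)[1].strip()
    return None


def audit(ipconfig_text, nslookup_text, trusted=TRUSTED):
    """Flag configured resolvers outside the allowlist and check who answered.

    "Untrusted" here only means "not on the allowlist"; it says nothing about
    whether that resolver is patched.
    """
    configured = parse_ipconfig(ipconfig_text)
    untrusted = [(name, ip) for name, servers in configured.items()
                 for ip in servers if ip not in trusted]
    answered = answering_server(nslookup_text)
    return {"configured": configured, "untrusted": untrusted,
            "answered_by": answered, "answer_trusted": answered in trusted}


# Sample input trimmed from the output posted in the thread.
DHCP_IPCONFIG = """\
Windows IP Configuration

Host Name . . . . . . . . . . . . : RWS-6325
DNS Suffix Search List. . . . . . : dcs-net
dcs-net.net

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . : hsd1.tn.comcast.net.
Dhcp Enabled. . . . . . . . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.104
DNS Servers . . . . . . . . . . . : 68.87.68.162
68.87.74.162
68.87.64.196
Lease Obtained. . . . . . . . . . : Friday, July 25, 2008 10:31:56
"""
DHCP_NSLOOKUP = """\
Server: cns.s3woodstock.ga.atlanta.comcast.net
Address: 68.87.68.162

Non-authoritative answer:
Name: www.yahoo-ht3.akadns.net
Address: 69.147.76.15
"""
MANUAL_IPCONFIG = DHCP_IPCONFIG.replace(
    "68.87.68.162\n68.87.74.162\n68.87.64.196", "4.2.2.4\n4.2.2.6")
MANUAL_NSLOOKUP = DHCP_NSLOOKUP.replace(
    "cns.s3woodstock.ga.atlanta.comcast.net", "vnsc-pri-dsl.genuity.net"
).replace("Address: 68.87.68.162", "Address: 4.2.2.4")

if __name__ == "__main__":
    print(audit(DHCP_IPCONFIG, DHCP_NSLOOKUP))
    print(audit(MANUAL_IPCONFIG, MANUAL_NSLOOKUP))
```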

FiOS Dan
Premium
join:2001-07-06
Redondo Beach, CA

Re: Exploit code for Kaminsky DNS Bug Goes Wild

Very informative NetFixer. I will manually enter the OpenDNS servers in my laptop's setting. Thanks a lot.
--
Courage is being scared to death but saddling up anyway.
SUMware
Premium
join:2002-05-21


1 edit
said by NetWatchMan:

Please...take the time to understand the implications of this issue...they are profound and represent the most serious and widespread security issue to impact the Internet to date:

I would also encourage everyone who can to please take some time to educate others you know about this issue who might be less technically inclined.
Thank you for the added emphasis. I've already emailed my contacts, explaining this situation. If ISP servers test vulnerable, a currently viable mitigation is to consider using OpenDNS.
SipSizzurp
Fo' Shizzle
Premium
join:2005-12-28
Hilo, HI
·RoadRunner Cable

Re: Exploit code for Kaminsky DNS Bug Goes Wild

said by SUMware:

...consider using OpenDNS.
Do you have the DNS IP address that I can put into my router ?
--
I spent most of my money on Women and Beer, and the rest I just wasted !

Rogue Wolf
Is Kind Of A Big Deal In Yemen

join:2003-08-12
Troy, NY
·RoadRunner Cable

Re: Exploit code for Kaminsky DNS Bug Goes Wild

said by SipSizzurp:

Do you have the DNS IP address that I can put into my router ?
There's two.
208.67.222.222
208.67.220.220
The site will have a guide on how to change your router's settings to do this, if necessary.
--
Four gods wait on a windowsill,
Where once eight gods did war and will.
And if the gods themselves may die,
What does that say for you and I?
SipSizzurp
Fo' Shizzle
Premium
join:2005-12-28
Hilo, HI

Re: Exploit code for Kaminsky DNS Bug Goes Wild

Thanks ! I know several commercial customers that use Road Runner. These will be handy.
--
I spent most of my money on Women and Beer, and the rest I just wasted !

Sparrow
Crystal Sky
Premium
join:2002-12-03
Sachakhand

said by SUMware:

said by NetWatchMan:

Please...take the time to understand the implications of this issue...they are profound and represent the most serious and widespread security issue to impact the Internet to date:

I would also encourage everyone who can to please take some time to educate others you know about this issue who might be less technically inclined.
Thank you for the added emphasis. I've already emailed my contacts, explaining this situation. If ISP servers test vulnerable, a currently viable mitigation is to consider using OpenDNS.
SUMware and NetWatchMan, thank you very much for the link to OpenDNS and emphasizing the seriousness of this latest exploit.

I will also encourage anyone having not "great" reports at either of the sites listed below to do the same. I have sent numerous e-mails out explaining the configuration is easy enough for the not-so computer savvy and explained they should write down their current router settings in case OpenDNS does not work or they err in configuration.

said by SUMware:

To test if your ISP's nameservers are vulnerable to this type of attack visit:
»https://www.dns-oarc.net/oarc/services/dnsentropy
- and -
»www.doxpara.com/ (click the button that says "check my DNS")
I reset my router to OpenDNS and I went from 3 "Poor"s to 3 "Great"s and currently "safe." My provider is Verizon.

Excellent info in this thread.

NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
Murfreesboro, TN
·AT&T Southeast
·Vonage
·Cingular Wireless
·AT&T CallVantage

said by SUMware:

If ISP servers test vulnerable, a currently viable mitigation is to consider using OpenDNS.
Another current alternative, if one does not want to jump through the hoops to set up an account at OpenDNS to get "vanilla" DNS without the filtering and redirecting, is to use the Level3 4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4, 4.2.2.5, and 4.2.2.6 servers. They also currently pass the www.doxpara.com and www.dns-oarc.net tests.

I currently point to my local Win 2k server first, with fallbacks to Level3, then OpenDNS (yes I use OpenDNS, but it was a PITA to set up with a load balancing router).
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall.
SUMware
Premium
join:2002-05-21


1 edit

Re: Exploit code for Kaminsky DNS Bug Goes Wild

said by NetFixer:

if one does not want to jump through the hoops to set up an account at OpenDNS
It is completely unnecessary to open an account at OpenDNS. I have never had one. Just use their IP addys and follow their instructions without opening an account.

OpenDNS states that creating an account is optional.

NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
Murfreesboro, TN
·AT&T Southeast
·Vonage
·Cingular Wireless
·AT&T CallVantage


1 edit

Re: Exploit code for Kaminsky DNS Bug Goes Wild

said by SUMware:

said by NetFixer:

if one does not want to jump through the hoops to set up an account at OpenDNS
It is completely unnecessary to open an account at OpenDNS. I have never had one. Just use their IP addys and follow their instructions without opening an account.

OpenDNS states that creating an account is optional.
Unnecessary and/or optional for you perhaps, but I require unfiltered unmodified DNS, and the only way to get that from OpenDNS is to create an account and register your IP addresses. If you do not open an account and register your IP addresses, OpenDNS has no way of knowing who you are to be able to apply your desired settings, and you will get their default filtering and redirection.

This filtering and redirection by my definition is actually poisoned DNS, which is what we are trying to avoid. The difference between the OpenDNS poisoning and poisoning by a malicious third party is intent, and of course the public declaration by OpenDNS that the DNS replies may indeed be modified unless you open an account and set up your own requirements to override their default settings.

Don't misunderstand my post here. OpenDNS is a great service, and many people can benefit from their filtering and redirection, but that same filtering and redirection can wreak havoc if you really need accurate, unfiltered, and unredirected DNS results.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall.
SUMware
Premium
join:2002-05-21

Re: Exploit code for Kaminsky DNS Bug Goes Wild

said by NetFixer:

I require unfiltered unmodified DNS, and the only way to get that from OpenDNS is to create an account and register your IP addresses. If you do not open an account and register your IP addresses, OpenDNS has no way of knowing who you are to be able to apply your desired settings, and you will get their default filtering and redirection.
Understand.
I do not have the same requirements as you. Having no account, and OpenDNS' defaults, works fine for me.

Rogue Wolf
Is Kind Of A Big Deal In Yemen

join:2003-08-12
Troy, NY
·RoadRunner Cable


1 edit
said by SUMware:

said by NetFixer:

if one does not want to jump through the hoops to set up an account at OpenDNS
It is completely unnecessary to open an account at OpenDNS. I have never had one. Just use their IP addys and follow their instructions without opening an account.

OpenDNS states that creating an account is optional.
I think what NetFixer is getting at is that to get "clean" DNS service (no redirects, etc) you have to sign up for an account. Which is alright with me- I don't have any programs or procedures that require that.

EDIT: Darn you, stop being so fast!
--
Four gods wait on a windowsill,
Where once eight gods did war and will.
And if the gods themselves may die,
What does that say for you and I?

NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
Murfreesboro, TN
·AT&T Southeast
·Vonage
·Cingular Wireless
·AT&T CallVantage

Re: Exploit code for Kaminsky DNS Bug Goes Wild

said by Rogue Wolf:

EDIT: Darn you, stop being so fast!
If that comment is targeted to me, thank you. With my tired old body and stiff arthritic joints (including my fingers), I don't hear something like that very often. It is usually more like "hurry up, what is taking you so long".
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall.

spy1
Welcome to Amerika
Premium
join:2002-06-24
Charlotte, NC

Thanks for the reminder about OpenDNS. I had thought that I was already using it (I was on the router before this upgraded, faster one from my ISP) - but after reading this I checked it just to be on the safe side and sure enough, I wasn't.

Went to both websites mentioned and found out that my ISP's DNS' failed. Re-set up OpenDNS and everything came out great.

Thanks. Pete
B
Premium,MVM
join:2000-10-28


1 edit

Re: Exploit Code for Kaminsky DNS Bug Goes Wild

Uh, guys, if the whole point is that DNS can no longer be trusted, and you're recommending things to people, does it make sense to direct them to sites by their DNS name?

You've referred above to:

»www.theregister.co.uk/2008/07/24···es_wild/

and

»caughq.org/main.html

and

»www.caughq.org/exploits/CAU-EX-2008-0003.txt

and

»www.caughq.org/exploits/CAU-EX-2008-0002.txt

and

»www.doxpara.com

and

»www.opendns.com

At this writing, unless my current DNS resolvers are being attacked, these latter two resolve to »157.22.245.20 and »208.67.219.99, respectively.

Insanely, sadly, and hilariously however, the Kaminsky Doxpara site appears to be on a shared host and cannot be accessed by IP address!

Oops, you got the default vhost. Call LC support.

If anyone knows how to access the Doxpara.com site by its web host's IP address as a customer sub-page or whatnot, perhaps they should mention it...

Edit: Equally distressingly, »https://www.doxpara.com/ (SSL) does not resolve either; at least that would have been a trustworthy way to access the URL. I haven't followed this vulnerability at all, but I assume a cert (that you verify) is still an easy way to allay one's fears?

-- B
--
In a realm outside causality and function
SUMware
Premium
join:2002-05-21


2 edits

World's biggest ISPs drag feet on critical DNS patch

From The Register
25th July 2008 -
quote:
More than two weeks after security researchers warned of a critical defect in the net's address lookup system, some of the world's biggest internet service providers - including AT&T, BT, Time Warner and Bell Canada - have yet to install a patch inoculating their subscribers against attacks.

According to an informal survey of Register readers, 15 ISPs failed the "Check my DNS" test (see button to the right) on the website of researcher Dan Kaminsky, who discovered the bug. Now that attack code exploiting the vulnerability has been leaked into the wild, millions of subscribers are at risk of being silently redirected to impostor sites that try to install malware or steal sensitive information. Comcast and Plusnet were the only two ISPs we found that weren't vulnerable.

Subscribers of ISPs that are still vulnerable ought to hardwire an alternate DNS server into their operating system. We're partial to OpenDNS. They've been vulnerability free since at least July 8, when Kaminsky announced the bug.

Other ISPs that were reported vulnerable include: Skybroadband, Carphone Warehouse Broadband, Opal Telecom, T-Mobile, Videotron Telecom, Roadrunner, Orange, Enventis Telecom, Earthlink, Griffin Internet and Jazztel. Virgin Media, and Demon Internet were reported as potentially being vulnerable.
Libra
Premium
join:2003-08-06
USA

Re: Exploit Code for Kaminsky DNS Bug Goes Wild

I need some help here. I have the Westell 2200 modem for Verizon and saw that Crystal Sky put open dns into her router. I looked at the OpenDns page for the Westell modem, but it's different than mine.

I went to the VC Configuration page. Here's a screenshot of the PPPoE configuration.

I have 0.0.0.0. for both of the DNS servers! Why do I have 0.0.0.0.? Can I put in the OpenDns numbers here? I don't want to lose my internet if this would be wrong. Also, if I can put the numbers in, would it require any other information since the IP Address and Gateway are also 0.0.0.0. - I have no idea what I would have to put there.

Also, when I clicked on the "help" area, I got a warning I'm also attaching.

I'd appreciate any help with this. Thank you.

Sincerely, Libra

NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
Murfreesboro, TN
·AT&T Southeast
·Vonage
·Cingular Wireless
·AT&T CallVantage


1 edit

Re: Exploit Code for Kaminsky DNS Bug Goes Wild

said by Libra:

I need some help here. I have the Westell 2200 modem for Verizon... and saw that Crystal Sky put open dns into her router. I looked at the OpenDns page for the Westell modem, but it's different than mine.

I went to the VC Configuration page. Here's a screenshot of the PPPoE configuration.

I have 0.0.0.0. for both of the DNS servers! Why do I have 0.0.0.0.? Can I put in the OpenDns numbers here? I don't want to lose my internet if this would be wrong. Also, if I can put the numbers in, would it require any other information since the IP Address and Gateway are also 0.0.0.0. - I have no idea what I would have to put there.

Also, when I clicked on the "help" area, I got a warning I'm also attaching.

I'd appreciate any help with this. Thank you.

Sincerely, Libra
Try putting the desired DNS server values in the place indicated for the DNS servers, and leave the IP Address and Gateway settings as 0.0.0.0. The 0.0.0.0 setting is used as a place keeper for the ISP's DHCP/Authentication server to put in their assigned values. If you change the DNS values and it does not work, then simply log back into your DSL router and put the 0.0.0.0 values back. You can then go into the TCPIP properties page for the individual PCs and change the DNS Server values from automatic to the desired values. See my post here: »Re: Exploit code for Kaminsky DNS Bug Goes Wild to see how this is done.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall.
Libra
Premium
join:2003-08-06
USA

Re: Exploit Code for Kaminsky DNS Bug Goes Wild

Hi NetFixer!
Thank you so very much. I followed your advice regarding the modem and now both computers come up with Great! I appreciate your explaining to me what the zeros meant and how to undo my change if it didn't work.

I was very worried about this vulnerability and appreciate your help very much.

Sincerely, Libra

Traxless
Premium
join:2005-02-16
USA
·AT&T Southwest
·Cbeyond

Last night, my AT&T DNS (DFW, Texas) did not pass the test at »https://www.dns-oarc.net/oarc/services/dnsentropy. Early this morning, the same DNS addresses passed with a great rating. Something changed during the last 6 hours!

NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
Murfreesboro, TN
·AT&T Southeast
·Vonage
·Cingular Wireless
·AT&T CallVantage

Re: Exploit Code for Kaminsky DNS Bug Goes Wild

said by Traxless:

Last night, my AT&T DNS (DFW, Texas) did not pass the test at »https://www.dns-oarc.net/oarc/services/dnsentropy. Early this morning, the same DNS addresses passed with a great rating. Something changed during the last 6 hours!
Glad to hear that AT&T is slowly making progress. My latest tests with the AT&T SE servers as well as their global AnyCast servers indicate that those servers still have no random port capabilities. Considering that AT&T has had a few DNS server disasters in the past, you can understand why they are taking this slow incremental approach.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall.

scelli
Native New Yorker
Premium
join:1999-08-07
USA

said by Traxless:

Last night, my AT&T DNS (DFW, Texas) did not pass the test at »https://www.dns-oarc.net/oarc/services/dnsentropy. Early this morning, the same DNS addresses passed with a great rating. Something changed during the last 6 hours!
Keep checking periodically. I've used the test a number of times in the last 48 hours and sometimes come up with a GREAT mark, sometimes with a POOR mark and sometimes a combo of both.

Who ever really knows with Ma Bell? BTW: I've had AT&T and have always had them all the way back to January of 1997 when the company was Southwestern Bell Internet Services.
--
The maximum effective range of an excuse is ZERO meters!

sivran
Long Live The Suite
Premium
join:2003-09-15
Arlington, TX
clubs:
·RoadRunner Cable

Please note the Level3 4.2.2.1-6 IPs are anycast, and will point to the nearest Level3 DNS server to you which may or may not be patched. NetFixer and others posted showing patched Level3 servers long before my local ones were.

If you put one or two of them in, check them. If unsafe switch to OpenDNS for a few days.
--
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon profitable cause...

NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
Murfreesboro, TN
·AT&T Southeast
·Vonage
·Cingular Wireless
·AT&T CallVantage

Re: Exploit Code for Kaminsky DNS Bug Goes Wild

said by sivran:

Please note the Level3 4.2.2.1-6 IPs are anycast, and will point to the nearest Level3 DNS server to you which may or may not be patched.
Good point, and one I overlooked when recommending them as an alternative DNS source. That possibly explains why some posters are showing AT&T servers as patched and others are not since some of the AT&T servers are also AnyCast.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall.

swhx7
Premium
join:2006-07-23
Elbonia
·RoadRunner Cable


2 edits
Can one of the gurus clarify how vulnerable clients are?

The discussion on www has mostly been about DNS servers, but the original notices said to patch clients too. There are patches for popular OS's, but routers rewrite ports as mentioned in another thread, and some of the routers are not patchable. Assuming the DNS servers are good, is the client then OK? It seems that an attack would still be possible by spamming bogus replies to a client behind an unpatched NAT device.

norwegian
Premium
join:2005-02-15
Outback
·WestNet Broadband


1 edit

Re: Exploit Code for Kaminsky DNS Bug Goes Wild

said by swhx7:

The discussion on www has mostly been about DNS servers, but the original notices said to patch clients too. There are patches for popular OS's, but routers rewrite ports as mentioned in another thread, and some of the routers are not patchable. Assuming the DNS servers are good, is the client then OK? It seems that an attack would still be possible by spamming bogus replies to a client behind an unpatched NAT device.
Yes would like this clarified. It is mentioned "every level" is affected by this.

Where is the support for routers? Will having the router act as a DNS server become a problem? According to the test, my ISP's DNS tests are clear, my O/S is patched.
There is a little mention on approach at one of your best sources but looking at that list doesn't give any confidence. Will simply not having a default password be enough? Or is the level lower down the chain and, yes it is a risk, and a new router/firmware is required?

A little was discussed briefly here
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
SUMware
Premium
join:2002-05-21

From VNUnet
26 Jul 2008 -
quote:
The first attacks on the Kaminsky DNS vulnerability have been reported.

The attack was reported by a user named James Kosin to a Fedora Linux mailing list. Kosin posted a log which he said was gathered Thursday night. The attacker attempts to access the server's cache for entries to such sites as myspace, ebay and Wachovia.

timcuth
Braves Fan
Premium
join:2000-09-18
Pelham, AL
clubs:
·AT&T Southeast

Until I went through this thread, I was using TreeWalk DNS and 127.0.0.1 as my primary DNS. I perceive this as "not safe" under the new threats so, after absorbing the info in this thread, I tried the recommended tests.

I am puzzled, because they both detected my static WAN IP address as my DNS server and determined it to be unsafe.

Anyway, I switched to OpenDNS as primary and secondary in both my PC TCP/IP protocol and my router's DNS setup. Now, both test sites deem my setup to be safe. I also registered at OpenDNS, but I'm unsure about dealing with all the custom settings. I changed a few of them that I feel comfortable with.

So, since my router now uses OpenDNS, do I need to update the TCP/IP config on the rest of the PC's in my home?

Tim
--
"Life is like this long line, except at the end there ain't no merry-go-round." - Arthur on The King of Queens
~ Project Hope ~

spy1
Welcome to Amerika
Premium
join:2002-06-24
Charlotte, NC

Re: Exploit Code for Kaminsky DNS Bug Goes Wild

I don't know if it really answers your question or not, but after I switched my router to OpenDNS, I checked my wife's computer (connected by a LinkSys wireless card) at both links and it passed, too, without my having to do anything further.

Pete

FiOS Dan
Premium
join:2001-07-06
Redondo Beach, CA
·Verizon FIOS

said by timcuth:

So, since my router now uses OpenDNS, do I need to update the TCP/IP config on the rest of the PC's in my home?
Based upon the knowledgeable feedback I have received here at BBR the past couple of weeks timcuth I would say that your router settings trump the TCP/IP config in your PCs, so just set the latter to automatic.
--
Courage is being scared to death but saddling up anyway.

caffeinator
Coming soon to a cup near you..
Premium
join:2005-01-16
Spokane, WA

Re: Exploit Code for Kaminsky DNS Bug Goes Wild

That's how my setup works, and so far so good.

OT, but perhaps not..I noticed there were several updates for IPcop recently too.
TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
Yonkers, NY

said by timcuth:

Until I went through this thread, I was using TreeWalk DNS and 127.0.0.1 as my primary DNS. I perceive this as "not safe" under the new threats so, after absorbing the info in this thread, I tried the recommended tests.

I am puzzled, because they both detected my static WAN IP address as my DNS server and determined it to be unsafe.
Treewalk was acting as the server and actually doing the lookups.

said by timcuth:

So, since my router now uses OpenDNS, do I need to update the TCP/IP config on the rest of the PC's in my home?

Tim
It depends on whether you have entered DNS servers, in the past, into the network configuration for those computers. If you have them set to obtain the DNS servers via DHCP then the computers are simply asking the router for the DNS servers and you are fine.

On a computer you either set the DNS server IPs manually, or you tell it to obtain them via DHCP. If you have set the IPs in the computer manually the computer will use the IPs you have set manually as the servers.

If you tell it to obtain them via DHCP, depending on the router, the router may pass the IP of the router or the IPs it has as DNS servers. (What those IPs are follows the same logic as with the computer, they can be set manually or obtained via DHCP.) As long as the computer is set to obtain DNS servers via DHCP then the computer will end up using the servers in the router.
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.

timcuth
Braves Fan
Premium
join:2000-09-18
Pelham, AL
clubs:
·AT&T Southeast

Re: Exploit Code for Kaminsky DNS Bug Goes Wild

PS - I tested the other PC's in the house and they all tested good and it showed that they are all hitting the OpenDNS IP. So, in my LAN anyway, just pointing the router there did indeed suffice for all my LAN nodes.

Thanks again,
Tim
--
"Life is like this long line, except at the end there ain't no merry-go-round." - Arthur on The King of Queens
~ Project Hope ~

timcuth
Braves Fan
Premium
join:2000-09-18
Pelham, AL
clubs:
Ok, I think I've got it. Thanks.

Tim

KC_User

@swbell.net

I made a batch file to switch the DNS servers over for the command prompt junky, as I am. Naturally, use at your OWN RISK. OS: Win XP (sp-2), dns is hardcoded into the network settings, not obtained through DHCP. The batch file, as written, depends on the connection being named "Local Area Connection". In the file, I call certain DNS servers "gte" that I've seen referred to in this thread as "Level3".

Naturally, the batch file can be modified, and the underlying command, netsh, in combination with a batch file, can be used to script complete configuration of a network connection. In this case, this file deals with DNS only.

The file will have to be changed from .txt to .bat and in the path of your command prompt. My command prompt opens in the directory where my batch files are located.

KC_User

@swbell.net

Re: Exploit Code for Kaminsky DNS Bug Goes Wild

ipdns.txt 2,986 bytes
Me thinks I posted too soon. I made changes to the file, added servers, and it seems to work fine on my XP machine. When a change is made, it takes effect at once, so I can click retest on the dns-oarc.net to see the changes. Should be useful for someone wanting to test a series of DNS servers for this vulnerability.

Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw

For what it is worth considering I used a URL to get to the test site, it appears that Shaw in Calgary is 'Great' (I always rather liked Shaw). Now certainly he who controls DNS for the most part controls the internet, but let's put on our thinking caps (an exercise in thinking evil if you may) and see if we can think of another way to do this, without actually owning someone else's DNS server. Remember the internet is based on 30+ year technology where the goal wasn't security, but actually just making it work so there are so many assumptions involved in the internet it's enough to fill the heart of any hacker with glee.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool

norwegian
Premium
join:2005-02-15
Outback
·WestNet Broadband

Re: Exploit Code for Kaminsky DNS Bug Goes Wild

That is what I get at my end, so that is good then.

Because I'm back to the question no one seems to have gotten close to yet. Can someone explain this to me in layman terms.

To me here it seems to be a cure on randomization of ports?
I remember this topic by Daniel that, to me isn't all that different, maybe totally different topic, but there is a very distinct pattern in that is this;

There is a set number of ports, set patterns etc, but to randomize them is only to defer from conforming to using certain blocks for only certain behaviours and thus restricting your practices and limiting options. But as a layer, it is good, better odds for not getting infected. But as mentioned though not to be used as the main layer. What is it about DNS that makes it easy to poison? Why has this not become resolved why hasn't a system been made to counter this.

Now after my ramble, what else is different about this, other than extending port range and random process. If that's my first line of defense, well, what can you say.... Not sure why this exploit has me feeling apprehensive, even though it is just another patched hole!?
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke

timcuth
Braves Fan
Premium
join:2000-09-18
Pelham, AL
clubs:
·AT&T Southeast

Re: Exploit Code for Kaminsky DNS Bug Goes Wild

Here is the explanation as best as I can understand it. The "fix" to DNS servers is not really a fix. The exploit is still possible, but with a much smaller (millions of times smaller) chance of success. This is due to the much larger set of possible ports used by a patched DNS server.

I think there is a clearer, more rigorous explanation by Dan Kaminsky at the site »www.doxpara.com which is also his blog page as well as a "Check your DNS" site.

Tim
--
"Life is like this long line, except at the end there ain't no merry-go-round." - Arthur on The King of Queens
~ Project Hope ~

norwegian
Premium
join:2005-02-15
Outback
·WestNet Broadband

Re: Exploit Code for Kaminsky DNS Bug Goes Wild

quote:
Here is the explanation as best as I can understand it. The "fix" to DNS servers is not really a fix. The exploit is still possible, but with a much smaller (millions of times smaller) chance of success.
It is mentioned port 53 for DNS as being an issue because the port is known. Is it because of inherent design? If so firmware updates are how easy for this? I doubt my router is even supported any more, even though the company at the time, supplied a great service on making sure I received the security update firmware it needed. As I asked about the use of a router doing DNS lookup to the ISP's DNS servers and if there was a flaw it seems there may be then. It was noted Microsoft did the O/S level in a patch with last updates.

If only there was a way to check the IP's at all levels including your router; as it seems by comments of the site, people are asking already but there isn't anything available at present, unless I'm missing a setting I don't know about. Then that isn't hard some days.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
B
Premium,MVM
join:2000-10-28

Looks like the researcher has answered my IP address question, but in a strange way. Rather than admitting "I'm too cheap to pay for dedicated hosting", he writes:

To Answer A Couple Of Questions

Some people would like to have the IP address of www.doxpara.com, so that if their DNS server is compromised, they can still find out if it’s vulnerable (the theory being, if it’s compromised, it won’t actually go to Doxpara).

Here’s the problem: I’m watching you look up Doxpara’s names. That’s how I can see what ports you’re using! If you don’t use DNS to find Doxpara, I can’t watch you finding Doxpara, and thus I can’t tell you if you’re always using the same ports.

Also, people want to have the ability to ask for a particular name server to be tested. My problem here is that I probably don’t have access to your name server, except through you — so I need your web browser to poke your name server to look up a name from me. Then, and only then, can I tell you if there’s a problem.

Finally, some people think that if their name server only accepts requests from Internet IP’s, it’s safe. No. As alluded to in the last paragraph, I may not have access to your nameserver, but your browser does, and I do have access to your browser.

So, in conclusion: Patch, and verify the patch is working (NATs continue to be a headache). If it’s not working, forward to something that is. OpenDNS has capacity to spare.
Uh, so his site couldn't accept a connection by IP address and then test via further DNS queries? At least one of us is not as smart and/or honest as he or she thinks he or she is. (Yeah, it's probably me...)

-- B
--
In a realm outside causality and function
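
The port check discussed in the posts above (a test server watching which source ports a resolver's lookups arrive from, and the larger guessing space a patched server gives), as an added example that is not from the thread or from any test site's code. The cut-off values, function names and sample observations are assumptions constructed for illustration.

```python
import math
import statistics
from collections import defaultdict

TXID_BITS = 16        # the DNS transaction ID is a 16-bit field
MIN_SAMPLES = 5       # assumption: fewer queries than this cannot be rated
POOR_BELOW = 300.0    # assumption: illustrative std-dev cut-offs, not the
GREAT_FROM = 4000.0   # published thresholds of any real test service

# Constructed sample: source ports seen per resolver egress IP, as a test
# server's query log would show them. IPs are documentation ranges.
SAMPLE_PORTS = {
    "192.0.2.10": [32768] * 6,                                # fixed port
    "192.0.2.11": [1025, 1026, 1027, 1028, 1029, 1030],       # sequential
    "198.51.100.5": [1500, 4200, 7800, 2900, 6100, 8800],     # small pool
    "203.0.113.7": [1734, 60211, 23987, 45102, 9120, 33650],  # wide spread
}
OBSERVED = [(ip, p) for ip, ports in SAMPLE_PORTS.items() for p in ports]


def rate_ports(ports):
    """Return (rating, std_dev, guess_bits) for one resolver's source ports."""
    if len(ports) < MIN_SAMPLES:
        return ("UNKNOWN", None, None)
    std_dev = statistics.pstdev(ports)
    # A uniform spread over R ports has std dev R / sqrt(12); invert that to
    # estimate how many ports the resolver is really choosing from.
    est_range = max(1.0, std_dev * math.sqrt(12))
    port_bits = min(16.0, math.log2(est_range))
    if std_dev < POOR_BELOW:
        rating = "POOR"
    elif std_dev < GREAT_FROM:
        rating = "GOOD"
    else:
        rating = "GREAT"
    # A forged reply must match both the transaction ID and the port.
    return (rating, round(std_dev, 1), round(TXID_BITS + port_bits, 1))


def rate_resolvers(observations):
    """Group (egress_ip, source_port) pairs by IP and rate each resolver."""
    by_ip = defaultdict(list)
    for ip, port in observations:
        if not 0 < port < 65536:
            raise ValueError(f"invalid UDP port {port!r} for {ip}")
        by_ip[ip].append(port)
    return {ip: rate_ports(ports) for ip, ports in by_ip.items()}


def summarize(results):
    """One verdict for a service address that several backends answer for."""
    ratings = {r[0] for r in results.values()} - {"UNKNOWN"}
    if not ratings:
        return "UNKNOWN"
    return "MIXED" if len(ratings) > 1 else ratings.pop()


if __name__ == "__main__":
    results = rate_resolvers(OBSERVED)
    for ip, (rating, std_dev, bits) in sorted(results.items()):
        print(f"{ip:14} {rating:7} std dev {std_dev:>8}  ~{bits} bits to guess")
    print("service verdict:", summarize(results))
```

Rating per egress IP matters when one configured DNS address is answered by several machines: a pool in which only some backends randomize their ports comes out as MIXED rather than as a single grade.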

stefaanE
Premium
join:2002-07-10
Luxembourg
·Redwood Virtual

Excuse me, but am I the only one who feels that the exploits (at least the description provided in the Register links »www.caughq.org/exploits/CAU-EX-2008-0002.txt and »www.caughq.org/exploits/CAU-EX-2008-0003.txt) are not all that impressive?

The DNS cache has to be configured to resolve addresses for all comers. Any cache configured like that deserves to be poisoned.

The real challenge is to subvert a properly configured cache, which requires access to a machine in the network the cache is serving. Granted, given the number of pwned machines there must be quite a few access providers that need to protect themselves from their customers' systems.

Anyone running their own DNS cache that does not respond to queries on port 53 from the Internet should be absolutely safe from the published exploit, randomized ports or not.

Take care,

Stefaan
--
"Technically, Windows is an 'operating system,' which means that it supplies your computer with the basic commands that it needs to suddenly, with no warning whatsoever, stop operating." -Dave Barry


Kayrac
Premium
join:2001-09-29
Rochester, NH

While i have absolutely 0 verification of this, i just heard from a source i trust very much, quoted

"A DNS server belonging to SBCGlobal (AT&T) is providing xx.xxx.xx.xx.x.x as an answer to www.google.com."

Like i said, no proof, but i trust where i heard it from

just figured i'd let you guys know
Sunday, 29-Nov 05:41:23 © 1999-2009 dslreports.com