dns exploit

Brian Keefer chort at smtps.net
Sat Jul 26 06:53:46 UTC 2008


On Jul 25, 2008, at 11:43 PM, Chris Buxton wrote:
>
> On Jul 25, 2008, at 11:30 PM, Brian Keefer wrote:
>
>> I just looked at it a bit more closely...
>>
>> I'm using OpenBSD for my firewall and my nameservers.  The
>> firewall is 3.5, the nameservers are 4.3.  The firewall is just
>> doing standard PF nat for outbound requests.  Whether I used the
>> doxpara tool or dns-oarc, the source ports from my recursive
>> resolver were the same (pre-patch), but on the external interface
>> of my firewall, the packets to doxpara did not get randomized
>> ports, while those to dns-oarc did.  Post-patch the resolver
>> itself has random source ports, so it's moot.


I verified that they're random on the external side of my firewall,
in addition to simply being random coming out of my resolver on the
internal net.

> I'm not exactly sure what you said, but I do know that if your  
> firewall or port forwarder is changing the source ports of outbound  
> queries to be something predictable, or to be all the same, then  
> you have a problem. The patch on your name server is not enough -  
> you also have to fix your firewall.
>

In English it translates close enough as:  In one set of cases my  
firewall was randomizing the ports from the original static values,  
while in another set of cases it was not randomizing them from the  
original static values.  I found this very odd.  Since applying the  
patch they're random on both sides.

> Linux iptables does not appear to change source ports.
>
> Chris Buxton
> Professional Services
> Men & Mice
>

Not by default, but people have written custom netfilter/iptables  
rules to do it.

iptables:
http://cipherdyne.org/blog/2008/07/mitigating-dns-cache-poisoning-attacks-with-iptables.html

PF:
http://blog.spoofed.org/2008/07/mitigating-dns-cache-poisoning-with-pf.html

Anyway, I welcome the continued discussion as it seems like this
will be a very long and laborious procedure to get even 80% of
network infrastructure protected.  I spent half the day today
tracking down servers at work that needed to be patched, and fixing
some that had query-source-port 53; //sigh

Fortunately smart folks have pointed out forwarding requests to  
patched resolvers, or using packet filter port randomization as  
immediate work-arounds until permanent solutions can be put into place.

Brian Keefer
Sr. Systems Engineer
www.Proofpoint.com
"Defend email.  Protect data."
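The inside-versus-outside check Brian describes (capture queries leaving the resolver, then capture them again on the firewall's external interface and see whether the NAT kept them unpredictable) can be made repeatable with a small script. This is an added example, not code from the post or the linked articles; it assumes `tcpdump -n` text output as input, and the three captures embedded below are constructed samples, not real traffic.

```python
"""Classify the UDP source ports of outbound DNS queries seen in tcpdump output.

Run `tcpdump -n -l udp dst port 53` on the resolver's inside interface and
again on the firewall's outside interface; a NAT that rewrites ports to a
fixed or sequential value shows up as a non-random verdict on the outside.
"""
import re

# tcpdump -n prints "IP src.port > dst.port:"; only queries to port 53 match.
LINE_RE = re.compile(r"IP \d+\.\d+\.\d+\.\d+\.(\d+) > \d+\.\d+\.\d+\.\d+\.53:")


def source_ports(lines):
    """Return the source port of every DNS query line, in capture order."""
    return [int(m.group(1)) for m in map(LINE_RE.search, lines) if m]


def assess(ports, min_spread=1024):
    """Verdict: 'static', 'sequential', 'random', 'low-entropy' or 'insufficient'."""
    if len(ports) < 2:
        return "insufficient"
    if len(set(ports)) == 1:
        return "static"            # e.g. query-source port 53, or a NAT pinning one port
    deltas = {b - a for a, b in zip(ports, ports[1:])}
    if len(deltas) == 1:
        return "sequential"        # NAT handing out ports in a fixed stride
    distinct_ratio = len(set(ports)) / len(ports)
    if distinct_ratio >= 0.9 and max(ports) - min(ports) >= min_spread:
        return "random"
    return "low-entropy"


# Constructed tcpdump excerpts (not real captures) for the three cases.
STATIC_INSIDE = [
    "23:30:01.000100 IP 10.0.0.2.53 > 192.0.2.10.53: 4123+ A? a.example. (27)",
    "23:30:01.000200 IP 10.0.0.2.53 > 192.0.2.10.53: 4124+ A? b.example. (27)",
    "23:30:01.000300 IP 10.0.0.2.53 > 192.0.2.10.53: 4125+ A? c.example. (27)",
    "23:30:01.000400 IP 10.0.0.2.40123 > 192.0.2.10.443: Flags [S], seq 1",  # ignored
]
SEQUENTIAL_OUTSIDE = [
    f"23:30:02.0001{i:02d} IP 203.0.113.1.{60000 + i} > 192.0.2.10.53: {4123 + i}+ A? a.example. (27)"
    for i in range(5)
]
RANDOM_OUTSIDE = [
    f"23:30:03.0001{i:02d} IP 203.0.113.1.{p} > 192.0.2.10.53: {4123 + i}+ A? a.example. (27)"
    for i, p in enumerate((1025, 39012, 60971, 7442, 51203, 22890, 44761, 13337, 58021, 30480))
]

if __name__ == "__main__":
    for name, capture in (("inside", STATIC_INSIDE), ("outside/A", SEQUENTIAL_OUTSIDE),
                          ("outside/B", RANDOM_OUTSIDE)):
        print(f"{name}: {assess(source_ports(capture))}")
```

Anything other than "random" on the outside interface means the packet filter, not just the resolver, still needs attention.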




More information about the bind-users mailing list