[YLUG] Kaminsky dns vulnerability - checking

mike cloaked mike.cloaked at gmail.com
Fri Aug 1 09:45:31 BST 2008


A few weeks ago there was a co-ordinated public announcement of
patches available on all major operating systems to fix the dns
poisoning vulnerability identified by Kaminsky a few months ago that
could have had a major impact on network security across the internet.
(dns cache poisoning could lead users to hackers' websites instead of
the real sites! This could have proved very costly where bank sites
were involved, for example)

Since then there has been a significant rise in the number of properly
patched systems/servers across the world, though currently there is
still a significant fraction of unpatched servers across the world.
Some ISPs have still not implemented the patches and you can check
your own systems/isp by going to the web page at:
https://www.dns-oarc.net/oarc/services/dnsentropy
and clicking on "Test my DNS"

From a terminal shell you can do:
dig +short porttest.dns-oarc.net TXT
(You can also add @my-dns-server before the +short part to point the
request at a specific dns server, such as your own machine if you run
"named" on it for example)

Either way you should get a high score such as "GREAT" on both "Source
Port Randomness" and "Transaction ID Randomness" tests - if so then
you are not vulnerable to DNS poisoning attacks. If you get a "POOR"
score then you need to apply dns patches asap.
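As an added illustration (not part of this post or of OARC's own test code) of what the two scores measure, here is a small Python script that grades constructed samples of a resolver's outgoing source ports and transaction IDs by how widely they vary, as the porttest does; the GREAT/GOOD/POOR thresholds are my own rough approximations, not OARC's published values.

```python
import math
import random
import statistics

# Constructed samples, not real captures. Each entry is (source port, txid)
# for one outgoing query from the resolver under test.
random.seed(1)
PATCHED = [(random.randrange(1024, 65536), random.randrange(0, 65536))
           for _ in range(30)]
# Pre-patch behaviour: one fixed source port and incrementing txids.
UNPATCHED = [(32768, 0x4000 + i) for i in range(30)]


def rate(values, great=3980, good=296):
    """Grade a sample of 16-bit values by their spread (population std dev).

    Thresholds are assumptions chosen to separate a fixed or sequential
    sequence from a uniformly random one; they are not OARC's numbers.
    """
    if len(set(values)) < 2:
        return "POOR"          # every query used the same value
    sd = statistics.pstdev(values)
    if sd >= great:
        return "GREAT"
    if sd >= good:
        return "GOOD"
    return "POOR"


def grade_resolver(samples):
    """Return the two scores the OARC test reports, from (port, txid) pairs."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    return {"Source Port Randomness": rate(ports),
            "Transaction ID Randomness": rate(txids)}


def guess_space_bits(samples):
    """Rough size, in bits, of the (port, txid) space a forged reply must hit.

    A fixed source port collapses this from roughly 32 bits to 16, which is
    why port randomisation is the core of the Kaminsky patch.
    """
    ports = {p for p, _ in samples}
    txids = {t for _, t in samples}
    return math.log2(len(ports)) + math.log2(len(txids))


if __name__ == "__main__":
    for name, s in (("patched", PATCHED), ("unpatched", UNPATCHED)):
        print(name, grade_resolver(s), round(guess_space_bits(s), 1))
```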

In the past few days there have been log entries on servers in various
places indicating that an increasing number of dns poisoning attempts
are now taking place in the wild (presumably from automated scripts
from the bad boys!) - and it is particularly important that the number
of protected systems reaches a high percentage as soon as possible.

If you have a current Linux distro and it is fully up to date then you
should already have the patch in place (for bind9). I had a machine
running an EOLed distro (FC7) for reasons that make it difficult to
upgrade at present and I now have a recipe for back-porting the dns
patch from the Fedora 9 updated bind rpm. On Fedora all systems
earlier than F8 no longer have updates available. My brother had two
servers still running FC6 and he used the same method to back-port the
patches to his machine - it works nicely and if anyone needs a copy of
this recipe just post on this list and I will put the recipe in as a
posting. (Essentially it does an rpm rebuild of the bind/bind-chroot
and related rpms which can then simply be locally installed as
updates.)

Others on this list may know what the situation is regarding Ubuntu
and early versions?

If you run the tests at the top of this post and find your ISP (or
your own machine) is not yet patched then it would be worthwhile
contacting them (or you!) to persuade them to update their dns
servers. The web based test will run on Windows boxes of course - and
Microsoft made the patch announcement for XP/Vista on the same day as
the Linux and Mac announcements.

Hope this helps at least some people...

-- 
mike
