Date: 23 July 2008
References: AL-2008.0080
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2008.0083 -- AUSCERT ALERT
[Win][UNIX/Linux][Juniper][Cisco]
DNS cache poisoning fix may be ineffective with an intervening NAT device
23 July 2008
===========================================================================
AusCERT Alert Summary
---------------------
Product: DNS
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Juniper
Cisco
Impact: Provide Misleading Information
Access: Remote/Unauthenticated
Member content until: Wednesday, August 20 2008
Ref: AL-2008.0080
OVERVIEW
The source-port randomisation fix for the recent DNS cache
poisoning vulnerability [1] may be made ineffective by a NAT
device which does not perform source port randomisation in the
query path [2].
IMPACT
DNS software behind such a NAT device would be vulnerable to cache
poisoning as if the source-port randomisation fix had not been
applied.
DETAILS
To understand how an affected NAT device reverses the fix, we can
examine the data flow for a DNS request.
First, the patched DNS server sends out a request on a random port.
This request reaches the affected NAT device which then makes its
own request on behalf of the DNS server. The NAT device, not having
source port randomisation, sends this request from a fixed port and
a forged reply is able to be returned. The NAT device accepts this
malicious reply and then responds to the DNS server with that
information. The DNS server, thinking it has received a secure
response, accepts this information, caching valid records contained
in the malicious query response.
MITIGATION
Affected DNS servers should be set to forward to a non-vulnerable
DNS server and to stop caching. Information on how to do this with
BIND 9 can be found on ISCs "Setting up BIND to forward to patched
name server" page [3].
If a router or other NAT device is being used as a DNS server and
that device does not randomise ports the only solution is to
either upgrade the firmware on that device to a version that does
randomise ports (if available) or replace it with a device that
is not vulnerable. If possible, forwarding to a DNS resolver
outside the NAT device (and thereby bypassing it) could also solve
this problem.
To find out whether your DNS servers are vulnerable to cache
poisoning, the following commands can be used. For UNIX or Linux
users:
dig porttest.dns-oarc.net in txt
or for Windows users:
nslookup -class=in -type=txt porttest.dns-oarc.net
The result of these commands should include a line like:
[SERVER ADDRESS] is GOOD: X queries in Y seconds from Z ports...
A status of GOOD or FAIR is considered acceptable. Any other
status should be considered a failure.
REFERENCES
[1] AusCERT Alert AL-2008.0080
http://www.auscert.org.au/9546
[2] Paul Vixie's Blog - Not a Guessing Game
http://www.circleid.com/posts/87143_dns_not_a_guessing_game/
[3] ISC - BIND Forwarding
http://www.isc.org/sw/bind/docs/forwarding.php
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBSIbeiCh9+71yA2DNAQIJugP/epXkPpdir0m/pVkqflKZW3lGXXq5Rikk
zwyQpC2g+xleGZ/9LLyip58VRZZKnk8cgAFflCSNuF1XcunFPZ7SbFAImayunRVJ
wSe0dSuWQTWNP6+vtwyvXuozGeAyhCRA33rrYMakDbrCBWY3+l2NGgWDckl4KclU
xi+AJaaRSNQ=
=KpXV
-----END PGP SIGNATURE-----
|