Solution For BIND 9 Vulnerability ( DNS Cache Poisioning)

Protecting your Linux box
Post Reply
dev/null

Solution For BIND 9 Vulnerability ( DNS Cache Poisioning)

Post by dev/null »

AOA
and Hi to all friends.

I am back again with another cracking solution .
BIND 9 now have Vulnerability and it will effects all major distributions ,


BACKGROUND (Old Vulnerabilities):
-----------------------------------------
Though it already were Vulnerable and that was discovered in late 2006
according to ciac.org two vulnerabilities have been discovered that affects various versions of BIND 9.

PLATFORM: BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3b1, 9.3.3rc1, 9.4.0a1, 9.4.0a2, 9.4.0a4, 9.4.0a5, 9.4.0a6, 9.4.0b1

DAMAGE: If exploited, these vulnerabilities could potentially lead to a denial-of-service (DoS) condition.

For more information you can visit :
http://www.ciac.org/ciac/bulletins/q-303.shtml


Current Vulnerability (DNS Cache Poising) :
--------------------------------------------------
Discovered by Dan Kaminsky earlier this month announced a massive, multi-vendor issue with DNS that could allow attackers to compromise any name server - clients, too.



Instead of writing details on the Vulnerability i decided to write on current solution for DNS Cache Poisioning,


Fedora/CentOS Solution :
-----------------------------

Prerequisites And Assumptions :

+ Your firewall (iptables NAT/PAT or PIX) must have port 53 open in such a way that it will allow random port selection.

+ You must be running BIND 9 on Centos 4 or 5 or any Fedora core system.

+ Bind must be running in chrooted mode though not a prerequisite but a best practice.

+ In your /etc/named/named.conf OR /etc/named.conf files....One must disable recursive querying and also add an acl to only allow their networks to do recursive requests. With this, the system administrator will have reduced chances of cache poisoning down to their own known networks.

acl "mynetworks" {
127/8; 172.16.0.0/12; 10.0.0.0/8;
--------------------------------------------------------
view "internal" {
match-clients { mynetwork; };
allow-query { mynetwork; };
allow-recursion { mynetwork; };
match-recursive-only yes;
--------------------------------------------------------
view "external" {
match-clients { any; };
allow-query { any; };
allow-recursion { none; };
match-recursive-only no;
-------------------------------------------------------


To Fix The BIND Vulnerability :
-----------------------------------
The first step is for one to check if their system is vulnerable...by running the commands below replacing ns1.linux.net.pk with your organization's TLD or ccTLD.

[root@pk~] # dig +short @ns1.linux.net.pk porttest.dns-oarc.net TXT

z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"192.168.1.3 is POOR: 26 queries in 20.0 seconds from 1 ports with std dev 0.00"

POOR-----> definitely indicates that the name-server or system in question is vulnerable and of course the BIND software running is also old and needs to be PATCHED ...

SOLUTION/FIX :
------------------
For those who run CentOS OR Fedora systems.....yum can be used to patch the systems. The CentOS 5 developers have already released a patch for BIND software and the current one is: bind-9.3.4-6.0.2.P1.el5_2. P1 indicates the package is a patched one.

On my systems after patching i got this result..

[root@pk~]# rpm -q bind

bind-9.3.4-6.0.2.P1.el5_2 ----> if your bind version is not patched..then patch it.

should do this to get the latest software and patch.

[root@pk~]# yum update bind bind-chroot -y

One should edit their named.conf file and add the following. Save and reload BIND.

[root@pk~]# vi /etc/named.conf

options {
directory "/var/named";
allow-transfer {192.168.1.4 ;};
query-source address * port 53; ##COMMENT or REMOVE THIS LINE.It will allow random port selection. Only do this if this parameter is enabled under options in your named.conf file.

dnssec-enable yes; ## ADD THIS OPTION TO ENABLE DNS-SEC.

[root@pk~]# :wq
-------------------------------------------------------------------------------------
* The above line when added to your named.conf file will enable DNS-SEC. Go ahead and set up DNS-SEC

LAST STEP :
--------------

[root@pk~]# /etc/init.d/named reload

TEST YOUR PATCH/FIX :
----------------------------

[root@pk~] # dig +short @ns1.linux.net.pk porttest.dns-oarc.net TXT
[root@pk~] # z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"192.168.1.3 is GOOD: 26 queries in 19.6 seconds from 26 ports with std dev 16515.27"

GOOD indicates that the name server in question at 192.168.1.3 appears to be safe, but one must make sure the ports listed aren't following an obvious pattern. i.e the ports with standard deviation..16515.27...But if your test clocks ( 10000.00 std dev ) then your DNS server is safer and your clients or users should not worry.

Zeeshan Saeed Paracha
ISO 9001 Lead Auditor / Consultant
Uncertified Senior System Administrator
Uncertified Chief Hardware Technision
Http://Itadmin.co.cc
Http://Imdeveloper.net
Http://Cache.page.tl
CELL : 0300 - 2220083
0323 - 2483387
0333 - 3452237
x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad
Contact:

Post by x2oxen »

What you will say about FreeBSD?
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore
Contact:

Post by lambda »

all operating systems that use bind are vulnerable.

fortunately, i use djbdns, and have for about eight years.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
nasacis
Battalion Havaldaar Major
Posts: 269
Joined: Sat Dec 13, 2003 3:58 pm
Location: Faisalabad
Contact:

Post by nasacis »

Read this article about cache piosioning
http://www.kb.cert.org/vuls/id/800113
Nafees Ahmed
Cell: +92.300.8653568
UAN: 041-111432432
Nexlinx Faisalabad
www.nexlinx.net.pk
nafees29@gmail.com
x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad
Contact:

Post by x2oxen »

Well atleast mine are save now as i have upgraded them and they successfully completed all the Vulnerability tests required.
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com
nomankhn
Colonel
Posts: 714
Joined: Wed Aug 07, 2002 8:00 pm

Post by nomankhn »

x2oxen wrote:Well atleast mine are save now as i have upgraded them and they successfully completed all the Vulnerability tests required.
how?

Thanks,
Noman Liaquat
x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad
Contact:

Post by x2oxen »

This is quite old now. You asking late.. Update your server box. A lot of patches are available for this now. For which distro you want to do it?
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com
Post Reply