AOA
and Hi to all friends.
I am back again with another cracking solution.
BIND 9 now has a vulnerability, and it affects all major distributions.
BACKGROUND (Old Vulnerabilities):
-----------------------------------------
Though it was already vulnerable, and that was discovered in late 2006:
according to ciac.org, two vulnerabilities have been discovered that affect various versions of BIND 9.
PLATFORM: BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3b1, 9.3.3rc1, 9.4.0a1, 9.4.0a2, 9.4.0a4, 9.4.0a5, 9.4.0a6, 9.4.0b1
DAMAGE: If exploited, these vulnerabilities could potentially lead to a denial-of-service (DoS) condition.
For more information you can visit :
http://www.ciac.org/ciac/bulletins/q-303.shtml
Current Vulnerability (DNS Cache Poisoning):
--------------------------------------------------
Discovered by Dan Kaminsky, who earlier this month announced a massive, multi-vendor issue with DNS that could allow attackers to compromise any name server - clients, too.
Instead of writing details on the vulnerability, I decided to write on the current solution for DNS cache poisoning.
Fedora/CentOS Solution :
-----------------------------
Prerequisites And Assumptions :
+ Your firewall (iptables NAT/PAT or PIX) must have port 53 open in such a way that it will allow random port selection.
+ You must be running BIND 9 on Centos 4 or 5 or any Fedora core system.
+ BIND should be running in chrooted mode; this is not a prerequisite, but a best practice.
+ In your /etc/named/named.conf OR /etc/named.conf file, one must disable recursive querying and also add an acl to only allow their networks to do recursive requests. With this, the system administrator will have reduced the chances of cache poisoning down to their own known networks.
acl "mynetworks" {
    127/8; 172.16.0.0/12; 10.0.0.0/8;
};
--------------------------------------------------------
view "internal" {
    match-clients { mynetworks; };      // must match the acl name declared above
    allow-query { mynetworks; };
    allow-recursion { mynetworks; };
    match-recursive-only yes;
    // zone statements served to internal clients go here
};
--------------------------------------------------------
view "external" {
    match-clients { any; };
    allow-query { any; };
    allow-recursion { none; };
    match-recursive-only no;
    // zone statements for your authoritative zones go here
};
-------------------------------------------------------
To Fix The BIND Vulnerability :
-----------------------------------
The first step is for one to check if their system is vulnerable, by running the commands below, replacing ns1.linux.net.pk with your organization's TLD or ccTLD.
[root@pk~] # dig +short @ns1.linux.net.pk porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"192.168.1.3 is POOR: 26 queries in 20.0 seconds from 1 ports with std dev 0.00"
POOR-----> definitely indicates that the name server or system in question is vulnerable, and of course the BIND software running is also old and needs to be PATCHED...
SOLUTION/FIX :
------------------
For those who run CentOS or Fedora systems, yum can be used to patch the systems. The CentOS 5 developers have already released a patch for the BIND software and the current one is: bind-9.3.4-6.0.2.P1.el5_2. P1 indicates the package is a patched one.
On my systems, after patching, I got this result:
[root@pk~]# rpm -q bind
bind-9.3.4-6.0.2.P1.el5_2 ----> if your BIND version is not patched, then patch it.
You should run this to get the latest software and patch:
[root@pk~]# yum update bind bind-chroot -y
One should edit their named.conf file and add the following, then save and reload BIND.
[root@pk~]# vi /etc/named.conf
options {
    directory "/var/named";
    allow-transfer { 192.168.1.4; };
    query-source address * port 53; ## COMMENT OUT or REMOVE THIS LINE. It will then allow random port selection. Only do this if this parameter is enabled under options in your named.conf file.
    dnssec-enable yes; ## ADD THIS OPTION TO ENABLE DNSSEC.
};
[root@pk~]# :wq
-------------------------------------------------------------------------------------
* The above line, when added to your named.conf file, will enable DNSSEC. Go ahead and set up DNSSEC.
LAST STEP :
--------------
[root@pk~]# /etc/init.d/named reload
TEST YOUR PATCH/FIX :
----------------------------
[root@pk~] # dig +short @ns1.linux.net.pk porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"192.168.1.3 is GOOD: 26 queries in 19.6 seconds from 26 ports with std dev 16515.27"
GOOD indicates that the name server in question at 192.168.1.3 appears to be safe, but one must make sure the ports listed aren't following an obvious pattern, i.e. the ports with a standard deviation of 16515.27. But if your test clocks a std dev of 10000.00, then your DNS server is safer and your clients or users should not worry.
Zeeshan Saeed Paracha
ISO 9001 Lead Auditor / Consultant
Uncertified Senior System Administrator
Uncertified Chief Hardware Technision
Http://Itadmin.co.cc
Http://Imdeveloper.net
Http://Cache.page.tl
CELL : 0300 - 2220083
0323 - 2483387
0333 - 3452237
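As an added example (this is not code from Zeeshan's post), here is a small POSIX shell script that checks, offline, the two things the procedure above hinges on: whether named.conf still pins the outbound query-source port (and whether dnssec-enable is set), and how to read the porttest.dns-oarc.net TXT answer. The named.conf fragments and the two TXT answers are constructed from the samples quoted in the post; the 10000 std dev figure is the one the post itself uses; treating GREAT as a second passing verdict is my own assumption about the porttest service, since the post only shows GOOD.

```shell
#!/bin/sh
# Added example, not code from the original post. Offline checks for the two
# steps above: auditing named.conf for a pinned query-source port and reading
# the porttest.dns-oarc.net answer. All sample input below is constructed.

# The two TXT answers quoted in the post, used as sample input.
POOR_ANSWER='"192.168.1.3 is POOR: 26 queries in 20.0 seconds from 1 ports with std dev 0.00"'
GOOD_ANSWER='"192.168.1.3 is GOOD: 26 queries in 19.6 seconds from 26 ports with std dev 16515.27"'

# write_sample_confs DIR
# Writes two constructed named.conf fragments: before.conf with the pinned
# port the post says to remove, after.conf with it commented out and
# dnssec-enable added.
write_sample_confs() {
    cat > "$1/before.conf" <<'EOF'
options {
    directory "/var/named";
    query-source address * port 53;
};
EOF
    cat > "$1/after.conf" <<'EOF'
options {
    directory "/var/named";
    // query-source address * port 53;
    dnssec-enable yes;
};
EOF
}

# live_lines FILE: the config with whole-line comments (# or //) dropped
live_lines() {
    grep -Ev '^[[:space:]]*(#|//)' "$1"
}

# audit_named_conf FILE
# Prints one finding per line. Returns 1 if query-source (or query-source-v6)
# pins a numeric port, which forces every outbound query through one UDP port
# and defeats source-port randomization, or if dnssec-enable yes is missing.
audit_named_conf() {
    rc=0
    if live_lines "$1" | grep -Eq 'query-source(-v6)?[^;]*port[[:space:]]+[0-9]+'; then
        echo "FAIL: query-source pins a fixed port; drop the 'port N' clause (port * or no port clause randomizes)"
        rc=1
    fi
    if ! live_lines "$1" | grep -Eq 'dnssec-enable[[:space:]]+yes'; then
        echo "WARN: dnssec-enable yes is not set"
        rc=1
    fi
    return $rc
}

# grade_porttest "TXT answer"
# Parses the answer string, prints "VERDICT ports=N stddev=S" and returns 0
# only when the verdict is GOOD (or GREAT, assumed to be the service's top
# grade; the post only shows GOOD), more than one source port was seen, and
# the std dev reaches the 10000 figure the post treats as safe.
grade_porttest() {
    verdict=$(printf '%s\n' "$1" | sed -n 's/.* is \([A-Z]*\):.*/\1/p')
    ports=$(printf '%s\n' "$1" | sed -n 's/.*from \([0-9]*\) ports.*/\1/p')
    stddev=$(printf '%s\n' "$1" | sed -n 's/.*std dev \([0-9.]*\).*/\1/p')
    echo "$verdict ports=$ports stddev=$stddev"
    case "$verdict" in GOOD|GREAT) ;; *) return 1 ;; esac
    [ "${ports:-0}" -gt 1 ] || return 1
    # awk handles the floating-point comparison portably
    awk -v s="$stddev" 'BEGIN { if (s + 0 >= 10000) exit 0; exit 1 }'
}

# Stand-alone demo over the constructed samples
tmp=$(mktemp -d)
write_sample_confs "$tmp"
for f in before after; do
    echo "== $f.conf"
    audit_named_conf "$tmp/$f.conf" && echo "OK: no findings"
done
echo "== porttest answers"
grade_porttest "$POOR_ANSWER" || echo "-> still vulnerable; patch and remove the fixed port"
grade_porttest "$GOOD_ANSWER" && echo "-> randomization looks healthy"
rm -rf "$tmp"
```

To use it on a real box, point audit_named_conf at your own named.conf (the chrooted path on CentOS is typically under /var/named/chroot) and feed grade_porttest the quoted TXT string that dig +short prints; the audit only reads the file and never changes it.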
Solution For BIND 9 Vulnerability (DNS Cache Poisoning)
all operating systems that use bind are vulnerable.
fortunately, i use djbdns, and have for about eight years.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
Read this article about cache poisoning
http://www.kb.cert.org/vuls/id/800113
Nafees Ahmed
Cell: +92.300.8653568
UAN: 041-111432432
Nexlinx Faisalabad
www.nexlinx.net.pk
nafees29@gmail.com