Trusted Source? DNS Cache Poisoning
Posted by
Brad Wood
Aug 07, 2008 04:09:00 UTC
So, I assume you've heard the latest buzz about DNS Cache Poisoning and the subsequently released patches. It's rather interesting, and a bit unnerving that the "patch" for now simply makes the exploit harder to pull off-- not impossible. I guess that's basically because the patch simply makes name server requests more randomized. Anything more would require an overhaul to the DNS protocol itself.I won't purport to be a DNS expert because I'm not one. In fact, I don't even run my own DNS server-- I let GoDaddy control the DNS for my domains names and my home PCs simply refer to my ISP's DNS servers for domain name lookups. I hope they are patched up. Actually according to some online tests I ran, they are. Feel free to correct my explanations if I am off.
Apparently the exploit goes something like this: You type in www.google.com in your browser. Your OS checks your hosts file and if nothing is there, it performs a query to your DNS server asking, "What IP address hosts www.google.com?" You might get bounced around the 'Net for a while before you get an answer, but chances are you'll get a cached answer back before you reach a root server or an authoritative name server.
The entire Internet operates on a fairly stateless request/response model. From my understanding, your request for a DNS lookup involves a 16-bit transaction id (65,536 possible combinations) and a source port (once again, 65,536 possible ports, though several hundred are reserved for other services). If a hacker knows that server A is sending a DNS request to server B, they can send their own (malicious) response back from server C. IF the hacker can beat server A's response, AND guess the correct transaction id, AND guess the correct source port, their answer will be used as an authoritative response and cached for everyone down stream. Thus, the "cache is poisoned".
It seems that, a lot of DNS servers tend to use the same port and a predictable transaction id which can make it pretty easy to forge a reply that will be accepted. The payload is you type in www.google.com , but the IP address it resolves to sends you to a malicious server that serves up the evilest web page of doom you can imagine. (I think a boxing glove might actually come out of your computer screen and pummel you.)
The DNS patches being distributed around basically appear to get DNS servers to use uber-random ports and transaction ids which make it incredibly hard to guess and spoof a response. Unless you are a network admin or an ISP and run your own DNS server you don't need to do anything. Of course, you can test your DNS server to ensure its randomness.
Obviously the DNS protocol wasn't designed with security in mind. I assume this was for the same reason people in small towns don't lock their doors. Why would anyone want to break in here? Plug yourself into the Internet, and you might as well be walking down a dark inner-city alley. Haven't patched your DNS servers? Well, now you've got 20 dollar bills hanging out of your pockets. :)
Knobee
DNSSEC is not an "overhaul" as an addition of digital signatures and the validation there-of.
It's not really all that difficult to deploy, but with the combined work required and the lack of interest (because DNS used to be pretty safe, right?), there has not been enough traction.
Maybe now there will be.
Brad Wood
@Knobee: Hopefully this will add some traction. Some things never change until the security threat is knocking at the door. The recent SQL injection attacks are a prime example of that.