Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Patch DNS Servers Faster

kdawson posted about 6 years ago | from the hard-times-coming dept.

Security 145

51mon writes "Austrian CERT used data from one of their authoritative DNS server to measure the rate at which the latest DNS patch (source port randomization) is being rolled out to larger recursive name servers. While about half the traffic (PDF) they receive is now using source port randomization, their data suggest that this is due to ISPs who roll out such fixes immediately. The rate of patching has fallen to disappointingly low levels since. If your ISP isn't patched, perhaps it is time to switch." After details of the DNS vulnerability leaked, researchers |)ruid and HD Moore released attack code; ZDNet's security blog has an analysis.

cancel ×

145 comments

Sorry! There are no comments related to the filter you selected.

Switch DNS Servers, NOT ISPs (5, Insightful)

masdog (794316) | about 6 years ago | (#24335001)

You don't need to switch to a new ISP if they haven't patched yet - just switch to a new DNS server such as OpenDNS.

Re:Switch DNS Servers, NOT ISPs (1)

martin_henry (1032656) | about 6 years ago | (#24335069)

How would one potentially do something like this? Is it a setting inside the modem or router's firmware?

Re:Switch DNS Servers, NOT ISPs (2, Informative)

Jellybob (597204) | about 6 years ago | (#24335137)

It'll either be a setting on your router, or if your directly connected to the modem, you'll need to change it on the network settings on your computer.

Re:Switch DNS Servers, NOT ISPs (5, Informative)

masdog (794316) | about 6 years ago | (#24335205)

You can change this in your DHCP or IP configuration settings on your home router or PC. On my home network, for instance, my DD-WRT router isn't running a DNS server on it, and the DHCP static DNS settings are set for my Server 2008 box and the two OpenDNS resolvers. My Server 2008 box also has its forwarders set to OpenDNS.

That's probably more complicated than it needs to be, but better safe than sorry.

On Windows XP, 2000, and I think Vista, you can tell Windows to ignore the DNS server settings provided by DHCP by going into the IP properties for the connection and hard coding in the IP addresses under Local Area Connection Properties > Internet Protocol Properties > Use the Following DNS Server Addresses.

This can also be done under linux, but I don't know the particular commands for it.

Re:Switch DNS Servers, NOT ISPs (1)

Takumi2501 (728347) | about 6 years ago | (#24335365)

This can also be done under linux, but I don't know the particular commands for it.

I imagine it would vary somewhat between distros, but netconfig (requires root) seems to be pretty much the standard way of doing it.

Re:Switch DNS Servers, NOT ISPs (2, Informative)

gunnk (463227) | about 6 years ago | (#24335611)

In Ubuntu, the network icon in the upper-right corner of your screen will take you to your network settings. You can change the DNS servers there.

I put OpenDNS right in my router configuration so it applies to my whole house. The other big benefit is that I block doubleclick whose ads always seem to make pages so slow to load. You also get some scam and phishing protection.

Re:Switch DNS Servers, NOT ISPs (2, Informative)

DavidSev (1108917) | about 6 years ago | (#24335961)

I have no idea what netconfig is meant to do, but it doesn't exist on my computer. /etc/resolv.conf is the standard way of doing it.

Re:Switch DNS Servers, NOT ISPs (4, Informative)

eln (21727) | about 6 years ago | (#24336523)

resolv.conf will be written over by DHCP unless you set PEERDNS=no in the /etc/sysconfig/network-scripts/ifcfg-ethX file.

Re:Switch DNS Servers, NOT ISPs (1)

znerk (1162519) | about 6 years ago | (#24337613)

resolv.conf will be written over by DHCP unless you set PEERDNS=no in the /etc/sysconfig/network-scripts/ifcfg-ethX file.

... or unless you're using a static address, or removing write access to /etc/resolv.conf (chmod, anyone?)

Re:Switch DNS Servers, NOT ISPs (5, Interesting)

Anonymous Coward | about 6 years ago | (#24335519)

I had been using OpenDNS. I stopped when I realized they were monitoring my traffic. When I go to Google, they were returning their own Google-like page, to which my browser would submit the query, and then redirect me to Google.

I stopped using them after that discovery.

Re:Switch DNS Servers, NOT ISPs (1, Informative)

Anonymous Coward | about 6 years ago | (#24335999)

I had been using OpenDNS. I stopped when I realized they were monitoring my traffic. When I go to Google, they were returning their own Google-like page, to which my browser would submit the query, and then redirect me to Google.

They claim they're doing this for your own good, or for the good of Dell users at least, to stop some Google / Dell conspiracy. Details [opendns.com] .

Wrong url or Viurs. (1)

Krneki (1192201) | about 6 years ago | (#24337035)

If you get your queries redirected you either have a virus or you have mistyped Google.

Re:Wrong url or Viurs. (1)

bigstrat2003 (1058574) | about 6 years ago | (#24337131)

No. OpenDNS does actually do this. You can turn it off by making an account, however. I despise it, but don't know of a better choice, since my ISP pulls the same bullshit, with no option to turn it off.

Re:Switch DNS Servers, NOT ISPs (0)

Anonymous Coward | about 6 years ago | (#24335785)

vi /etc/resolv.conf

Re:Switch DNS Servers, NOT ISPs (0)

Anonymous Coward | about 6 years ago | (#24336929)

That only changes your settings until the next time you DHCP release/renew.

RTFM (0, Funny)

Anonymous Coward | about 6 years ago | (#24335449)

How would one potentially do something like this? Is it a setting inside the modem or router's firmware?

It's a setting found when you RTFM!!. Try Google, in fact I recommend also visiting this site http://www.justfuckinggoogleit.com/ [justfuckinggoogleit.com] . Yes that's a real site, it's safe to visit, and it's very funny although somehow you yourself might not think so.

So yes, for common knowledge that is easily looked up via Google, remember that RTFM stands for READ THE FUCKING MANUAL and Google is a great method of fulfilling "manual". Thank you.

Re:Switch DNS Servers, NOT ISPs (0)

Anonymous Coward | about 6 years ago | (#24335101)

Is it possible to, say, use two or more DNS servers and see if they concur on the address of a host?

Re:Switch DNS Servers, NOT ISPs (0, Redundant)

courteaudotbiz (1191083) | about 6 years ago | (#24335185)

Round robin, forged sites... All this can fool you into thinking you're at the right place...

Re:Switch DNS Servers, NOT ISPs (3, Interesting)

A beautiful mind (821714) | about 6 years ago | (#24335231)

I digress. If an ISP didn't patch yet, it means they are incompetent. When the Debian SSL vulnerability was discovered, I sent two emails out, one to my server hosting company and one to my phone company. The server hosting company replaced their ssl cert within a day, the phone company took 4 months, meanwhile their online user gateway was open to sniffing.

I ditched the phone company when my email didn't get a reply in a week.

Re:Switch DNS Servers, NOT ISPs (0, Offtopic)

Anonymous Coward | about 6 years ago | (#24335491)

I digress.

That word is not just some fancy spelling of "disagree." To digress means you're going off-topic.

Re:Switch DNS Servers, NOT ISPs (1)

A beautiful mind (821714) | about 6 years ago | (#24335565)

Yeah, I should have previewed. My english is still more cromulant than some people's though ;-)

Re:Switch DNS Servers, NOT ISPs (1)

Darkk (1296127) | about 6 years ago | (#24337123)

Problem with certs and anything that impacts their servers aren't quick to apply the patch no matter how critical it is. The patches have to be tested, re-tested and tested again to be sure it won't have a adverse impact on their service to the customers.

Some are quick to apply the patches in a day while others will take weeks or even months depending on the size of their infrastructure and size of the staff to test the patches.

Switching phone companies is your choice but I think they wanted to make sure the patch would work normally for most of their customers. There is no such thing is 100% reliability of anything, it doesn't exist.

Re:Switch DNS Servers, NOT ISPs (1)

A beautiful mind (821714) | about 6 years ago | (#24337219)

It was an ssl cert, not a patch they had to exchange. Their ssl cert was compromised for months. Unacceptable.

Re:Switch DNS Servers, NOT ISPs (1)

Chatterton (228704) | about 6 years ago | (#24337729)

And their ssl certificates are used between computers that need to communicate each others. If one doesn't get the update that the other has changed of certificate you can go in the wall. And If you have hundred, thousands of such computers that need to talk to each other, you can imagine the nightmare.

DNS became slower (2, Interesting)

sucker_muts (776572) | about 6 years ago | (#24335329)

Here in Belgium, I use Scarlet as my ISP.

It seems that dns queries have become much slower. With opera I can see what urls are being requested (main page, images/flash or ads).I can see that for every new page the first thing opera does is doing the dns queries for all the urls. And this has become very slow from time to time.

I've read somewhere that the randomization really slows down bind, but that the team is working on a patch to solve that.
(I also don't understand why opera need to execute dns queries every time I click a link, why can't opera have a tiny cache for the ip addresses? They don't chance that often, do they? I'm not very paranoid about the security implication, either.)

Re:DNS became slower (2, Interesting)

Lennie (16154) | about 6 years ago | (#24336051)

If it has become slower, they are probably using bind9, because it's quick fix. After they've known for 6 months, all they could release was a quick fix. Even though the author/organsation that created/maintainces bind knew about possible problems somewhere in the preview century. I'm sorry, but I've stopped using their software as much as possible.

Re:Switch DNS Servers, NOT ISPs (1)

Atari400 (1174925) | about 6 years ago | (#24335379)

You might want to investigate https://www.opendns.com/start [opendns.com] for what you actually need to do. I use OpenDNS when I am not running in 'tor' mode.

Re:Switch DNS Servers, NOT ISPs (5, Interesting)

Woy (606550) | about 6 years ago | (#24335731)

I used OpenDNS and gave it up because it replaced firefox's feature to search google with what you type on the address bar with its own crappy search.

Re:Switch DNS Servers, NOT ISPs (0)

Anonymous Coward | about 6 years ago | (#24336021)

There is now a way to shut off this feature. You can once again search from firefox's address bar using google.

Re:Switch DNS Servers, NOT ISPs (1)

nabsltd (1313397) | about 6 years ago | (#24336145)

You can fix this by changing the setting for keyword.URL [mozillazine.org] in about:config back to a Google search.

Error 404: Page not found. (0, Redundant)

Krneki (1192201) | about 6 years ago | (#24337083)

"404 error: File not found" is more useful then the OpenDNS search result page?

Re:Error 404: Page not found. (2, Informative)

deraj123 (1225722) | about 6 years ago | (#24338885)

First, it's not a 404. A 404 is a http server response that says I don't have the resource you're requesting.

OpenDNS however, hijacks the DNS protocol when you attempt to lookup the address for a server. And so yes, a dns response that says that no addresses are found is more useful than a fake address that, if you connect using http, will provide an html response with search results on it. Note that this breaks any other use of DNS where you now connect to the server and get garbage rather than simply being told that the server address doesn't map to an IP address. If I wanted to do a search, I would do a search.

That being said, you can turn off all of the "enhancement" options in OpenDNS, and it works great as a DNS server.

Re:Error 404: Page not found. (2, Informative)

drinkypoo (153816) | about 6 years ago | (#24339097)

"404 error: File not found" is more useful then the OpenDNS search result page?

Yes, yes it is. Because many, many things depend on getting a proper 404 error, like all those http-download automatic updates for example.

Of course, it's not the 404 error that's missing. It's a name resolution failure. This is also very important. You need to know when a domain has gone missing, and it needs to be available in an automated fashion. The proper, per-specification behavior is to return NXDOMAIN when there is no domain found, not to return a bullshit, erroneous result.

This WOULD be LESS offensive if all internet traffic were HTTP, but it is not. If you make a request to a time server and the FQDN doesn't resolve, you're not supposed to get the address to your ISP's webserver instead. So even if they serve a 404 error with their search content which would satisfy web clients, they'd still be hosing every other application on the internet.

So, are you trolling, or just utterly unqualified to have this conversation

Re:Switch DNS Servers, NOT ISPs (5, Informative)

Ciarang (967337) | about 6 years ago | (#24335773)

It always surprises me how much love there seems to be for OpenDNS on /.

A DNS server returns you a result, or tells you that it can't resolve the domain. Instead of doing the latter, OpenDNS redirects you somewhere you didn't intend to go and attempts to hit you with some advertising. That seems more like typosquatting to me, although admittedly it's with your permission.

Re:Switch DNS Servers, NOT ISPs (1)

masdog (794316) | about 6 years ago | (#24335839)

And how is that different than what your ISP does on a daily basis?

Re:Switch DNS Servers, NOT ISPs (2, Insightful)

Ciarang (967337) | about 6 years ago | (#24336161)

It's completely different, otherwise they wouldn't be my ISP.

Re:Switch DNS Servers, NOT ISPs (1)

thePowerOfGrayskull (905905) | about 6 years ago | (#24336383)

My ISP returns the appropriate result indicating host not found, when host is not found...

OpenDNS is not the best answer (2, Insightful)

rfunk (765049) | about 6 years ago | (#24335899)

OpenDNS returns their own search page for bad lookups, rather than NXDOMAIN, breaking various things. They also send queries for www.google.com to their own server. (I wrote about this recently.) [livejournal.com]

Re:OpenDNS is not the best answer (1)

appelsap (845571) | about 6 years ago | (#24337449)

Only since recently, but it's now possible to completely disable all of OpenDNS' bad behaviour. (You have to register, create a network, go to advanced settings, and disable the proxy/shortcuts/typo correction settings). The google proxy 'feature' has been invisible and impossible to turn off for over a year though, pretty nasty behaviour since only a very small part of their users would actually need it.

Re:Switch DNS Servers, NOT ISPs (1)

ACMENEWSLLC (940904) | about 6 years ago | (#24337163)

>>You don't need to switch to a new ISP if they haven't patched yet - just switch to a new DNS server such as OpenDNS.

Is this really true?

From what I gather this doesn't solve the problem, just makes it a little more difficult. Correct me if my understanding is wrong.

Your router still uses default of 53 -> OpenDns -> public on random port.

UDP

You still listen on 53, so the hacker can spoof the response as though it's from OpenDNS's two IP's and send that straight to your router on port 53.

Am I wrong?

Re:Switch DNS Servers, NOT ISPs (1)

hesaigo999ca (786966) | about 6 years ago | (#24338233)

The problem with this is that not only are they going to be backlogged, they may not be close enough to avoid a lot of hopping around. So yes it is a temp fix, but not a good one...the best would be to patch them immediately

Re:Switch DNS Servers, NOT ISPs (2, Informative)

maztuhblastah (745586) | about 6 years ago | (#24338521)

You don't need to switch to a new ISP if they haven't patched yet - just switch to a new DNS server such as OpenDNS.

Please don't do that.

I don't think OpenDNS is a terribly good idea, and here's why:

They actively screw with the records and return incorrect information. Now you can argue that they do it for "OK" reasons, and indeed, OpenDNS does exactly this in their marketing materials, but the fact remains: they answer some queries with information that is in conflict with the authoritative nameservers.

Personally, I don't trust any DNS provider that does this, and I don't think it's a good idea for anyone to do so.

Use 4.2.2.1 - 4.2.2.6. They're fast, free, don't mess with records (such as altering NXDOMAIN), and are anycast to local servers, so response times are minimal.

Am I safe? (1, Insightful)

Anonymous Coward | about 6 years ago | (#24335057)

How can I know if my ISP has patched its DNS servers?

Re:Am I safe? (0, Offtopic)

martin_henry (1032656) | about 6 years ago | (#24335099)

Does your ISP end in ...omcast? then it probably hasn't

Re:Am I safe? (5, Informative)

masdog (794316) | about 6 years ago | (#24335251)

Re:Am I safe? (1, Insightful)

Anonymous Coward | about 6 years ago | (#24335951)

Thanks!!!! My DNS is safe. I know this to be true cause I used your dns checker....

Re:Am I safe? (0)

Anonymous Coward | about 6 years ago | (#24336105)

I just found out the DNS server my company uses isn't patched. I'm not an administrator on my machine, so it appears I'm SOL.

Re:Am I safe? (1)

Briden (1003105) | about 6 years ago | (#24337229)

I tested myself.. not safe. My home router is a linksys. but linksys isn't listed in the vendors. hmm, i guess that means they simply haven't patched it yet? doesn't cisco own linksys? maybe i should talk to cisco.

Re:Am I safe? (2, Informative)

MankyD (567984) | about 6 years ago | (#24335291)

http://www.doxpara.com/ [doxpara.com] They have a dns checker on the right hand side. This is linked from the original /. article on this topic.

Re:Am I safe? (1, Informative)

Anonymous Coward | about 6 years ago | (#24335307)

Re:Am I safe? (3, Informative)

Nos. (179609) | about 6 years ago | (#24335421)

There's a couple issues with the one Dan created. First, its slashdotted. Secondly, some ISPs don't allow querying from just anywhere, only from its own customers (IPs). Here's a test you can run from any machine with dig on it:
https://www.dns-oarc.net/oarc/services/porttest [dns-oarc.net]

Re:Am I safe? (4, Informative)

Lennie (16154) | about 6 years ago | (#24335569)

dig +short porttest.dns-oarc.net TXT

Re:Am I safe? (0)

Anonymous Coward | about 6 years ago | (#24336899)

OK, so what do I do with the output? It didn't say "you (are|are not) safe".

Re:Am I safe? (1)

lukas84 (912874) | about 6 years ago | (#24339055)

Rerun the query until you get results.

Monopoly (5, Insightful)

Anonymous Coward | about 6 years ago | (#24335095)

If your ISP isn't patched, perhaps it is time to switch.

My ISP has a monopoly over internet services in my area you insensitive clod.

Re:Monopoly (2, Funny)

martin_henry (1032656) | about 6 years ago | (#24335121)

Clearly your only option is to just unplug & turn in your geek card. Sorry.

Re:Monopoly (1)

geminidomino (614729) | about 6 years ago | (#24336943)

Run your own then.

It must suck to be gnu.org! (1, Funny)

Anonymous Coward | about 6 years ago | (#24335103)

Fortunately my domain name is not recursive therefore I am safe.

Re:It must suck to be gnu.org! (1)

totally bogus dude (1040246) | about 6 years ago | (#24337095)

Hey, that actually was pretty funny. Well done!

Don't we? (1)

courteaudotbiz (1191083) | about 6 years ago | (#24335139)

Don't we already all have our own patched DNS servers at home?

Re:Don't we? (1)

Lennie (16154) | about 6 years ago | (#24335603)

Don't trust them if yours is behind a simple DSL-router with NAT. The NAT may defeat any randomisation you might have.

how do I check? (-1, Redundant)

Anonymous Coward | about 6 years ago | (#24335153)

Is there a way for me to check if my isp patched?

Re:how do I check? (2, Informative)

A beautiful mind (821714) | about 6 years ago | (#24335277)

Click here. [doxpara.com]

Re:how do I check? (2, Informative)

masdog (794316) | about 6 years ago | (#24335293)

Re:how do I check? (1)

ChienAndalu (1293930) | about 6 years ago | (#24335801)

You should probably use http://66.240.226.139 [66.240.226.139] if you're not sure.
... or should you?

Re:how do I check? (1)

ChienAndalu (1293930) | about 6 years ago | (#24335919)

damn, it's www.doxpara.com, and it resolves to 157.22.245.20. But I can't directly access it with that IP address.

Re:how do I check? (1)

Lennie (16154) | about 6 years ago | (#24336097)

Easiest is to temporarily put it in /etc/hosts.

time to switch? (3, Insightful)

Dunbal (464142) | about 6 years ago | (#24335309)

If your ISP isn't patched, perhaps it is time to switch.

      Thanks to the "free market economy" in my capitalist country I can't switch, you insensitive clod!

Re:time to switch? (1)

courteaudotbiz (1191083) | about 6 years ago | (#24335763)

At first, you were probably free to choose between a 1 year contract for x$ per month, and no contract for x$+10$ per month. Yes, it's capitalist, but you were free at first, and you have told yourself "nah, I'm not gonna pay 120$ more for the year just in case I'd like to change ISP..."

Re:time to switch? (1)

Shados (741919) | about 6 years ago | (#24336585)

No. For many people its more a choice between "Evil ISP XYZ, and Pigeon over IP and/or dial up".

That said, my ISP enrolled me in a "contract" without ever once mentionning it. (It -is- optional, and I never said I wanted it when I subscribed, and I didn't sign anything, but my bill states that I picked the contract option). Kind of amusing.

I'm not saying anything now because it is cheaper, I don't care even if I -was- on contract, and they wouldn't last very long in court if I ever changed my mind, but...

AT&T Southeast way behind the curve (3, Interesting)

BDaniels (13031) | about 6 years ago | (#24335331)

We use AT&T (formerly Bellsouth) and their servers are not fixed according to the 'dig +short porttest.dns-oarc.net TXT' test.
I contacted their NOC about the problem yesterday and got the following reply:

"Patching for these servers are scheduled to begin next week."

So, major vulnerability, two weeks advance notice, exploit code released - we'll get around to it later.

Re:AT&T Southeast way behind the curve (1)

MadMidnightBomber (894759) | about 6 years ago | (#24337881)

"Patching for these servers are scheduled to begin next week."

Or immediately after att.com starts resolving to the IP of goatse.cx ?

Time to switch? (1)

Taibhsear (1286214) | about 6 years ago | (#24335429)

If your ISP isn't patched, perhaps it is time to switch.

To whom, exactly?
Sincerely,
A US ISP customer.

Re:Time to switch? (1)

Nos. (179609) | about 6 years ago | (#24335457)

Luckily, you can just switch your DNS servers to something like OpenDNS.

Randomization is not always needed (0)

Anonymous Coward | about 6 years ago | (#24335489)

Note that some DNS servers do not trust DNS glue in such a way that they need source port randomization for recursive lookups.

I know of at least one DNS server implementation that only trusts glue from root server responses and only the first delegation, and only for domains specifically and exactly queried for.

ISP DNS (1, Insightful)

spottedkangaroo (451692) | about 6 years ago | (#24335583)

Who uses their ISPs DNS servers? Most people probably. Well, I don't trust them. My friends and I run a recursing nameserver that we access over a VPN link.

ISPs just aren't trustworthy.

Oops. (5, Funny)

Chameleon Man (1304729) | about 6 years ago | (#24335679)

I tried to RTFA, but upon clicking the link I was directed to a porn site.

Confused... (0)

Anonymous Coward | about 6 years ago | (#24336629)

and, how is this a problem?

Re:Confused... (1)

janrinok (846318) | about 6 years ago | (#24336977)

Oh, it's not a problem, he just thought that you might want to switch to his DNS so that you can also enjoy the benefits of the intertube thingy.

Re:Oops. (1)

otmar (32000) | about 6 years ago | (#24338107)

For once, I can check how many people have really RTFA (or at least fetched the .pdf). :-)

I really didn't expect we'd make slashdot with that report. Well, any exposure help to get people to patch.

Re:Oops. (0)

Anonymous Coward | about 6 years ago | (#24338123)

I tried to RTFA

you must be new here.

me? i've been here since the day the site went up.

Easier Said Than Done (5, Interesting)

foo fighter (151863) | about 6 years ago | (#24335715)

These kind of systems are really hard for security guys to get changed.

It's like updating switch and routing firmware. Most network engineers who know what they're doing and that have been around for awhile have been burned by "simple" or "easy" patches and config changes going tits up.

When your core network infrastructure goes tits up your phone tends to light up like a christmas tree. (Granted, when your web presence is redirected to porn or a copy that hides an iframe exploiting customers with unpatched browsers, well, you'll maybe get some phone calls.)

This DNS patch is a case-in-point: Microsoft's fix is rather ham-fisted and broke stuff; the BIND-Users list is full of people troubleshooting ISC's patch.

Also, many organizations (like mine) are taking this as an opportunity to reengineer their DNS architecture. This is the perfect time to reevaluate using TSIG and DNSSEC if you don't already.

It has only been just over two weeks since the initial "announcement". The progress so far is really amazing when you consider how big a ship the Internet is.

Re:Easier Said Than Done (2, Informative)

Lennie (16154) | about 6 years ago | (#24336175)

It's a perfect time to start using PowerDNS, djbdns or Unbound/NSD as well. :-)

Re:Easier Said Than Done (2, Funny)

prandal (87280) | about 6 years ago | (#24337259)

When your core network infrastructure goes tits up your phone tends to light up like a christmas tree.

Not if it is an IP phone!

Rediculious requirements (4, Insightful)

Coolhand2120 (1001761) | about 6 years ago | (#24335833)

Maybe if the patch didn't require that open up all incoming and outgoing UDP ports [securitytracker.com] on the DNS interface I could implement it faster. Seeing how most people use firewalls it makes it really quite a bit more difficult than just "apply the patch".

NOTE WELL: This update causes BIND to choose a new, random UDP port for each new query; this may cause problems for some network configurations, particularly if firewall(s) block incoming UDP packets on particular ports.

I'll get this patch applied as soon as I reconfigure my entire network topology.

Re:Rediculious requirements (4, Informative)

billcopc (196330) | about 6 years ago | (#24336149)

You can restrict it to a port range... even giving it access to 2048 ports gives you 2^11 randomness, which is still better than 2^0.

The issue I'm facing, which I find terribly frustrating, is in upgrading older distros. I'm now looking at completely reinstalling a bunch of older BSD servers just to get this idiotic vulnerability resolved, because the maintainers aren't backporting the patch and upgrading BIND itself would be a royal pain. Given how DNS servers tend to run unattended for eons, I suspect this near-sightedness is respnosible to a large degree for the slow patching. It's not that I don't want to patch my servers, it's that I now have to waste a day at the colo doing physical reinstalls. If it weren't for that hitch, I'd be done already!

Re:Rediculious requirements (1)

JustShootThemAll (1284898) | about 6 years ago | (#24336661)

1. rsync your colo'd server os partition to your in-house test server;
2. patch your test server;
3. rsync your test server to your colo'd server.
4. profit? ;-)

As your in-house test server should be more-or-less the same as your deployed server the rsync's should take too long.

Beats babysitting your server in a cold and dark datacenter.

Re:Rediculious requirements (1)

Fweeky (41046) | about 6 years ago | (#24338549)

I'm now looking at completely reinstalling a bunch of older BSD servers just to get this idiotic vulnerability resolved, because the maintainers aren't backporting the patch and upgrading BIND itself would be a royal pain

I recently upgraded a bunch of FreeBSD boxes I didn't want to rebuild world on:

portinstall dns/bind95 && (cat >>/etc/rc.conf <<EOC
named_program="/usr/local/sbin/named"
named_flags="/etc/namedb/named.conf"
EOC
) && /etc/rc.d/named restart

You can configure the port to replace the base bind too, but this is easier to roll back in event of problems. Presumably the situations similar for the other BSD's.

Re:Rediculious requirements (1)

Fweeky (41046) | about 6 years ago | (#24338597)

Er, that's named_flags="-c /etc/namedb/named.conf", of course.

Re:Rediculious requirements (0)

Anonymous Coward | about 6 years ago | (#24336347)

Don't forget that you cannot NAT it either, except for 1:1 NAT where the NAT box doesn't screw up with the source port, OR if your NAT box has a security-minded source-port randomization feature (in which case you don't even need to patch BIND).

Not really (1)

widman (1107617) | about 6 years ago | (#24336475)

Your firewall should keep state of outgoing UDP or TCP connections. And AFAIK BIND and others don't pick a fixed source port, the problem is they reuse it.

It's one single change on the firewalls, nobody needs to "reconfigure [their] entire network." And should be easier if as most large organizations the DNS servers are on a DMZ.

Re:Rediculious requirements (4, Funny)

molo (94384) | about 6 years ago | (#24336489)

Maybe if the patch didn't require that open up all incoming and outgoing UDP ports [securitytracker.com] on the DNS interface I could implement it faster.

That is not the case at all. First off, on outbound requests, the destination port is still 53. The _source_ port is what gets randomized. On inbound replies to the randomized port, your stateful firewall will see this as an ESTABLISHED connection and you can safely let it in without blindly opening up the entire UDP port space.

You _are_ running a stateful firewall, right? Its not 1998 anymore.

-molo

Re:Rediculious requirements (1)

felipekk (1007591) | about 6 years ago | (#24337581)

Plus, the ip address of your parent DNS server should not change constantly. Creating a rule to allow connections from any port on your side, to [ns ip address]:53 is not that hard or insecure.

It's not like they are asking you to add 2500 to NAT and allow connections from any address...

Re:Rediculious requirements (1)

Alain Williams (2972) | about 6 years ago | (#24337609)

It would not hurt if NATting firewalls randomised all the outgoing ports, not just for DNS but everything else as well; there are prob other protocols that have similar weaknesses.

Re:Rediculious requirements (1)

lukas84 (912874) | about 6 years ago | (#24339137)

The SonicWALL Appliances we use do exactly that - unless you choose the option "Enable consistent NAT" (which can be necessary to run certain apps).

I'd guess that iptables and pf offer the same functionality.

Well then... (1)

pathological liar (659969) | about 6 years ago | (#24339141)

... now might be the time to look into stateful firewalls, huh?

Well, okay, 'stateful', most modern firewalls should be able to fake a stateful connection for UDP.

Another exploit has been released (0)

Anonymous Coward | about 6 years ago | (#24336659)

In addition to the metasploit module published yesterday, another exploit has just been posted to dailydave [gmane.org] ...

openDNS Makes Bank (0)

Anonymous Coward | about 6 years ago | (#24337577)

It's odd how much traffic is being sent to openDNS now. Only one source for ips sounds like a very bad idea. It's only a matter of time before folks find flaws in openDNS.

running your own resolver (1)

madbavarian (1316065) | about 6 years ago | (#24339383)

I'm surprised that more folks here aren't running their own resolvers. It isn't that hard, especially if you don't need to act as an authoritative server for serving your own domains and just need a recursive resolver. One nice hack you can configure if you run your own resolver is dnssec - cryptographically secured dns lookup. While there aren't many dns zones that are cryptographically signed yet, there are a little over 10,000 (see http://secspider.cs.ucla.edu/ [ucla.edu] ). That is a start. Unless people start using dnssec and demanding that their websites be in secured dns zones, companies won't be bother to do the work needed to configure their dns zones with dnssec. A pdf with simple instructions for setting up dnssec can be found here. I set up my domains and resolvers this way, and it only took an afternoon to get acquainted enough with the concepts to bumble through the instructions. I've been running it for a few days now and it seems to be working just fine. http://www.isc.org/sw/bind/docs/DNSSEC_in_6_minutes.pdf [isc.org]
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>