DNS Cache poisoning - how to protect myself?

viktor_smk (Member), Feb 18, 2008
Hello!

I recently found out that my server appears vulnerable to DNS cache poisoning. I've read the posts in the forum about that issue, but I couldn't find an exact fix.

I have the most recent versions of BIND:

# rpm -qa | grep ^bind
bind-libs-9.3.4-6.0.2.P1.el5_2
bind-9.3.4-6.0.2.P1.el5_2
bind-devel-9.3.4-6.0.2.P1.el5_2
bind-utils-9.3.4-6.0.2.P1.el5_2


When I try
# yum update bind
it comes out:
No Packages marked for Update

What can I do to fix the vulnerability?

Thanks a lot for the answers!
 

Vinayak (Well-Known Member, Bharat, cPanel Access Level: Root Administrator), Jun 27, 2003

Is your DNS open for all to query, even for domains not hosted with you? You can fix this issue by tweaking your named.conf, located in /etc.

Compare your named.conf entries with the ones given below:

Code:
include "/etc/rndc.key";

controls {
        inet 127.0.0.1 allow { localhost; } keys { "rndckey"; };
};

// Default named.conf generated by install of bind-9.2.4-24.EL4
options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        version "This is a Secure DNS Server";

        allow-transfer {
                127.0.0.1;
                your.first.ip;
                your.second.ip;
                your.third.ip;
        };

        allow-recursion {
                127.0.0.1;
                your.first.ip;
                your.second.ip;
                your.third.ip;
        };
};
Here, by specifying the line:

version "This is a Secure DNS Server";

you are not disclosing the DNS application name.

And by specifying:

allow-transfer {
        127.0.0.1;
        your.first.ip;
        your.second.ip;
        your.third.ip;
};

you are restricting transfers only to your own server.

And by specifying:

allow-recursion {
        127.0.0.1;
        your.first.ip;
        your.second.ip;
        your.third.ip;
};

you are restricting recursion only to your own server.

Hope this will help you.
 

viktor_smk (Member), Feb 18, 2008
Thanks, Vinsar!

I compared the configuration; it doesn't seem to differ that much. Here is my configuration:

Code:
acl "abusers" {
        212.72.210.131;
};

acl "trusted-nameservers" {
        localhost;
        195.145.63.120;
        216.75.158.130;
};

acl "live-sites" {
        213.226.56.240;
};


key "rndc-key" {
        algorithm hmac-md5;
        secret "qSTHkfjemt1Bu77fWw4p/A==";
};
controls {
        inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};

acl "my-nameservers" {
        localhost;
        195.145.63.120;
        216.75.158.130;
};

server 194.145.63.120 {
        transfer-format many-answers;
        keys { prim-sec1 ; };
};

options {
        directory "/etc/namedb";
        allow-transfer { trusted-nameservers; };

        allow-recursion { 127.0.0.1; 195.145.63.120; 216.75.158.130; };
        blackhole { abusers; };
        version "Guess what? no luck dude!";
};

logging {
        channel security { file "/var/log/sec-query.log"; print-time yes; };
        channel querylog { file "/var/log/bind9-query.log"; print-time yes; };
        category queries { querylog; };
        category lame-servers { null; };
        category security { security; };
};
... and below are the zones.
195.145.63.120 is the IP of the server, and 216.75.158.130 is the IP of the master DNS (195.145.63.120 works as a slave server).

Is there anything wrong in the configuration?

Thanks again!
 

viktor_smk (Member), Feb 18, 2008
I've tested with the test tool on dnsstuff.com and it says:

The DNS server at IP address 195.145.63.120 is susceptible to a DNS cache poisoning attack. The server is not changing its source port, query id, or both, between queries.
Based on the results, the DNS server is vulnerable if the IPs AND the source ports match, or the query IDs match. Matching query source ports or query IDs make it easier to spoof fake results to the DNS server, poisoning its cache.

With other servers the query source ports do not match. How can I set up my named so that the source ports do not match?

Thanks in advance!
 

Vinayak (Well-Known Member, Bharat, cPanel Access Level: Root Administrator), Jun 27, 2003

viktor_smk (Member), Feb 18, 2008
Thank you again!

I've tried that, but no success. :(

I just want the source ports of the queries to be different. I've set `query-source port *;` in the options section, but no success again...

What more can I try?

Thanks a lot again!
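The settings discussed in this thread (a pinned query-source port that defeats source-port randomisation, open recursion, open zone transfers, an exposed version string) can be checked mechanically. The following is an added example, not code from the thread or from BIND; it is a deliberately simple regex pass over the `options { ... }` block of a named.conf, run here on two constructed sample configs, a weak one and a hardened one.

```python
import re

# Matches "query-source [address X] port N;" and captures the port.
PINNED_PORT = re.compile(
    r'query-source(?:-v6)?\s+(?:address\s+\S+\s+)?port\s+(\S+?)\s*;')

def options_block(conf: str) -> str:
    """Return the body of the top-level options { ... } block (or '')."""
    m = re.search(r'\boptions\s*\{', conf)
    if not m:
        return ''
    depth, i = 1, m.end()
    while i < len(conf) and depth:          # brace matching; quoted braces not handled
        depth += {'{': 1, '}': -1}.get(conf[i], 0)
        i += 1
    return conf[m.end():i - 1]

def statement(body: str, name: str):
    """Value of 'name { ... };' or 'name "...";' inside the options body, else None."""
    m = re.search(r'\b' + re.escape(name) + r'\s+(\{[^}]*\}|"[^"]*")\s*;', body)
    return m.group(1) if m else None

def audit(conf: str) -> list:
    """Return a list of findings; an empty list means none of the checks fired."""
    body = options_block(conf)
    findings = []
    # A fixed outbound port (anything but *) removes the source-port entropy
    # that the dnsstuff test above is looking for.
    for port in PINNED_PORT.findall(body):
        if port != '*':
            findings.append(f'query-source port pinned to {port}; use "port *"')
    rec = statement(body, 'allow-recursion')
    if rec is None or re.search(r'\bany\b', rec):
        findings.append('recursion open to the world; restrict allow-recursion')
    xfr = statement(body, 'allow-transfer')
    if xfr is None or re.search(r'\bany\b', xfr):
        findings.append('allow-transfer missing or "any"; restrict to secondaries')
    if statement(body, 'version') is None:
        findings.append('version string not overridden; BIND version is exposed')
    return findings

# Constructed samples (not from the thread): a weak block and a hardened one.
WEAK = 'options {\n  directory "/var/named";\n  query-source address * port 53;\n' \
       '  allow-recursion { any; };\n};\n'
HARDENED = 'options {\n  directory "/var/named";\n  version "none of your business";\n' \
           '  query-source address * port *;\n  allow-transfer { 127.0.0.1; 195.145.63.120; };\n' \
           '  allow-recursion { 127.0.0.1; 195.145.63.120; 216.75.158.130; };\n};\n'

if __name__ == '__main__':
    for name, conf in (('weak', WEAK), ('hardened', HARDENED)):
        print(name, audit(conf) or 'no findings')
```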
 

viktor_smk (Member), Feb 18, 2008
I just reinstalled BIND with the new patched version and the problem was solved. Thanks for the help! :)