DNS Cache poisoning - how to protect myself?

[viktor_smk]

Hello!

I recently found out that my server appears vulnerable to DNS Cache Poisoning. I've read the posts in the forum about that issue, but I couldn't find exact fix.

I have the most recent versions of bind:

# rpm -qa | grep ^bind
bind-libs-9.3.4-6.0.2.P1.el5_2
bind-9.3.4-6.0.2.P1.el5_2
bind-devel-9.3.4-6.0.2.P1.el5_2
bind-utils-9.3.4-6.0.2.P1.el5_2

When I try
# yum update bind
it comes out:
No Packages marked for Update

What can I do to fix the vulnerability?

Thanks a lot for the answers!

 

[Vinayak]

Is your DNS open for all to query even for domain not hosted with you, so you can fix these issue by tweaking your named .conf located at /etc

Compare your named.conf entries with the below given:

include "/etc/rndc.key";

controls {
inet 127.0.0.1 allow { localhost; } keys { "rndckey"; };
};

// Default named.conf generated by install of bind-9.2.4-24.EL4
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
version "This is a Secure DNS Server";

allow-transfer {
127.0.0.1;
your.first.ip;
your.second.ip;
your.third.ip;
};

allow-recursion {
127.0.0.1;
your.first.ip;
your.second.ip;
your.third.ip;
};
};

Here by specifying the line:
version "This is a Secure DNS Server";
You are not disclosing the DNS application name.

And by specifying
allow-transfer {
127.0.0.1;
your.first.ip;
your.second.ip;
your.third.ip;
};

You are restricting transfer only to your own server,

And by specifying
allow-recursion {
127.0.0.1;
your.first.ip;
your.second.ip;
your.third.ip;
};

You are restricting recursion only to your own server.

Hope this will help you.

 

[viktor_smk]

Thanks, Vinsar!

I compared the configuration, it doesn't seam to differ as much. Here is my configuration:

acl "abusers" {
        212.72.210.131;
};

acl "trusted-nameservers" {
        localhost;
        195.145.63.120;
        216.75.158.130;
};

acl "live-sites" {
        213.226.56.240;
};


key "rndc-key" {
        algorithm hmac-md5;
        secret "qSTHkfjemt1Bu77fWw4p/A==";
};
controls {
        inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};

acl "my-nameservers" {
        localhost;
        195.145.63.120;
        216.75.158.130;
};

server 194.145.63.120 {
        transfer-format many-answers;
        keys { prim-sec1 ; };
};

options {
        directory "/etc/namedb";
        allow-transfer { trusted-nameservers; };

        allow-recursion { 127.0.0.1; 195.145.63.120; 216.75.158.130; };
        blackhole { abusers; };
        version "Guess what? no luck dude!";
};

logging {
        channel security { file "/var/log/sec-query.log"; print-time yes; };
        channel querylog { file "/var/log/bind9-query.log"; print-time yes; };
        category queries { querylog; };
        category lame-servers { null; };
        category security { security; };
};

... and below are the zones.
195.145.63.120 is the IP of the server, and 216.75.158.130 is the IP of the master DNS (195.145.63.120 works as a slave server).

Is there anything wrong in the configuration?

Thanks again!

 

[viktor_smk]

I've tested with the test tool on dnsstuff.com and is says:

The DNS server at IP address 195.145.63.120 is susceptible to a DNS cache poisoning attack. The server is not changing its source port, query id, or both, between queries.
Based on the results, the DNS server is vulnerable if the IPs AND the source ports match, or the query IDs match. Matching query source ports or query IDs make it easier to spoof fake results to the DNS server, poisoning its cache.

With other servers the query souce ports do not match. How can I set my named that the source ports not match?

Thanks in advance!

 

[Vinayak]

Hopefully you must have seen this http://www.webhostgear.com/321.html

Additionally to that, your /etc/host.conf should look like this:

order hosts,bind
nospoof on

Some some where had also suggested it to be as:

order hosts,bind
multi on
nospoof on

Though I have not checked with multi on.

 

[viktor_smk]

Thank you again!

I've tried that, but no success

I just want the source ports of the queries to be different. I've set query-source port *; in the options section, but no success again ...

What more can I try?

Thanks a lot again!

 

[viktor_smk]

I just reinstalled BIND with the new patched version and the problem was solved. Thanks for the help!