
DNS Cache poisoning - how to protect myself?

Discussion in 'Security' started by viktor_smk, Jul 16, 2008.

  1. viktor_smk

    Hello!

    I recently found out that my server appears vulnerable to DNS Cache Poisoning. I've read the posts in the forum about that issue, but I couldn't find an exact fix.

    I have the most recent versions of bind:

    # rpm -qa | grep ^bind
    bind-libs-9.3.4-6.0.2.P1.el5_2
    bind-9.3.4-6.0.2.P1.el5_2
    bind-devel-9.3.4-6.0.2.P1.el5_2
    bind-utils-9.3.4-6.0.2.P1.el5_2


    When I try
    # yum update bind
    it comes out:
    No Packages marked for Update

    What can I do to fix the vulnerability?

    Thanks a lot for the answers!
     
  2. Vinayak

    Is your DNS open for all to query, even for domains not hosted with you? If so, you can fix this issue by tweaking your named.conf located at /etc.

    Compare your named.conf entries with the below given:

    Here by specifying the line:
    version "This is a Secure DNS Server";
    You are not disclosing the DNS application name.

    And by specifying
    allow-transfer {
    127.0.0.1;
    your.first.ip;
    your.second.ip;
    your.third.ip;
    };


    You are restricting transfers only to your own servers.

    And by specifying
    allow-recursion {
    127.0.0.1;
    your.first.ip;
    your.second.ip;
    your.third.ip;
    };


    You are restricting recursion only to your own server.

    Hope this will help you.
     
  3. viktor_smk

    Thanks, Vinsar!

    I compared the configuration; it doesn't seem to differ much. Here is my configuration:

    Code:
    acl "abusers" {
            212.72.210.131;
    };
    
    acl "trusted-nameservers" {
            localhost;
            195.145.63.120;
            216.75.158.130;
    };
    
    acl "live-sites" {
            213.226.56.240;
    };
    
    
    key "rndc-key" {
            algorithm hmac-md5;
            secret "qSTHkfjemt1Bu77fWw4p/A==";
    };
    controls {
            inet 127.0.0.1 port 953
            allow { 127.0.0.1; } keys { "rndc-key"; };
    };
    
    acl "my-nameservers" {
            localhost;
            195.145.63.120;
            216.75.158.130;
    };
    
    server 194.145.63.120 {
            transfer-format many-answers;
            keys { prim-sec1 ; };
    };
    
    options {
            directory "/etc/namedb";
            allow-transfer { trusted-nameservers; };
    
            allow-recursion { 127.0.0.1; 195.145.63.120; 216.75.158.130; };
            blackhole { abusers; };
            version "Guess what? no luck dude!";
    };
    
    logging {
            channel security { file "/var/log/sec-query.log"; print-time yes; };
            channel querylog { file "/var/log/bind9-query.log"; print-time yes; };
            category queries { querylog; };
            category lame-servers { null; };
            category security { security; };
    };
    
    ... and below are the zones.
    195.145.63.120 is the IP of the server, and 216.75.158.130 is the IP of the master DNS (195.145.63.120 works as a slave server).

    Is there anything wrong in the configuration?

    Thanks again!
     
  4. viktor_smk

    I've tested with the test tool on dnsstuff.com and it says:

    The DNS server at IP address 195.145.63.120 is susceptible to a DNS cache poisoning attack. The server is not changing its source port, query id, or both, between queries.
    Based on the results, the DNS server is vulnerable if the IPs AND the source ports match, or the query IDs match. Matching query source ports or query IDs make it easier to spoof fake results to the DNS server, poisoning its cache.

    With other servers the query source ports do not match. How can I set up my named so that the source ports do not match?

    Thanks in advance!
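The rule the test tool quotes above can be applied to your own resolver's outbound queries. This is an added example, not code from the thread or from dnsstuff.com: it parses constructed tcpdump-style summary lines (hypothetical addresses from the documentation ranges) and reports whether the source port was reused for every query or whether query IDs repeat.

```python
import re
from collections import Counter

# Constructed lines in tcpdump's DNS summary style (not a capture from the
# thread): "IP <src>.<sport> > <dst>.<dport>: <txid>[+] A? <name>."
PINNED_CAPTURE = """\
IP 198.51.100.2.53 > 192.0.2.10.53: 6699+ A? www.example.com.
IP 198.51.100.2.53 > 192.0.2.10.53: 34867+ A? mail.example.com.
IP 198.51.100.2.53 > 192.0.2.10.53: 12048+ A? ns1.example.com.
IP 198.51.100.2.53 > 192.0.2.10.53: 50393+ A? ftp.example.com."""

RANDOM_CAPTURE = """\
IP 198.51.100.2.49152 > 192.0.2.10.53: 32513+ A? www.example.com.
IP 198.51.100.2.61023 > 192.0.2.10.53: 3230+ A? mail.example.com.
IP 198.51.100.2.33810 > 192.0.2.10.53: 39492+ A? ns1.example.com.
IP 198.51.100.2.50231 > 192.0.2.10.53: 58135+ A? ftp.example.com."""

# src address, src port, dst address, dst port, transaction id
LINE = re.compile(r"^IP (\S+)\.(\d+) > (\S+)\.(\d+): (\d+)\+? ")

def parse(capture):
    """Return (src_port, txid) for every query line; skip anything else."""
    queries = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if m:
            queries.append((int(m.group(2)), int(m.group(5))))
    return queries

def assess(queries):
    """Apply the tool's rule: the resolver is susceptible if it reused one
    source port for every query, or if transaction IDs repeat."""
    ports = Counter(p for p, _ in queries)
    ids = [i for _, i in queries]
    port_fixed = len(queries) > 1 and len(ports) == 1
    ids_repeat = len(set(ids)) < len(ids)
    return {"distinct_ports": len(ports), "distinct_ids": len(set(ids)),
            "port_fixed": port_fixed, "ids_repeat": ids_repeat,
            "susceptible": port_fixed or ids_repeat}

if __name__ == "__main__":
    for label, cap in (("pinned", PINNED_CAPTURE), ("random", RANDOM_CAPTURE)):
        print(label, assess(parse(cap)))
```

Four lines are enough to show the logic; on a real capture use a few hundred queries before drawing a conclusion.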
     
  5. Vinayak

    Hopefully you have seen this: http://www.webhostgear.com/321.html

    Additionally to that, your /etc/host.conf should look like this:

    Someone somewhere had also suggested it to be:

    Though I have not checked with multi on.
     
  6. viktor_smk

    Thank you again!

    I've tried that, but no success :(

    I just want the source ports of the queries to be different. I've set query-source port *; in the options section, but no success again ...

    What more can I try?

    Thanks a lot again!
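A check for the named.conf settings this thread keeps coming back to, as an added example that is not from the thread or from BIND: once BIND is patched to randomize source ports, a fixed port in `query-source` pins every outbound query to that port and defeats the fix, and `allow-recursion { any; }` or `allow-transfer { any; }` widen exposure. The two config fragments are constructed, not the poster's file.

```python
import re

# Constructed named.conf fragments (hypothetical, not the poster's file).
WEAK = """
options {
    directory "/etc/namedb";
    query-source address * port 53;
    allow-recursion { any; };
    allow-transfer { any; };
};
"""
HARDENED = """
options {
    directory "/etc/namedb";
    query-source address *;
    allow-recursion { 127.0.0.1; 195.145.63.120; 216.75.158.130; };
    allow-transfer { trusted-nameservers; };
    version "none";
};
"""

def options_block(conf):
    """Extract the body of the options {} block (simple, one-level parser)."""
    m = re.search(r"options\s*\{(.*?)\n\};", conf, re.S)
    return m.group(1) if m else ""

def lint(conf):
    """Return a list of findings for settings that undermine poisoning defences."""
    opts = options_block(conf)
    findings = []
    # A fixed port on query-source pins outbound queries to that port, so the
    # per-query port randomization of a patched BIND never takes effect.
    for m in re.finditer(r"query-source[^;]*?port\s+(\d+|\*)\s*;", opts):
        if m.group(1) != "*":
            findings.append(f"query-source pins port {m.group(1)}; "
                            "drop 'port' or use 'port *'")
    for acl in ("allow-recursion", "allow-transfer"):
        m = re.search(rf"{acl}\s*\{{([^}}]*)\}}", opts)
        if m is None:
            findings.append(f"{acl} not set; defaults apply, restrict it explicitly")
        elif "any" in re.split(r"[;\s]+", m.group(1)):
            findings.append(f"{acl} open to any; restrict to your own addresses")
    return findings

if __name__ == "__main__":
    print("weak:", lint(WEAK))
    print("hardened:", lint(HARDENED))
```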
     
  7. viktor_smk

    I just reinstalled BIND with the new patched version and the problem was solved. Thanks for the help! :)
     