Comments on: What Dan’s DNS Checker Doesn’t Do http://www.veracode.com/blog/2008/07/what-dans-dns-checker-doesnt-do/ Application security testing, analysis, and metrics Tue, 15 May 2012 22:16:53 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Jesse Cantu http://www.veracode.com/blog/2008/07/what-dans-dns-checker-doesnt-do/comment-page-1/#comment-1959 Jesse Cantu Sun, 20 Jul 2008 16:51:17 +0000 http://www.veracode.com/blog/?p=120#comment-1959 @Chris Eng This is a pretty interesting take on it. I hadn't even thought about it before, but you're right... regarding the NAT issue, that has huge implications across the Internet and deep within the consumer-base itself. Incidentally, theReformed was running a poll on Dan's find posted the other day, so far Dan seems to be coming out on top with the people http://thereformed.org/2008/07/19/poll-dan-kaminskys-dns-poisoning-bug/ . @Dan Kaminsky How does this not effect DJBDNS? I know DJB has campaigned for years against BIND's flawed existence, why hasn't his product received wider adoption? @Chris Eng
This is a pretty interesting take on it. I hadn’t even thought about it before, but you’re right… regarding the NAT issue, that has huge implications across the Internet and deep within the consumer-base itself.

Incidentally, theReformed was running a poll on Dan’s find posted the other day, so far Dan seems to be coming out on top with the people http://thereformed.org/2008/07/19/poll-dan-kaminskys-dns-poisoning-bug/ .

@Dan Kaminsky
How does this not effect DJBDNS? I know DJB has campaigned for years against BIND’s flawed existence, why hasn’t his product received wider adoption?

]]> By: Dan Kaminsky http://www.veracode.com/blog/2008/07/what-dans-dns-checker-doesnt-do/comment-page-1/#comment-1942 Dan Kaminsky Sat, 19 Jul 2008 00:18:40 +0000 http://www.veracode.com/blog/?p=120#comment-1942 Information about working around the NAT issue just hit my website. Information about working around the NAT issue just hit my website.

]]> By: Chris Eng http://www.veracode.com/blog/2008/07/what-dans-dns-checker-doesnt-do/comment-page-1/#comment-1923 Chris Eng Wed, 16 Jul 2008 01:41:21 +0000 http://www.veracode.com/blog/?p=120#comment-1923 @Hoff: I've been waiting for someone to respond in an official capacity to the question you and Tom Cross raised. I guess this is the closest thing so far: http://www.circleid.com/posts/87143_dns_not_a_guessing_game/ @Hoff:

I’ve been waiting for someone to respond in an official capacity to the question you and Tom Cross raised.

I guess this is the closest thing so far:
http://www.circleid.com/posts/87143_dns_not_a_guessing_game/

]]> By: Christofer Hoff http://www.veracode.com/blog/2008/07/what-dans-dns-checker-doesnt-do/comment-page-1/#comment-1593 Christofer Hoff Fri, 11 Jul 2008 02:24:23 +0000 http://www.veracode.com/blog/?p=120#comment-1593 I'm also interested in the comments highlighted by Tom Cross from IBM/ISS X-force reiterating a comment sent to FD regarding DNS and NAT devices. You can find Tom's post here: http://blogs.iss.net/archive/dnsnat.html " I’m writing this blog post in order to draw more attention to that observation, as I’m not sure that the security industry has realized its full implications. As far as we know, this observation applies to any NAT device, not just the firewall imipack tested, and we think it has significant implications for network architecture. When a host on a computer network selects a source port for a UDP request, it selects a port that is unique for that host. When a one-to-many hiding NAT device receives that request and translates it, it has to assign a new source port, because the NAT device has to assign unique ports for all of the hosts on the internal network. X-Force is not aware of any NAT device on the market that randomly selects UDP source ports. Therefore, when patched DNS clients and servers are used behind NAT, they are still vulnerable to attack. The source port entropy introduced by the recent patches is cancelled out by the NAT device. It is our opinion that network administrators who have caching internal DNS servers behind NAT should plan to move those servers into a DMZ where they can be directly assigned a unique Internet IP address. Any servers that remain behind NAT devices will remain vulnerable after patches have been applied, and X-Force suspects that given the amount of media attention DNS Cache Poisoning has received this week that an increased frequency of attack is likely in the coming months." What say thee to that? Patching may not be enough if you physically have to move DNS servers to what amounts to DMZ's and then expose them with 1-to-1 NAT's instead of hides...oh the fun. /Hoff I’m also interested in the comments highlighted by Tom Cross from IBM/ISS X-force reiterating a comment sent to FD regarding DNS and NAT devices. You can find Tom’s post here: http://blogs.iss.net/archive/dnsnat.html

” I’m writing this blog post in order to draw more attention to that observation, as I’m not sure that the security industry has realized its full implications. As far as we know, this observation applies to any NAT device, not just the firewall imipack tested, and we think it has significant implications for network architecture.

When a host on a computer network selects a source port for a UDP request, it selects a port that is unique for that host. When a one-to-many hiding NAT device receives that request and translates it, it has to assign a new source port, because the NAT device has to assign unique ports for all of the hosts on the internal network. X-Force is not aware of any NAT device on the market that randomly selects UDP source ports. Therefore, when patched DNS clients and servers are used behind NAT, they are still vulnerable to attack. The source port entropy introduced by the recent patches is cancelled out by the NAT device.

It is our opinion that network administrators who have caching internal DNS servers behind NAT should plan to move those servers into a DMZ where they can be directly assigned a unique Internet IP address. Any servers that remain behind NAT devices will remain vulnerable after patches have been applied, and X-Force suspects that given the amount of media attention DNS Cache Poisoning has received this week that an increased frequency of attack is likely in the coming months.”

What say thee to that? Patching may not be enough if you physically have to move DNS servers to what amounts to DMZ’s and then expose them with 1-to-1 NAT’s instead of hides…oh the fun.

/Hoff

]]> By: Chris Eng http://www.veracode.com/blog/2008/07/what-dans-dns-checker-doesnt-do/comment-page-1/#comment-1586 Chris Eng Fri, 11 Jul 2008 02:02:46 +0000 http://www.veracode.com/blog/?p=120#comment-1586 @Dan: Ah, so I'm not going crazy then. Thought that looked suspect. @Dan:

Ah, so I’m not going crazy then. Thought that looked suspect.

]]> By: Dan Kaminsky http://www.veracode.com/blog/2008/07/what-dans-dns-checker-doesnt-do/comment-page-1/#comment-1567 Dan Kaminsky Thu, 10 Jul 2008 23:23:10 +0000 http://www.veracode.com/blog/?p=120#comment-1567 *sighs* There's a bug in the code. Note that's not very random. *sighs*

There’s a bug in the code. Note that’s not very random.

]]>