Thread: Check your DNS - Word to the Wise

  1. #1
    dwmtractor (Moderator)

    Check your DNS - Word to the Wise

    This is off-topic for Zimbra, but a lot of you administer systems, and I, at least, had not heard of this until I stumbled across it today. Apparently there's a basic flaw in the architecture of DNS servers -- ALL DNS servers, regardless if they're Windows, Linux, whatever -- that invites poisoning of the DNS cache. While there has not yet been any known exploit of this vulnerability, it's likely it'll happen fast now that the flaw is public, and it's a goldmine for phishers and other identity thieves.

    Windows Update includes fixes for your Microsoft servers, most Linux publishers include information for fixes for bind and bind9, so the ability to patch your own systems is out there and you should do it. Unfortunately, it's not just your servers you have to worry about, though; it's also your ISP's servers if you forward to them (which you probably do). So you need to verify if they have done their homework and patched theirs (hint, my AT&T forwarders are NOT patched).

    Take a look at this article, "Opinion: Fix your flawed DNS ... NOW!", and the vulnerability tester on this website, DoxPara Research.

    I don't like "the sky is falling" emails any more than the next guy. . .and the sky isn't falling yet, but you should really pay attention to this one, as you can be sure the Black Hats already are. . .
    Cheers,

    Dan

  2. #2
    mdeneen (Active Member)

    Just for clarification, not all DNS caches are vulnerable. If you are using dnscache, part of the djbdns suite, you are in the clear. dnscache uses source port randomization.

    From the article: An Astonishing Collaboration : DoxPara Research

    "DJB was right. All those years ago, Dan J. Bernstein was right: Source Port Randomization should be standard on every name server in production use."


    I'm a big fan of dnscache and tinydns for exactly this reason. There have been no updates to the software since 2001 and it is still strong and secure. Dan really knew what he was doing when he wrote it.

  3. #3
    y@w (Moderator)

    I've been terrible about watching the news on this, but I did catch wind of a patch from Red Hat that was overwriting the config file for BIND. I believe they've fixed it, but watch for that as well.

  4. #4
    dwmtractor (Moderator)

    Originally posted by y@w:
    "I've been terrible about watching the news on this but I did catch wind of a patch from Red Hat that was overwriting the config file for BIND. I believe they've fixed it, but watch for that as well"

    True for Ubuntu as well. A simple apt-get upgrade installs the patch.
    Cheers,

    Dan

  5. #5
    y@w (Moderator)

    Oh good to know. I thought it was just restricted to Red Hat.

    Thanks!

  6. #6
    mmorse (Moderator)
