Free Republic


DNSSEC under attack?
Internet News ^ | 25 November 2009 | Sean Michael Kerner

Posted on 11/30/2009 1:11:45 PM PST by ShadowAce

From the 'Mission Accomplished?' files:

For more than a year now I've heard lots of people in the Internet industry proclaiming DNSSEC (DNS Security Extensions) as the long-term solution to DNS cache poisoning vulnerabilities.

That may not necessarily be the case.

A new vulnerability is now out that attacks DNS servers with DNSSEC validation enabled.

In the summer of 2008, security researcher Dan Kaminsky made the whole world aware of potential security issues with DNS, which could have undermined the integrity of the Internet itself. DNSSEC is supposed to be the answer, with most of the world's major Internet registries moving to implement the technology.

So what's up with this new attack? For one, it specifically deals with the ISC BIND 9 DNS server, which is widely deployed.

"A nameserver with DNSSEC validation enabled may incorrectly add records to its cache from the additional section of responses received during resolution of a recursive client query," the security advisory from ISC states. "This behavior only occurs when processing client queries with checking disabled (CD) at the same time as requesting DNSSEC records (DO)."

So, to recap: a resolver running DNSSEC validation, the very technology that is supposed to help prevent DNS cache poisoning, could itself be poisoned in certain circumstances, by accepting unvalidated additional-section records into its cache when a client asks with CD and DO set together.
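To make the two halves of the advisory concrete, here is an added example in Python (it is not code from the article, from ISC or from BIND). It builds a query that sets both the CD header flag and the EDNS0 DO bit, detects that combination in an incoming query the way a resolver front end might, and applies the bailiwick rule to the additional section of a constructed response: glue under the zone being resolved is accepted, an unrelated A record is rejected. The zone names, addresses and the sample response are placeholders constructed for the demo.

```python
"""Added example (not the article's or ISC's code): build a DNS query with
both CD and the EDNS0 DO bit set, detect that combination, and apply the
bailiwick rule to a constructed response's additional section.
Zone names and addresses are placeholders."""
import struct

FLAG_RD, FLAG_CD = 0x0100, 0x0010   # recursion desired; checking disabled
EDNS_DO = 0x8000                    # DO bit lives in the OPT RR TTL field
TYPE_A, TYPE_NS, TYPE_OPT = 1, 2, 41

def encode_name(name):
    """Dotted name -> length-prefixed labels plus root terminator."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off, max_hops=32):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > max_hops:                        # refuse pointer loops
                raise ValueError("compression pointer loop")
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower() + ".", end if end is not None else off

def build_query(qname, txid, qtype=TYPE_A, cd=False, do=False):
    """Wire query; cd sets the CD flag, do appends an OPT RR with DO set."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if do:  # OPT: root owner, type 41, UDP size in CLASS, DO in TTL, no RDATA
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return msg

def parse_message(msg):
    """Parse header, question and the three RR sections into a dict."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, out = 12, {"id": txid, "flags": flags, "questions": []}
    for _ in range(qd):
        name, off = decode_name(msg, off)
        out["questions"].append((name, struct.unpack("!H", msg[off:off + 2])[0]))
        off += 4
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        out[section] = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            out[section].append({"name": name, "type": rtype, "ttl": ttl,
                                 "rdata": msg[off:off + rdlen]})
            off += rdlen
    return out

def is_cd_do_query(msg):
    """The trigger the ISC advisory names: CD flag set together with DO."""
    m = parse_message(msg)
    has_do = any(rr["type"] == TYPE_OPT and rr["ttl"] & EDNS_DO
                 for rr in m["additional"])
    return bool(m["flags"] & FLAG_CD) and has_do

def in_bailiwick(owner, zone):
    """True when owner equals zone or lies beneath it."""
    owner, zone = owner.lower().rstrip(".") + ".", zone.lower().rstrip(".") + "."
    return zone == "." or owner == zone or owner.endswith("." + zone)

def filter_additional(response, zone):
    """Split additional-section RRs into (cacheable, rejected) by bailiwick."""
    keep, drop = [], []
    for rr in response["additional"]:
        if rr["type"] != TYPE_OPT:                  # OPT is metadata, never cached
            (keep if in_bailiwick(rr["name"], zone) else drop).append(rr)
    return keep, drop

def rr_a(name, ip, ttl=3600):
    """Wire-encode an A record (constructed sample data)."""
    rdata = bytes(int(o) for o in ip.split("."))
    return encode_name(name) + struct.pack("!HHIH", TYPE_A, 1, ttl, 4) + rdata

def build_sample_response(txid):
    """Constructed referral for www.example.test: valid glue for ns1 plus an
    unrelated www.bank.test A record that must not enter the cache."""
    hdr = struct.pack("!HHHHHH", txid, 0x8000 | FLAG_CD, 1, 0, 1, 2)
    q = encode_name("www.example.test") + struct.pack("!HH", TYPE_A, 1)
    ns_rdata = encode_name("ns1.example.test")
    auth = (encode_name("example.test")
            + struct.pack("!HHIH", TYPE_NS, 1, 3600, len(ns_rdata)) + ns_rdata)
    extra = rr_a("ns1.example.test", "192.0.2.1") + rr_a("www.bank.test", "198.51.100.66")
    return hdr + q + auth + extra
```

Calling `is_cd_do_query(build_query("www.example.test", 0x1234, cd=True, do=True))` returns True, and `filter_additional(parse_message(build_sample_response(0x1234)), "example.test")` keeps only `ns1.example.test.` and rejects `www.bank.test.`. The bailiwick check is the general defence that makes additional-section poisoning hard regardless of DNSSEC; the advisory describes a path on which BIND skipped it, which is why the CD+DO combination matters.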


Aside from the obvious irony of the situation, it's actually not as big a problem as you might think at first glance.

While the vulnerability is real, it's not likely to be exploited, and ISC says it isn't aware of any public exploits (yet).

"This problem only affects nameservers that allow recursive queries and are performing DNSSEC validation on behalf of their clients," the ISC states. "It is unlikely to be encountered by most DNSSEC-validating nameservers because queries that might induce a nameserver to exhibit this behavior would not normally be received with CD in combination with DO."

ISC does not have a patch out for this issue, but it does offer a very simple workaround that I'd suggest all DNSSEC BIND users implement immediately.

"Ensure that recursion is restricted appropriately via the 'allow-recursion' option in named.conf," ISC suggests.
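As an added illustration (not from ISC's advisory or the article), here is a BIND 9 named.conf fragment with the open setting shown commented out beside the restricted one the advisory recommends. The ACL name and address ranges are placeholders for your own networks.

```conf
// Added example, not ISC's text: restrict who may recurse through a
// validating BIND 9 resolver. ACL name and ranges are placeholders.
acl "trusted-clients" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;          // placeholder for your internal networks
};

options {
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;

    // Weak: any host on the Internet can send this validator a recursive
    // query, including one with both CD and DO set.
    // allow-recursion { any; };

    // Restricted: only listed networks may recurse or read the cache;
    // everyone else is refused.
    allow-recursion   { trusted-clients; };
    allow-query-cache { trusted-clients; };
};
```

Check the file with `named-checkconf` before reloading. After the reload, a query such as `dig @server www.example.test +cdflag +dnssec` sent from an address outside the ACL should come back refused rather than answered. Note what this does and does not do: it shrinks the set of clients able to send the CD+DO combination to those you already trust, but the faulty caching path is still present until ISC ships a fix, so the restriction is a stopgap. A server that is only authoritative for its own zones should simply set `recursion no;`.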



TOPICS: Computers/Internet
KEYWORDS: dns; vulnerability

1 posted on 11/30/2009 1:11:46 PM PST by ShadowAce

To: rdb3; Calvinist_Dark_Lord; GodGunsandGuts; CyberCowboy777; Salo; Bobsat; JosephW; ...

2 posted on 11/30/2009 1:12:22 PM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce

Thanks for the ping.


3 posted on 11/30/2009 2:01:31 PM PST by GOPJ (Anthropogenic global warming-the most costly and widespread scientific FRAUD in history-James Lewis)

To: ShadowAce

Don’t let your public DNS servers recurse.


4 posted on 11/30/2009 3:01:11 PM PST by zeugma (Proofread a page a day: http://www.pgdp.net/)

To: zeugma

We don’t let our DNS servers curse in public, much less recurse....


5 posted on 11/30/2009 4:46:12 PM PST by mikrofon ('Net Bump)

To: ShadowAce
ACHTUNG! ACHTUNG!
ALLES TURISTEN UND NONTEKNISCHEN LOOKENPEEPERS!

DAS KOMPUTERMASCHINE IST NICHT FÜR DER GEFINGERPOKEN UND MITTENGRABEN! ODERWISE IST EASY TO SCHNAPPEN DER SPRINGENWERK, BLOWENFUSEN UND POPPENCORKEN MIT SPITZENSPARKSEN.

IST NICHT FÜR GEWERKEN BEI DUMMKOPFEN. DER RUBBERNECKEN SIGHTSEEREN KEEPEN DAS COTTONPICKEN HÄNDER IN DAS POCKETS MUSS.

ZO RELAXEN UND WATSCHEN DER BLINKENLICHTEN.


...and I say this recursively to all.
6 posted on 12/01/2009 8:30:30 AM PST by papasmurf (You betcha!)

