Posted on 11/30/2009 1:11:45 PM PST by ShadowAce
From the 'Mission Accomplished?' files:
For more than a year now I've heard lots of people in the Internet industry proclaiming DNSSEC (DNS Security Extensions) as the long-term solution to DNS cache poisoning vulnerabilities.
That may not necessarily be the case.
A new vulnerability is now out that attacks DNS servers WITH DNSSEC installed.
In the summer of 2008, security researcher Dan Kaminsky made the whole world aware of potential security issues with DNS, which could have undermined the integrity of the Internet itself. DNSSEC is supposed to be the answer, with most of the world's major Internet registries moving to implement the technology.
So what's up with this new attack? For one, it specifically deals with the ISC BIND 9 DNS server which is widely deployed.
"A nameserver with DNSSEC validation enabled may incorrectly add records to its cache from the additional section of responses received during resolution of a recursive client query," the security advisory from ISC states. "This behavior only occurs when processing client queries with checking disabled (CD) at the same time as requesting DNSSEC records (DO)."

So to recap: DNSSEC, the same tech that is supposed to help prevent DNS cache poisoning, could itself be poisoned in certain circumstances.
"This problem only affects nameservers that allow recursive queries and are performing DNSSEC validation on behalf of their clients," the ISC states. "It is unlikely to be encountered by most DNSSEC-validating nameservers because queries that might induce a nameserver to exhibit this behavior would not normally be received with CD in combination with DO."
ISC does not have a patch out for this issue, but they do offer a very simple workaround that I'd suggest all DNSSEC BIND users implement immediately.
"Ensure that recursion is restricted appropriately via the 'allow-recursion' option in named.conf," ISC suggests.
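The ISC workaround quoted above is a one-line change in named.conf. The two fragments below are an added illustration, not part of the article or of ISC's advisory: the first shows the exposed shape (recursion and DNSSEC validation offered to any client), the second the restricted shape ISC recommends. The ACL name `trusted`, the directory path and the 192.0.2.0/24 network are placeholders; substitute your own resolver's client ranges.

```conf
// --- Exposed: any host that can reach the server may send it recursive
// --- queries, including CD+DO queries that trigger the advisory's behaviour.
options {
    directory "/var/named";          // placeholder path
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    allow-recursion { any; };        // the weak setting
};

// --- Restricted: recursion (and cache reads) only for known client networks,
// --- per ISC's "allow-recursion" workaround.
acl "trusted" {                      // placeholder ACL name
    127.0.0.0/8;
    ::1/128;
    192.0.2.0/24;                    // placeholder: your internal client range
};

options {
    directory "/var/named";          // placeholder path
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    allow-recursion { trusted; };    // only these clients may recurse
    allow-query-cache { trusted; };  // and only they may read cached answers
};
```

Two caveats. First, this limits who can trigger the bug rather than fixing it: a client inside `trusted` can still send the CD+DO queries the advisory describes, so the restriction should be combined with the ISC fix once one is released. Second, if the same server also serves authoritative zones to the public, keep `allow-query` open for those zones; only recursion and cache access need to be restricted. After editing, `named-checkconf` will catch syntax errors before the configuration is reloaded.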
Thanks for the ping.
Don’t let your public DNS servers recurse.
We don’t let our DNS servers curse in public, much less recurse....