[Dshield] DNS Security announcement (ISC version)
alan at clegg.com
Tue Jul 8 20:11:57 GMT 2008
-----BEGIN PGP SIGNED MESSAGE-----
CERT VU#800113 DNS Cache Poisoning Issue
ISC characterization: Query Port Randomization for BIND 9
ANYONE RUNNING BIND AS A CACHING RESOLVER IS AFFECTED.
No known exploits to-date
DNSSEC is the only solution. Available versions of BIND that provide
Note: BIND8 is also vulnerable, but it has reached end-of-life and is
no longer supported by ISC.
Thanks to recent work by Dan Kaminsky of IOActive, ISC has become aware
of a potential attack exploiting weaknesses in the DNS protocol itself.
(Full details of the vulnerability will be explained by Kaminsky at
the Black Hat conference on August 7th.) The weakness is inherent to
the DNS protocol and not specific to any single implementation. The DNS
protocol uses the Query ID field to match incoming responses to
previously sent queries. The Query ID field is only 16 bits, which
makes it an easy target to exploit in the particular spoofing scenario
described by Kaminsky.
Immediate action required:
IF YOU ARE RUNNING BIND AS A CACHING RESOLVER YOU NEED TO TAKE ACTION.
DNSSEC is the only definitive solution for this issue. Understanding
that immediate DNSSEC deployment is not a realistic expectation, ISC is
releasing patched versions of BIND that improve its resilience against
The method used in the patches and beta releases makes it harder to
spoof answers to a resolver by expanding the range of UDP ports from
which queries are sent by the nameserver, thereby increasing the
variability of parameters in outgoing queries.
WE URGE YOU TO INSTALL EITHER THE PATCHES (9.5.0-P1, 9.4.2-P1, 9.3.5-P1)
OR THE BETA RELEASES (9.5.1B1, 9.4.3B2) IMMEDIATELY.
The patches will have a noticeable impact on the performance of BIND
caching resolvers with query rates at or above 10,000 queries per
second. The beta releases include optimized code that will reduce the
impact in performance to non-significant levels.
DNS administrators who operate these servers behind port-restricted
firewalls are encouraged to review their firewall policies to allow this
protocol-compliant behavior. Restricting the possible use of various
UDP ports, for instance at the firewalls, in outgoing queries and the
corresponding replies will result in decreased security for the DNS service.
Again, DNSSEC is the definitive solution to this type of attack. ISC
strongly encourages DNS administrators to deploy DNSSEC as soon as
possible to fully address this problem. DNS domain owners that want
their data to be protected against spoofing to the end-user must sign
their zones. ISP and Enterprise DNS administrators who provide caching
recursive nameservers to their users should enable DNSSEC validation.
DNSSEC Lookaside Validation (DLV), offered by ISC and others, is another
DNSSEC deployment option.
Additional Assistance and resources available from ISC:
BIND 9 software support - http://www.isc.org/sw/support/
Managed caching resolvers: Through September 30, 2008, ISC support
customers have the option of forwarding their recursive servers queries
to caching resolvers deployed on ISC's SNS production network while the
required software upgrades are performed on their own networks. For
additional information on this option, please open a ticket in your
support queue with the subject line including "forwarder service."
ISC DLV: https://secure.isc.org/ops/dlv/
DNSSEC tools & presentations:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
-----END PGP SIGNATURE-----
More information about the list