I earlier wrote about What is DNS and how it works, also we read How OpenDNS works. Recently US-CERT ( United States Computer Emergency Readiness Team) released the vulnerability note VU#800113 stating that many DNS implementations are vulnerable to DNS Cache Poisoning owing to three main reasons:
- Insufficient transaction ID space : The DNS protocol specification includes a transaction ID field of 16 bits. If the specification is correctly implemented and the transaction ID is randomly selected with a strong random number generator, an attacker will require, on average, 32,768 attempts to successfully predict the ID. Some flawed implementations may use a smaller number of bits for this transaction ID, meaning that fewer attempts will be needed. Furthermore, there are known errors with the randomness of transaction IDs that are generated by a number of implementations. Amit Klein researched several affected implementations in 2007. These vulnerabilities are described in the following vulnerability notes:
- Multiple outstanding requests: Some implementations of DNS services contain a vulnerability in which multiple identical queries for the same resource record (RR) will generate multiple outstanding queries for that RR. This condition leads to the feasibility of a ‘birthday attack,’ which significantly raises an attacker’s chance of success. This problem was previously described in VU#457875. A number of vendors and implementations have already added mitigations to address this issue.
- Fixed source port for generating queries: Some current implementations allocate an arbitrary port at startup (sometimes selected at random) and reuse this source port for all outgoing queries. In some implementations, the source port for outgoing queries is fixed at the traditional assigned DNS server port number, 53/udp.
Now the real question is; Do you, as a end user really need to worry about the DNS Vulnerability? In short, the answer is YES.
The effect of the vulnerability is that if it is successfully exploited, a DNS request for a specific name can be forced to return the wrong IP address. So imagine that you’re going to paypal.com and the DNS request that asks “what’s the IP address for paypal.com?” returns an IP address of a hacker’s server instead. A hackers server that is crafted to look like Paypal, but is most definitely not Paypal. How would you know?
DNS-OARC has released a test page which can let you know if your ISP’s DNS is safe and patched or not. You can click on this link to test your DNS. The link generates two charts for your DNS server based on the Source Port Randomness and Transaction ID Randomness.
The test takes a few seconds to complete. When its done you’ll see a page where the transaction ID and source port randomness will be rated either GREAT, GOOD, or POOR. If you see a POOR rating,I would recommend that you contact your local ISP and ask them to apply relevant patches for fixing this DNS vulnerability on their servers, if they don’t have any such plans; try moving on to Open DNS. Its free, safer, faster, smarter and more reliable.
Also read: Hacking Ruby on Rails.
Do stay tuned to Technofriends for more, one of the best ways of doing so is by subscribing to our feeds. You can subscribe to Technofriends feed by clicking here.