BIND recursive resolver exploit?

Robert Hajime Lanning lanning at lanning.cc
Tue Jul 22 15:56:05 PDT 2008


On Tue, 2008-07-22 at 13:45 -0700, David Wolfskill wrote:

> The FreeBSD lists have been fairly active recently in discussing the
> (somewhat-)recently disclosed vulnerability in BIND that (IIRC) targets
> recursive resolvers (by poisoning their caches).
> 
> I'm mildly surprised that there's not been more discussion of it here,
> as it does cross OS lines pretty thoroughly.
> 
> The current circumvention appears to be to ensure that DNS query source
> ports are properly randomized, while the purported fix is to implement
> DNSSEC.
> 
> For my name servers, I configure them so that they only honor recursive
> queries from within my network; I gather, though, that this does not
> avoid the issue, as it would still be possible to place a reference
> (e.g., a URL) to a particular DNS zone to cause my name server to
> perform a query that is at least strongly influenced by an untrusted
> party outside my network.
> 
> Comments?  Or is this all old hat?
> 
> Peace,
> david


From what I have been reading, the issue is that the nonce (query ID)
is just 16 bits.

There seem to be two issues.

The first is that the random number generators (used to create the
nonce) tend to not be random enough.

The second is that a 16-bit nonce is not enough space.

So there are a couple fixes:

Best fix is a protocol update to move the nonce from 16 bits to 128
bits.  Not immediately feasible due to cross-implementation
issues/backwards compatibility.

Use DNSSEC.  Not really feasible because of compute resources for zone
signing/signature authentication/trust infrastructure build-out.

Work around:

Fix the random number generator.

Artificially extend the nonce by making the source port part of it.
What you will see is that every outbound query will have a different
random source port.  So, if you have 200 concurrent recursive queries
out in the wild, you will have 200 random open UDP ports.  (One per
query.)

This extension of the nonce is the main part of the patches going out.
Almost all of the implementations pick a random port (which can be
locked down to a specific port in the config) at start and stick with
it for all queries.

--
END OF LINE
        --MCP
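The arithmetic behind the post, as an added example that is not part of the original Baylisa message or of BIND: it models how much guess space an off-path attacker faces with only a 16-bit query ID versus ID plus a random UDP source port, and runs a small Monte-Carlo race to show the difference. Everything in it is an assumption for illustration: the function names, the ephemeral port range 1024-65535, the figure of 200 forged replies per query window, and the geometric model of repeated attempts. It says nothing about any specific resolver's random number generator.

```python
"""Added example, not part of the original Baylisa post.

Models the two points the post makes: a 16-bit query ID alone is a small
guess space for an off-path attacker, and folding a random UDP source
port into the "nonce" multiplies that space by the number of usable ports.

Assumptions (constructed for illustration): the attacker cannot see the
query and must guess every field the resolver checks on a reply; the
resolver draws the ID uniformly from all 65536 values; with port
randomization on, it draws the port uniformly from 1024-65535.  The
numbers are a model, not measurements of any particular resolver.
"""
import math
import random

QID_BITS = 16
EPHEMERAL_PORTS = (1024, 65535)   # assumed range; real resolvers differ


def guess_space(port_range=None):
    """Number of (query ID, source port) pairs the attacker must cover.

    port_range=None models the pre-patch behaviour the post describes:
    one source port picked at start and reused for every query, so only
    the 16-bit ID is unknown to the attacker.
    """
    ids = 1 << QID_BITS
    if port_range is None:
        return ids
    lo, hi = port_range
    return ids * (hi - lo + 1)


def effective_nonce_bits(space):
    """Guess space expressed as bits of entropy the attacker must guess."""
    return math.log2(space)


def p_poison_per_window(forged_per_window, space):
    """Probability that one batch of distinct forged replies, all racing
    the legitimate answer to a single outstanding query, hits the pair."""
    return min(forged_per_window, space) / space


def expected_windows(forged_per_window, space):
    """Expected number of query windows (e.g. lookups the attacker
    induces, one after another) before the first poison, geometric model."""
    return 1.0 / p_poison_per_window(forged_per_window, space)


def simulate_windows(port_range, forged_per_window, seed=1, max_windows=5000):
    """Monte-Carlo race: each window the resolver sends a query with a
    fresh random ID (and port, if randomized); the attacker fires
    forged_per_window random guesses (with replacement).  Returns the
    window number of the first hit, or None if none within max_windows."""
    rng = random.Random(seed)
    ids = 1 << QID_BITS

    def pick_port():
        if port_range is None:
            return 53            # fixed port: every query and guess agree
        return rng.randrange(port_range[0], port_range[1] + 1)

    for window in range(1, max_windows + 1):
        qid, port = rng.randrange(ids), pick_port()
        for _ in range(forged_per_window):
            if rng.randrange(ids) == qid and pick_port() == port:
                return window
    return None


if __name__ == "__main__":
    for label, pr in (("fixed source port", None),
                      ("random source port", EPHEMERAL_PORTS)):
        space = guess_space(pr)
        print(f"{label}: {effective_nonce_bits(space):.2f} bits, "
              f"expected windows at 200 forged replies: "
              f"{expected_windows(200, space):,.0f}, "
              f"simulated first hit: {simulate_windows(pr, 200)}")
```

Running the file prints one row per model; with a fixed port the simulated race succeeds within a few hundred windows, with a random port it does not succeed within the 5000-window cap. The check the post points at is easy to do on a live resolver: while it is busy, `netstat -anu` (or `sockstat -u` on FreeBSD) should show many different local UDP ports rather than one, and `dig +short porttest.dns-oarc.net TXT` reports how random the ports look from outside. In BIND a `query-source ... port N` clause in named.conf pins the port to a single value, which is exactly the pre-patch behaviour, so it should be left out once the patched build is installed.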