RE: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
I appreciate you replying, but I understand the Windows DNS attack well. I'm just wondering how and if BIND protects against the same attack, and if yes, how?

Roger

*
*Roger A. Grimes, InfoWorld, Security Columnist
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: [EMAIL PROTECTED] or [EMAIL PROTECTED]
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*

-----Original Message-----
From: Tim [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 17, 2007 5:27 PM
To: Roger A. Grimes
Cc: bugtraq@securityfocus.com
Subject: Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing

Roger,

This is what I know about it, since no one else seems to be giving you more info...

> As described above, Windows DNS is vulnerable to the cache poisoning
> attack through the forwarder DNS server. This seems to be because Windows
> DNS blindly trusts replies from forwarder DNS and caches every
> resource record regardless of their domain.

The original vulnerability was the issue that Windows DNS server accepts records from unauthoritative sources. This was partially fixed with some registry setting (insanely off by default), but it turned out if Windows was using an upstream resolver (i.e. not going directly to the roots), then it was still vulnerable. This is the vulnerability which is specific to Windows DNS (though Symantec's also had it, I think).

For instance, if a Windows DNS cache asks for example.org, and receives records for example.org and org (TLD), then it will blindly believe it, under certain conditions. BIND does not do this, AFAIK, and neither does any correctly implemented DNS cache.

The attack described just now is that this vulnerability combined with the traditional "birthday" attack scenario allows another form of attack. The birthday attacks in general are still possible on any DNS server which doesn't randomize source ports, but may be more difficult to conduct than this new attack. (I'm not sure, I haven't run the numbers.)

Hope this clears it up. If you're interested in running a more secure DNS cache, try djbdns' dnscache.

tim

PS- Please correct me if I messed up any of the details on the Windows DNS vulnerability. This is all straight from memory... didn't double-check my sources.
Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
>The attack described just now is that this vulnerability combined with
>the traditional "birthday" attack scenario allows another form of
>attack. The birthday attacks in general are still possible on any DNS
>server which doesn't randomize source ports, but may be more difficult
>to conduct than this new attack. (I'm not sure, I haven't run the
>numbers.)

Thank you for the clarification, Tim.
That is exactly what I wanted to say. :)

By the way, as regards recent Bind 9, the birthday attack is much more difficult to conduct because even if the attacker sends multiple simultaneous recursive queries, Bind 9 aggregates these queries.

In addition, there is a patch written by Jinmei-san for Bind 9.4.0 (current release) to randomize source ports.

http://www.jinmei.org/bind-9.4.0-portpool.patch
http://member.wide.ad.jp/tr/wide-tr-dns-bind9-portpool-01.txt
(technical report from WIDE project in Japanese)

Makoto Shiotsuki
Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
[Bojan Zdrnja]
> I'm not sure what's the story with other DNS servers (djbdns, for
> example).

In regard to djbdns, I believe that that's answered at:

http://cr.yp.to/djbdns/dnscache.html

where it says:

    dnscache does not cache (or pass along) records outside the server's
    bailiwick; those records could be poisoned. Records for foo.dom, for
    example, are accepted only from the root servers, the dom servers, and
    the foo.dom servers.

Regards,
Matt
Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
Hello Makoto,

> Thank you for the clarification, Tim.
> That is exactly what I wanted to say. :)
>
> By the way, as regards recent Bind 9, birthday attack is much more
> difficult to conduct because even if the attacker sends multiple
> simultaneous recursive queries, Bind 9 aggregates these queries.

Aggregating queries would definitely help if you assume the attacker can make recursive queries. However, it was my understanding (which could be completely wrong) that BIND 9 reuses sockets for multiple queries, unlike previous versions, and this makes spoofed attacks easier in another respect. (Of course this all has nothing to do with the Windows-specific flaw.)

> In addition, there is a patch written by Jinmei-san for Bind 9.4.0
> (current release) to randomize source ports.
>
> http://www.jinmei.org/bind-9.4.0-portpool.patch
> http://member.wide.ad.jp/tr/wide-tr-dns-bind9-portpool-01.txt
> (technical report from WIDE project in Japanese)

That's good, that at least someone is trying to do this in BIND.

thanks for the info,
tim
Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
Hi Roger,

On 4/18/07, Roger A. Grimes <[EMAIL PROTECTED]> wrote:
> How does BIND stop this sort of attack? Can a BIND expert respond?

I'm not a BIND expert but I can (hopefully) tell you what's happening.

Basically, Windows 2000 forwarding to BIND:

If you have BIND < v9, it will retrieve the reply but will not strip out authority RRs. BIND will send this back to the Windows DNS server, which will happily cache everything, trusting BIND.

In BIND v9 this was fixed because it will delete this (extra) data before sending the reply back to the Windows DNS server (that's why it's very important to upgrade your DNS servers to BIND v9).

I'm not sure what's the story with other DNS servers (djbdns, for example).

Cheers,

Bojan
Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
> I appreciate you replying, but I understand the Windows DNS attack well.
> I'm just wondering how and if BIND protects against the same attack, and
> if yes, how?

Well, as the main vulnerability implies, a sane DNS cache wouldn't accept a record that wasn't requested. If I ask for A, and I get A and B back, and B isn't reasonably related to A, ignore B.

I'm not saying BIND is sane, but from what I understand, in this case they got it right. The birthday attack is merely another vector to exploit the real problem.

tim
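As an added illustration of the bailiwick rule that Tim describes here and that Matt quotes from the dnscache documentation (this is not code from either poster, nor from BIND, dnscache or Windows DNS), the following Python filter keeps only reply records whose owner names fall under the zone the answering server is responsible for. The names and addresses in the sample reply are constructed.

```python
"""Bailiwick filter for DNS reply records.

Added example for this thread; it is not code from any poster, nor from
BIND, dnscache or Windows DNS.  It models the check Tim describes: when a
cache asks for one name, it ignores returned records that are not under the
zone the answering server is responsible for (the example.org servers must
not be believed about "org").
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "www.example.org."
    rtype: str   # record type: "A", "NS", ...
    rdata: str


def _labels(name: str) -> list:
    """Split a domain name into lower-cased labels; "." and "" give []."""
    return [lb.lower() for lb in name.rstrip(".").split(".") if lb]


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` equals `zone` or lies below it, compared label by
    label (so "notexample.org" is not under "example.org").  The root
    zone "." covers every name."""
    o, z = _labels(owner), _labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z


def filter_reply(records, zone: str):
    """Split reply records into (accepted, rejected).  `zone` is the zone
    the answering server is authoritative for; a forwarding-only cache,
    which does not know the delegation, can pass the query name itself."""
    accepted, rejected = [], []
    for rr in records:
        (accepted if in_bailiwick(rr.name, zone) else rejected).append(rr)
    return accepted, rejected


# Constructed sample: a reply to "www.example.org. A" that also carries an
# out-of-bailiwick NS record for the "org" TLD and an unrelated A record.
SAMPLE_REPLY = [
    RR("www.example.org.", "A", "192.0.2.10"),
    RR("example.org.", "NS", "ns1.example.org."),
    RR("org.", "NS", "ns.injected.example."),       # must not be cached
    RR("mail.example.com.", "A", "192.0.2.20"),     # must not be cached
]

if __name__ == "__main__":
    ok, bad = filter_reply(SAMPLE_REPLY, "example.org.")
    print("accepted:", [r.name for r in ok])
    print("rejected:", [r.name for r in bad])
```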
Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
>One question. Is BIND any better at preventing this type of attack?

As far as I know, this vulnerability is specific to the Windows DNS.

Makoto Shiotsuki
Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
Roger,

This is what I know about it, since no one else seems to be giving you more info...

> As described above, Windows DNS is vulnerable to the cache poisoning
> attack through the forwarder DNS server. This seems to be because Windows DNS
> blindly trusts replies from forwarder DNS and caches every resource
> record regardless of their domain.

The original vulnerability was the issue that Windows DNS server accepts records from unauthoritative sources. This was partially fixed with some registry setting (insanely off by default), but it turned out if Windows was using an upstream resolver (i.e. not going directly to the roots), then it was still vulnerable. This is the vulnerability which is specific to Windows DNS (though Symantec's also had it, I think).

For instance, if a Windows DNS cache asks for example.org, and receives records for example.org and org (TLD), then it will blindly believe it, under certain conditions. BIND does not do this, AFAIK, and neither does any correctly implemented DNS cache.

The attack described just now is that this vulnerability combined with the traditional "birthday" attack scenario allows another form of attack. The birthday attacks in general are still possible on any DNS server which doesn't randomize source ports, but may be more difficult to conduct than this new attack. (I'm not sure, I haven't run the numbers.)

Hope this clears it up. If you're interested in running a more secure DNS cache, try djbdns' dnscache.

tim

PS- Please correct me if I messed up any of the details on the Windows DNS vulnerability. This is all straight from memory... didn't double-check my sources.
RE: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
How does BIND stop this sort of attack? Can a BIND expert respond?

Roger

*
*Roger A. Grimes, InfoWorld, Security Columnist
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: [EMAIL PROTECTED] or [EMAIL PROTECTED]
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*

-----Original Message-----
From: Makoto Shiotsuki [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 17, 2007 12:31 PM
To: Roger A. Grimes
Cc: bugtraq@securityfocus.com
Subject: Re: Windows DNS Cache Poisoning by Forwarder DNS Spoofing

>One question. Is BIND any better at preventing this type of attack?

As far as I know, this vulnerability is specific to the Windows DNS.

Makoto Shiotsuki
RE: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
One question. Is BIND any better at preventing this type of attack?

Roger

*
*Roger A. Grimes, InfoWorld, Security Columnist
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: [EMAIL PROTECTED] or [EMAIL PROTECTED]
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*

-----Original Message-----
From: Makoto Shiotsuki [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 16, 2007 2:04 AM
To: bugtraq@securityfocus.com
Subject: Windows DNS Cache Poisoning by Forwarder DNS Spoofing

Windows DNS Cache Poisoning by Forwarder DNS Spoofing

2007.4.16
Makoto Shiotsuki <[EMAIL PROTECTED]>

Introduction
============

About two years ago, SANS Handler's Diary reported that Windows DNS server is vulnerable to the cache poisoning attack despite the "Secure cache against pollution" setting if it is configured to forward requests to the forwarder DNS server [1][2]. According to the Handler's Diary, this poisoning attack against Windows DNS would be successful in the case when the forwarder DNS server itself is vulnerable to the poisoning attack or the forwarder DNS server does not filter out the bogus records in the poisoning attack. So it is believed that using Bind9 as the forwarder is safe and protects the Windows DNS server from cache poisoning attacks through the forwarder.

But there seems to be another possible scenario, and in this case the possibility of a successful attack does not depend on the type or version of the forwarder DNS server. Therefore, the risk of the Windows DNS cache poisoning attack is higher than generally perceived. As far as I have tried, the DNS service of Windows Server 2003 SP2 still has this vulnerability.

Details
=======

As described above, Windows DNS is vulnerable to the cache poisoning attack through the forwarder DNS server. This seems to be because Windows DNS blindly trusts replies from forwarder DNS and caches every resource record regardless of their domain.

Windows DNS also has the characteristic that it is vulnerable to the DNS spoofing attack using the "birthday attack" [3]. By sending multiple simultaneous queries and forged replies to the Windows DNS server, an attacker can inject a spoofed reply relatively easily if its arrival is earlier than the reply from the legitimate DNS server.

Both of these are known vulnerabilities (or characteristics? ;) on Windows DNS, and each of them individually is not high risk because they require some preconditions to be successfully exploited. However, by executing the cache poisoning attack in conjunction with DNS spoofing, it will be a more effective attack and the risk will be higher than before.

Following is the scenario.

   +----------+     (1)Query          +----------+
   |          |  ------------------>  |          |
   |          |  ------------------>  |          |
   | Attacker |  ------------------>  | Windows  |
   |          |                       |   DNS    |
   |          |  ------------------>  |          |
   |          |  ------------------>  | (Victim) | (6)Poisoned!!
   |          |  ------------------>  |          |
   +----------+  (5)Answer(poisoning) +----------+
                                         |||
                                         ||| (2)Query
                                         |||
                                         vvv
   +----------+     (3)Query          +----------+
   |          |  <------------------  |          |
   |          |  <------------------  |          |
   | Attacker |  <------------------  | Forwarder|
   |   DNS    |                       |   DNS    |
   |          |                       |          |
   |          |  (4) no reply         |          |
   |          |                       |          |
   +----------+                       +----------+

1) Attacker sends multiple simultaneous recursive queries (e.g. 500 queries) to the Windows DNS server, resolving the name in the attacker's domain.

2) Windows DNS forwards those queries to the Forwarder DNS server.

3) Forwarder DNS sends queries to the Attacker DNS server to resolve the name.

4) Attacker DNS does not reply at all and Forwarder DNS waits for timeout.

5) Attacker sends multiple simultaneous replies (e.g. 500 replies) spoofing the Forwarder DNS IP address with random query IDs. Each reply includes forged resource records to poison the Windows DNS cache.

6) Windows DNS accepts a certain spoofed reply if its query ID matches one of the queries from the Windows DNS and finally Windows DNS
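To put numbers on the 500-query/500-reply scenario above and on the two mitigations discussed elsewhere in this thread (BIND 9 aggregating identical recursive queries, and Jinmei-san's source-port randomization patch), here is an added Python model; it is not part of the advisory. It assumes the in-flight queries carry distinct transaction IDs and that a randomized source port draws from the full 16-bit range.

```python
"""Spoofing-success probability for the advisory's scenario and the two
mitigations the thread mentions.  Added example for this discussion, not
code from the advisory or from any DNS implementation.

Model (assumptions): the victim has n outstanding queries for one name and
they carry n distinct transaction IDs; each of the m forged replies carries
an independent, uniformly random (ID[, port]) guess.  A forged reply then
matches some outstanding query with probability n/space, so
P(at least one match) = 1 - (1 - n/space)^m.
"""
import random

ID_SPACE = 1 << 16     # 16-bit DNS transaction ID
PORT_SPACE = 1 << 16   # assumption: full 16-bit random source port when randomized


def hit_probability(n_queries: int, m_replies: int, randomize_ports: bool) -> float:
    """Closed-form probability that at least one forged reply is accepted."""
    space = ID_SPACE * (PORT_SPACE if randomize_ports else 1)
    if n_queries >= space:
        return 1.0
    return 1.0 - (1.0 - n_queries / space) ** m_replies


def simulate(n_queries: int, m_replies: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of hit_probability for the ID-only (no port) case."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        # distinct IDs chosen by the victim for its n in-flight queries
        outstanding = set(rng.sample(range(ID_SPACE), n_queries))
        if any(rng.randrange(ID_SPACE) in outstanding for _ in range(m_replies)):
            hits += 1
    return hits / trials


def risk_table(n_queries: int = 500, m_replies: int = 500) -> dict:
    """The advisory's 500-query / 500-reply case under query aggregation
    (n -> 1, as the thread says BIND 9 does) and source-port randomization."""
    return {
        "no mitigation":           hit_probability(n_queries, m_replies, False),
        "aggregation only":        hit_probability(1, m_replies, False),
        "port randomization only": hit_probability(n_queries, m_replies, True),
        "both":                    hit_probability(1, m_replies, True),
    }


if __name__ == "__main__":
    for label, p in risk_table().items():
        print(f"{label:25s} P(success) = {p:.2e}")
    print("simulation, no mitigation:", simulate(500, 500, 2000))
```

Without either mitigation the model gives roughly a 98% chance that one of 500 forged replies is accepted; aggregating the 500 queries into one brings it down to under 1%, and randomizing the source port alone brings it below one in ten thousand.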