Dr. Joe and all, Thanks for your input and opinion. Most of it I fully agree with. Indeed true that this problem isn't DNS itself, but how NAT is using randomizing port use. I also agree to a degree that DNSSEC can be a problem and if not fully implemented properly, can, and likely will be a significant maintenance as well as administration problem. But that is not a DNSSEC problem unto itself. I've done several DNSSEC implementations that have low or no maintenance problems.
Joe Baptista wrote:
Just to make things clear.
1) The DNS is not the issue here. The issue is servers / firewall / NAT devices where the ports are not properly randomized for UDP. And the problems can be fixed.
2) This is not a new vulnerability. It's one vulnerability with many potential attack scenarios. I've considered that even authoritative servers can be exploited if one understands the attack vectors to deploy.
If people want to fix this the only real solution is to install a server that works - Bernstein's DNS server is the only one I would guarantee to clients works well for recursive and authoritative DNS. Separate servers - separate level of DNS services.
People who use recursive name servers for authoritative traffic are begging trouble to pay them a visit. i.e. you get your servers hijacked. And you won't even know it.
What pisses me off about Vixie is the shitty way he is using a very scary vulnerability - i.e. potentially 70% (or more) of the internet can be hijacked - to peddle his shabby wares - i.e. DNSSEC.
DNSSEC is nothing more than the Verisign/USG/IANA/ICANN disaster attempting a takeover of the root zone, or at least maintaining the status quo. Let us not forget that the Chinese now have a significant market share, then there was Turkey who I got online via the HEX, and the Arabs have been running their own roots for years, etc etc. So having lost over 30% market share in root service is not a success.
DNSSEC is nothing more than a trap that will delay us for a few months. It is also a significant inconvenience and will require an IT infrastructure devoted to its administration and maintenance. i.e. big expenses to all when the problem is and always has been the software - i.e. BIND and all its variants.
Fix the software - fix the problem today. Install DNSSEC - ensure a make work project for DNS experts - and increase IT expenses significantly.
anyway - that's my two cents.
regards joe baptista
On Wed, Jul 30, 2008 at 10:35 PM, Jeffrey A. Williams <jwkckid1@ix.netcom.com> wrote:
All,
As if one was not enough, eh! Well like I have been harping on, here is another that has finally been recognized that has been around for awhile as well...
Seems that the ISC hasn't fixed or reported this one either... >:(
Here also is a new tool for users or admins to check with:
https://www.dns-oarc.net/oarc/services/dnsentropy
08.31.22
CVE: CVE-2008-1447
Platform: Cross Platform
Title: Multiple Vendor DNS Protocol Insufficient Transaction ID Randomization DNS Spoofing
Description: Multiple vendors' implementations of the DNS protocol are exposed to a DNS-spoofing issue because the software fails to securely implement random values when performing DNS queries. Microsoft Windows DNS Clients and Servers, ISC BIND 8 and 9, and multiple Cisco IOS releases are affected.
Ref: http://www.securityfocus.com/archive/1/494716
Regards,
Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!) "Obedience of the law is the greatest freedom" - Abraham Lincoln
"Credit should go with the performance of duty and not with what is very often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL." United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04 CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of Information Network Eng. INEG. INC. ABA member in good standing member ID 01257402 E-Mail jwkckid1@ix.netcom.com My Phone: 214-244-4827
-- Joe Baptista www.publicroot.org PublicRoot Consortium ---------------------------------------------------------------- The future of the Internet is Open, Transparent, Inclusive, Representative & Accountable to the Internet community @large. ---------------------------------------------------------------- Office: +1 (360) 526-6077 (extension 052) Fax: +1 (509) 479-0084
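The thread's point is that a resolver can randomize its source ports and transaction IDs correctly and still be exposed if a NAT device in front of it rewrites those ports into a sequential or narrow range. The following is an added example, not code from this thread or from the DNS-OARC dnsentropy service linked above: given the source ports and TXIDs observed for a series of queries from one resolver (captured on the outside of the NAT), it rates their randomness the way an admin would want to before and after changing a firewall or NAT. The rating thresholds are this example's own assumptions, not OARC's.

```python
import statistics
from collections import Counter

def looks_sequential(values, tolerance=0.8):
    """True if most consecutive observations move by the same constant step
    (e.g. +1): the signature of a NAT handing out ports in order."""
    if len(values) < 3:
        return False
    deltas = [b - a for a, b in zip(values, values[1:])]
    _, freq = Counter(deltas).most_common(1)[0]
    return freq / len(deltas) >= tolerance

def rate_sample(values, bit_width=16):
    """Rate a sample of 16-bit ports or TXIDs as GREAT / GOOD / POOR.
    Thresholds are assumptions chosen for this example: a uniform 16-bit
    source has a standard deviation near 18900, so 8192 marks GREAT."""
    n = len(values)
    if n < 8:
        return "INSUFFICIENT", "need at least 8 observations"
    if looks_sequential(values):
        return "POOR", "values move by a constant step (sequential allocation)"
    distinct = len(set(values))
    if distinct / n < 0.5:
        return "POOR", f"only {distinct} distinct values in {n} observations"
    spread = max(values) - min(values)
    if spread < 2 ** (bit_width - 4):  # confined to under 1/16 of the space
        return "POOR", f"values confined to a span of {spread}"
    sd = statistics.pstdev(values)
    if sd >= 2 ** (bit_width - 3):
        return "GREAT", f"standard deviation {sd:.0f}"
    return "GOOD", f"standard deviation {sd:.0f}"

def rate_resolver(ports, txids):
    """Rate both fields; the weaker of the two decides the overall verdict."""
    order = {"INSUFFICIENT": 0, "POOR": 1, "GOOD": 2, "GREAT": 3}
    p, t = rate_sample(ports), rate_sample(txids)
    return {"ports": p, "txids": t, "overall": min(p[0], t[0], key=order.get)}

# Constructed samples, not real captures: a resolver that randomizes
# well, the same resolver behind a NAT that allocates ports in order,
# and a NAT that draws from a tiny pool.
RANDOMIZED = [53172, 9981, 60414, 27310, 41877, 15602,
              58890, 33091, 47725, 12044, 62001, 20487]
NAT_SEQUENTIAL = list(range(4096, 4108))
NAT_SMALL_POOL = [1051, 1027, 1088, 1033, 1096, 1040,
                  1064, 1029, 1077, 1055, 1090, 1044]

if __name__ == "__main__":
    print(rate_resolver(NAT_SEQUENTIAL, RANDOMIZED))
```

A resolver whose TXIDs rate GREAT but whose ports rate POOR after NAT is exactly the case the thread describes, and the fix is on the NAT or firewall, not in the DNS software.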