DNS vulnerability details now publicly available
If you run your own DNS server and haven’t patched yet – now would be the time to do so. The details of the previously mentioned vulnerability were inadvertently made publicly available earlier today.
Our previous assertion that dnsmasq in pfSense is not vulnerable was correct. We will be putting out a version with the updated dnsmasq, however this is just to protect from the possibility of a different attack in the future. With this particular issue there is no immediate need to update caching-only DNS servers including pfSense.
So what needs to be patched?
The server that issues recursive queries to your DNS requests. What server this is varies depending on your configuration. I’ll group into two categories.
pfSense DNS Forwarder Users
For those who use the DNS forwarder on pfSense for all internal DNS, the servers that need to be patched are your ISP’s. For dynamic IP connections, in a default configuration the servers assigned by your ISP will be used for recursive lookups. You can override this by entering servers on the System -> General Setup page and unchecking the “Allow DNS server list to be overridden by DHCP/PPP on WAN” box.
Users of Internal DNS Servers
You will need to make sure your internal DNS server is patched.
How can I tell if I’m vulnerable?
Visit DoxPara and click the “Check my DNS” button.
Fixing the Issue Without Relying on your ISP
You can easily fix this without relying on your ISP applying patches by using OpenDNS, a free DNS service that was never vulnerable to this issue in the first place. To use OpenDNS, just enter 22.214.171.124 and 126.96.36.199 for your DNS servers in the General Setup page, and uncheck the “Allow DNS server list to be overridden by DHCP/PPP on WAN” box. Click Save on that page, and re-test. You will see you are no longer vulnerable.
pfSense Will Not Make Your Patched Servers Vulnerable
Unlike numerous other firewall and NAT products including some big name commercial vendors, pfSense will not un-randomize the source ports on NATed traffic leaving you vulnerable. If you are using NAT on anything other than pfSense, make sure that device isn’t defeating the purpose of the DNS server patches by improperly rewriting. The DoxPara test will determine that.