DNS vulnerability details now publicly available

July 22nd, 2008 by Chris Buechler

If you run your own DNS server and haven’t patched yet – now would be the time to do so. The details of the previously mentioned vulnerability were inadvertently made publicly available earlier today.

Our previous assertion that dnsmasq in pfSense is not vulnerable was correct. We will be putting out a version with the updated dnsmasq; however, this is only to protect against the possibility of a different attack in the future. With this particular issue there is no immediate need to update caching-only DNS servers, including pfSense.

So what needs to be patched?
The server that issues recursive queries on behalf of your DNS requests. Which server this is varies depending on your configuration. I’ll group them into two categories.

pfSense DNS Forwarder Users
For those who use the DNS forwarder on pfSense for all internal DNS, the servers that need to be patched are your ISP’s. For dynamic IP connections, in a default configuration the servers assigned by your ISP will be used for recursive lookups. You can override this by entering servers on the System -> General Setup page and unchecking the “Allow DNS server list to be overridden by DHCP/PPP on WAN” box.

Users of Internal DNS Servers
You will need to make sure your internal DNS server is patched.

How can I tell if I’m vulnerable?
Visit DoxPara and click the “Check my DNS” button.

Fixing the Issue Without Relying on your ISP
You can easily fix this without relying on your ISP applying patches by using OpenDNS, a free DNS service that was never vulnerable to this issue in the first place. To use OpenDNS, just enter 208.67.222.222 and 208.67.220.220 for your DNS servers in the General Setup page, and uncheck the “Allow DNS server list to be overridden by DHCP/PPP on WAN” box. Click Save on that page, and re-test. You will see you are no longer vulnerable.

pfSense Will Not Make Your Patched Servers Vulnerable
Unlike numerous other firewall and NAT products, including some big name commercial vendors, pfSense will not un-randomize the source ports on NATed traffic and leave you vulnerable. If you are using NAT on anything other than pfSense, make sure that device isn’t defeating the purpose of the DNS server patches by improperly rewriting source ports. The DoxPara test will determine that.
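The DoxPara test is the authoritative check, but the same question can be answered from a packet capture taken on the WAN side of whatever device does your NAT: if the source ports of outbound DNS queries come out fixed or incrementing, the NAT is undoing the resolver’s randomization. The script below is an added example, not pfSense code or a tool from this post; it assumes tcpdump-style lines (the three captures are constructed, not real traffic) and applies a simple heuristic: one port is "fixed", small positive steps between consecutive queries is "sequential", a spread under 4096 is "narrow", anything else is treated as randomized. Run it against a real capture of at least eight queries to your upstream resolver on port 53.

```python
import re

# Constructed tcpdump-style lines (not real captures): outbound DNS queries
# as seen on the WAN side of a NAT device. Only the source port matters here.
GOOD_CAPTURE = [  # NAT preserves the resolver's random source ports
    "12:00:01.000100 IP 203.0.113.10.51234 > 198.51.100.5.53: 4421+ A? example.com. (29)",
    "12:00:01.000200 IP 203.0.113.10.33891 > 198.51.100.5.53: 4422+ A? example.net. (29)",
    "12:00:01.000300 IP 203.0.113.10.60007 > 198.51.100.5.53: 4423+ A? example.org. (29)",
    "12:00:01.000400 IP 203.0.113.10.41023 > 198.51.100.5.53: 4424+ A? example.edu. (29)",
    "12:00:01.000500 IP 203.0.113.10.5123 > 198.51.100.5.53: 4425+ A? example.info. (30)",
    "12:00:01.000600 IP 203.0.113.10.28888 > 198.51.100.5.53: 4426+ A? example.biz. (29)",
    "12:00:01.000700 IP 203.0.113.10.64001 > 198.51.100.5.53: 4427+ A? example.name. (30)",
    "12:00:01.000800 IP 203.0.113.10.17777 > 198.51.100.5.53: 4428+ A? example.test. (30)",
]
SEQUENTIAL_CAPTURE = [  # NAT rewrites ports to an incrementing counter
    f"12:00:02.000{i}00 IP 203.0.113.10.{1024 + i} > 198.51.100.5.53: {5000 + i}+ A? host{i}.example.com. (34)"
    for i in range(8)
]
FIXED_CAPTURE = [  # NAT collapses every query onto a single source port
    f"12:00:03.000{i}00 IP 203.0.113.10.1025 > 198.51.100.5.53: {6000 + i}+ A? host{i}.example.net. (34)"
    for i in range(8)
]

# Matches "IP <src>.<sport> > <dst>.53:" and captures the source port.
PORT_RE = re.compile(r"IP \d+(?:\.\d+){3}\.(\d+) > \d+(?:\.\d+){3}\.53:")


def extract_source_ports(lines):
    """Return the source ports of DNS queries in capture order."""
    ports = []
    for line in lines:
        match = PORT_RE.search(line)
        if match:
            ports.append(int(match.group(1)))
    return ports


def assess_port_randomization(ports, min_samples=8):
    """Classify observed source ports as fixed, sequential, narrow or randomized."""
    if len(ports) < min_samples:
        return {"verdict": "insufficient", "samples": len(ports)}
    distinct = len(set(ports))
    span = max(ports) - min(ports)
    steps = [later - earlier for earlier, later in zip(ports, ports[1:])]
    # A counter-style NAT shows small positive steps between consecutive queries.
    sequential = distinct > 1 and all(0 < step <= 2 for step in steps)
    if distinct == 1:
        verdict = "fixed"
    elif sequential:
        verdict = "sequential"
    elif span < 4096:
        verdict = "narrow"
    else:
        verdict = "randomized"
    return {"verdict": verdict, "samples": len(ports), "distinct": distinct, "span": span}


def check_capture(lines):
    """Convenience wrapper: parse the lines and return the assessment."""
    return assess_port_randomization(extract_source_ports(lines))


if __name__ == "__main__":
    for name, capture in (("good", GOOD_CAPTURE),
                          ("sequential", SEQUENTIAL_CAPTURE),
                          ("fixed", FIXED_CAPTURE)):
        print(name, check_capture(capture))
```

A "fixed" or "sequential" verdict means the device in front of your resolver is the problem, regardless of how well the resolver itself was patched; a "narrow" result is worth a second, larger sample before drawing conclusions.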

4 Responses to “DNS vulnerability details now publicly available”

  1. Beat Says:

    I feel a bit involved at least for the last paragraph. Seems like an abstract from recently discussed thread “[pfSense Support] DNS cache poisoning (solved)”

  2. Chris Buechler Says:

    Beat: Well it would be there with or without you. :) But yes, your situation did indeed further bring to light the need to be careful what is providing NAT in your environment. pf’s NAT is excellent from a security perspective – many, many other commercial and open source options are terrible about this and will leave you vulnerable to this particular attack as well as other possible issues in the future.

  3. Chris Buechler Says:

    Exploits are now widely available for this.
    http://blogs.zdnet.com/security/?p=1545

  4. Chris Buechler Says:

    Another explanation if anyone is interested
    http://www.avertlabs.com/research/blog/index.php/2008/07/23/the-cat-is-out-of-the-bag-dns-bug/
