 www.centos.org Forum Index CentOS 5 - General Support  BIND Configuration Gotcha
|
 Bottom  Previous Topic  Next Topic |
|
|
|
|
|---|
Topic options
Threaded
Newest First| Poster | Thread | Rated: 1 Votes |
|---|
|
BIND Configuration Gotcha | #1 |
|
|---|---|---|---|
|
Regular Board Member
 
Joined: 2006/2/16
From Worcester, UK
Posts: 124
|
Folks,
This is a follow-on from Tuesday's global DNS security update. The standard BIND configuration files distributed by RedHat (and CentOS, etc) have fixed source ports specified in named.conf (and named.caching-nameserver.conf). Any lines like query-source port 53; query-source-v6 port 53; need to be commented out or deleted so that forwarded DNS queries come from random ports. Something to watch out for if you install bind or caching-nameserver on any Linux box. You also need to make sure you have the updated selinux polices installed if you run selinux. Firewall rules for DNS would need adjusting if you'd locked the source port to port 53, too. Cheers, Phil |
||
Posted on: 2008/7/10 14:47
  |
 |
||
PRandal
|
Re: BIND Configuration Gotcha | #2 |
|
|---|---|---|---|
|
Moderator
Joined: 2006/9/3
From California, US
Posts: 5182
|
Thanks for posting this note. I'm sure this will help others running DNS.
|
||
Posted on: 2008/7/10 15:19
|
|
||
|
Re: BIND Configuration Gotcha | #3 |
|
|---|---|---|---|
|
Regular Board Member
Joined: 2006/2/16
From Worcester, UK
Posts: 124
|
According to
http://securosis.com/2008/07/09/more-on-the-dns-vulnerability/ this vulnerability is very serious. Without having to wait for Dan Kaminsky's Black Hat presentation it's impossible to tell how secure (or not) a patched BIND using a fixed port for forwarding is. His comments on the net suggest "not very". And as the default caching-nameserver config in RedHat / CentOS is to use a fixed source port, merely patching is NOT enough. Configs need changing too. |
||
Posted on: 2008/7/10 21:20
|
|
||
|
Re: BIND Configuration Gotcha | #4 |
|
|---|---|---|---|
|
Regular Board Member
Joined: 2006/2/16
From Worcester, UK
Posts: 124
|
Upstream have fixed the 5.x packages:
http://rhn.redhat.com/errata/RHSA-2008-0533.html "[Updated 10th July 2008] We have updated the Enterprise Linux 5 packages in this advisory. The default and sample caching-nameserver configuration files have been updated so that they do not specify a fixed query-source port. Administrators wishing to take advantage of randomized UDP source ports should check their configuration file to ensure they have not specified fixed query-source ports." |
||
Posted on: 2008/7/10 22:14
|
|
||
|
Re: BIND Configuration Gotcha | #5 |
|
|---|---|---|---|
|
Moderator
Joined: 2005/10/28
From UK
Posts: 2869
|
Thanks PRandal.
I guess the issue here really is that the updated packages won't replace existing config files, but will rather be created as .rpmnew so system admins will need to merge the new changes (comment out or remove static query-source port references) to effect port randomization. |
||
|
_________________
CentOS - The Sysadmins Choice ELRepo.org - The Community Enterprise Linux Repository |
|||
Posted on: 2008/7/10 22:56
|
|
||
|
Re: BIND Configuration Gotcha | #6 |
|
|---|---|---|---|
|
Regular Board Member
Joined: 2006/2/16
From Worcester, UK
Posts: 124
|
That's correct, but at least fresh installs of the updated packages will do the right thing.
And people will now be aware that manual intervention is necessary. |
||
Posted on: 2008/7/10 23:01
|
|
||
|
Re: BIND Configuration Gotcha | #7 |
|
|---|---|---|---|
|
Moderator
Joined: 2005/10/28
From UK
Posts: 2869
|
Thanks for flagging this up
 |
||
|
_________________
CentOS - The Sysadmins Choice ELRepo.org - The Community Enterprise Linux Repository |
|||
Posted on: 2008/7/10 23:16
|
|
||
|
Re: BIND Configuration Gotcha | #8 |
|
|---|---|---|---|
|
Moderator
Joined: 2005/10/28
From UK
Posts: 2869
|
I'm going to sticky this thread at the top of the forum for a while.
|
||
|
_________________
CentOS - The Sysadmins Choice ELRepo.org - The Community Enterprise Linux Repository |
|||
Posted on: 2008/7/11 7:36
|
|
||
|
Re: BIND Configuration Gotcha | #9 |
|
|---|---|---|---|
|
Moderator
Joined: 2005/10/28
From UK
Posts: 2869
|
Well, the cat is out of the bag on the DNS flaw:
http://addxorrol.blogspot.com/2008/07/on-dans-request-for-no-speculation.html and unfortunately not all vendors have patched against it yet, including many ISPs. Even if you don't run your own DNS or name-caching server, now is the time to test and take action if necessary. If you run a DNS or name-caching server: You should update it now and comment out the lines as indicated previously in this thread. Then restart the named service. Everyone should do the following: Test your DNS servers - this includes home users using their ISPs DNS servers. There is a test applet on Dan Kaminsky's site here (for example, my ISPs DNS servers are still showing as vulnerable): http://www.doxpara.com/ If it returns that your DNS servers are vulnerable then you should repoint to use OpenDNS's servers that are known to be safe. You can use OpenDNS's servers by entering their IP addresses for their servers in your /etc/resolv.conf file like so: http://www.opendns.com/ Additionally, if you use a dhcp/router to automatically assign network settings to clients, don't forget to also alter the DNS server settings in that too for the IP addresses of OpenDNS's servers. |
||
|
_________________
CentOS - The Sysadmins Choice ELRepo.org - The Community Enterprise Linux Repository |
|||
Posted on: 2008/7/22 20:36
|
|
||
|
Re: BIND Configuration Gotcha | #10 |
|
|---|---|---|---|
|
Regular Board Member
Joined: 2006/2/16
From Worcester, UK
Posts: 124
|
Folks,
This is now an urgent "patch yesterday" situation. Exploit code has been released. http://blogs.zdnet.com/security/?p=1546 Cheers, Phil |
||
Posted on: 2008/7/24 7:36
|
|
||
|
Re: BIND Configuration Gotcha | #11 |
|
|---|---|---|---|
|
Professional Board Member
Joined: 2006/4/20
From Montreal/QC
Posts: 1759
|
It seems serious, but how are we all affected?
Cache poisoning occurs if server is accepting requests from untrusted users. (At least this is my understanding) So to be vulnerable you should have untrusted users in your network or point to vulnerable servers. Also as mentioned before even the patch from REDHAT requires manual change in the settings to allow source port randomization. So what exactly is the patch?! Should we just change the configuration? Another problem arises if DNS server is behind stateless firewall allowing only port 53 connections to the server in that case source port randomization cannot be used. Am I wrong? Maybe someone more knowledgeable will put some light. |
||
|
_________________
Hope this helps, ----------------------------------- FoxB -- http://hbcom.info --------- http://blog.hbcom.info ----------------------------------- |
|||
Posted on: 2008/7/27 15:00
|
|
||
|
Re: BIND Configuration Gotcha | #12 |
|
|---|---|---|---|
|
Professional Board Member
Joined: 2005/12/19
From /earth/usa/nj (UTC-5)
Posts: 1313
|
There is a “plain language” description of the problem issued by the United States Computer Emergency Readiness Team (US-CERT) located here:
Vulnerability Note VU#800113 Quote: ...Caching DNS resolvers are primarily at risk--both those that are open (a DNS resolver is open if it provides recursive name resolution for clients outside of its administrative domain), and those that are not... The Description Section is a must-read for anyone running an unpatched bind nameserver or still restricting outbound queries to port 53, which was previously the default configuration. Please note that this problem does NOT involve accepting inbound queries over port 53, which are no more or less safe than before. Think of all of those unpatched RHL9-based nameservers running out there. US-CERT is the operational arm of the National Cyber Security Division (NCSD) at the US Department of Homeland Security (DHS). |
||
Posted on: 2008/7/27 18:40
|
|
||
|
Re: BIND Configuration Gotcha | #13 |
|
|---|---|---|---|
|
Moderator
Joined: 2005/10/28
From UK
Posts: 2869
|
Quote:
No, it's easy to get your users to generate requests - just send them an html email with lots of embedded images linked to fake sub-domains. Quote:
No, you must patch AND alter the config to ensure the source port for outgoing queries isn't limited to port 53, but is randomized. The original version of named didn't support port randomization (hence the patch) and the patched version will still use your original (old) config file that has the source port locked to port 53 hence the need to edit your config file too. Quote:
We're talking randomization of the SOURCE port for OUTGOING (recursive) requests, not the destination port for incoming requests |
||
|
_________________
CentOS - The Sysadmins Choice ELRepo.org - The Community Enterprise Linux Repository |
|||
Posted on: 2008/7/27 18:52
|
|
||
|
Re: BIND Configuration Gotcha | #14 |
|
|---|---|---|---|
|
Professional Board Member
Joined: 2006/4/20
From Montreal/QC
Posts: 1759
|
Quote:
Continuing to read the same paper Quote:
NetSlider@ Requests coming from e-mail should also contain the poisoning... and if this is a case you have more to worry than only DNS. .... Or maybe I misunderstand the way the whole vulnerability works. I won't argue with you guys .... just wanted to know more.  |
||
|
_________________
Hope this helps, ----------------------------------- FoxB -- http://hbcom.info --------- http://blog.hbcom.info ----------------------------------- |
|||
Posted on: 2008/7/27 23:43
|
|
||
|
Re: BIND Configuration Gotcha | #15 |
|
|---|---|---|---|
|
Moderator
Joined: 2005/10/28
From UK
Posts: 2869
|
Quote:
That's cool - I'm still improving my own understanding. The way I understand it, it is harder to attack a DNS server with restricted access because unless I have access to query a server I can't know when a query is performed so that makes it harder for me to fake a response (or rather know when to fake a response) in order to beat the legitimate response. I suspect initial attacks will be successful against open servers or on networks where a host has been compromised. Then the attacker can instigate a query and flood faked responses in the hope of guessing the random TXID before the legitimate response arrives. It's a numbers game - you have a 1 in 65,536 chance of getting it right but you can probably get a couple thousand responses back over a fast connection before you lose reducing the odds to around 1 in 50. Play long enough and sooner or later you will win one (some estimates say as little as 10 seconds). Adding source port randomization increases the odds to 1 in ~4.2 billion greatly reducing the risk although not eliminating it completely. |
||
|
_________________
CentOS - The Sysadmins Choice ELRepo.org - The Community Enterprise Linux Repository |
|||
Posted on: 2008/7/28 0:47
|
|
||
|
Re: BIND Configuration Gotcha | #16 |
|
|---|---|---|---|
|
Professional Board Member
Joined: 2005/12/19
From /earth/usa/nj (UTC-5)
Posts: 1313
|
One indication of the seriousness of this problem is that it was featured on the front page of the New York Times today:
With Security at Risk, a Push to Patch the Web Quote: ...roughly 41 percent of the Internet is still vulnerable... |
||
Posted on: 2008/7/30 17:06
|
|
||
|
Re: BIND Configuration Gotcha | #17 |
|
|---|---|---|---|
|
Professional Board Member
Joined: 2005/12/19
From /earth/usa/nj (UTC-5)
Posts: 1313
|
...and today, I see that CNN has picked it up:
Hackers create fake sites through Internet flaw Quote: ...More details about the vulnerability are expected to emerge Wednesday, when Kaminsky speaks at the Black Hat computer security conference in Las Vegas... |
||
Posted on: 2008/8/6 17:33
|
|
||
 Top Previous Topic Next Topic |
 |
|
You cannot start a new topic.
You can view topic.