Re: [ga] Notice: Another DNS security hole recognized
- To: Ga <ga@xxxxxxxxxxxxxx>
- Subject: Re: [ga] Notice: Another DNS security hole recognized
- From: "Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>
- Date: Wed, 30 Jul 2008 23:18:49 -0700
Dr. Joe and all,
Thanks for your input and opinion. Most of it I fully agree with.
Indeed true that this problem isn't DNS itself, but how NAT is
using randomizing port use.
I also agree to a degree that DNSSEC can be a problem and, if not
fully implemented properly, can, and likely will, be a significant
maintenance as well as administration problem. But that is not
a DNSSEC problem unto itself. I've done several DNSSEC
implementations that have low or no maintenance problems.
Joe Baptista wrote:
> Just to make things clear.
>
> 1) The DNS is not the issue here. The issue is servers / firewall /
> NAT devices where the ports are not properly randomized for UDP. And
> the problems can be fixed.
>
> 2) This is not a new vulnerability. It's one vulnerability with many
> potential attack scenarios. I've considered that even authoritative
> servers can be exploited if one understands the attack vectors to
> deploy.
>
> If people want to fix this the only real solution is to install a
> server that works - Bernstein's DNS server is the only one I would
> guarantee to clients works well for recursive and authoritative DNS.
> Separate servers - separate level of DNS services.
>
> People who use recursive name servers for authoritative traffic are
> begging trouble to pay them a visit. i.e. you get your servers
> hijacked. And you won't even know it.
>
> What pisses me off about Vixie is the shitty way he is using a very
> scary vulnerability - i.e. potentially 70% (or more) of the internet
> can be hijacked - to peddle his shabby wares - i.e. DNSSEC.
>
> DNSSEC is nothing more than the Verisign/USG/IANA/ICANN disaster
> attempting a takeover of the root zone, or at least maintaining the
> status quo. Let us not forget that the Chinese now have a
> significant market share, then there was Turkey who I got online via
> the HEX, and the Arabs have been running their own roots for years,
> etc etc. So having lost over 30% market share in root service is not
> a success.
>
> DNSSEC is nothing more than a trap that will delay us for a few
> months. It is also a significant inconvenience and will require an IT
> infrastructure devoted to its administration and maintenance. i.e.
> big expenses to all when the problem is and always has been the
> software - i.e. BIND and all its variants.
>
> Fix the software - fix the problem today. Install DNSSEC - ensure a
> make work project for DNS experts - and increase IT expenses
> significantly.
>
> anyway - that's my two cents.
>
> regards
> joe baptista
>
>
> On Wed, Jul 30, 2008 at 10:35 PM, Jeffrey A. Williams <jwkckid1@xxxxxxxxxxxxx> wrote:
>
>
> All,
>
> As if one was not enough, eh! Well like I have been harping
> on, here is another that has finally been recognized that has
> been around for awhile as well...
>
> Seems that the ISC hasn't fixed or reported this one either... >:(
>
> Here also is a new tool for users or admins. to check with:
>
> https://www.dns-oarc.net/oarc/services/dnsentropy
>
>
> 08.31.22 CVE: CVE-2008-1447
> Platform: Cross Platform
> Title: Multiple Vendor DNS Protocol Insufficient Transaction ID
> Randomization DNS Spoofing
> Description: Multiple vendors' implementations of the DNS protocol are
> exposed to a DNS-spoofing issue because the software fails to securely
> implement random values when performing DNS queries. Microsoft Windows
> DNS Clients and Servers, ISC BIND 8 and 9, and multiple Cisco IOS
> releases are affected.
> Ref: http://www.securityfocus.com/archive/1/494716
>
>
> Regards,
>
> Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
> "Obedience of the law is the greatest freedom" - Abraham Lincoln
>
> "Credit should go with the performance of duty and not with what is
> very often the accident of glory" - Theodore Roosevelt
>
> "If the probability be called P; the injury, L; and the burden, B;
> liability depends upon whether B is less than L multiplied by
> P: i.e., whether B is less than PL."
> United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947]
> ==============================================================
> Updated 1/26/04
> CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
> div. of Information Network Eng. INEG. INC.
> ABA member in good standing member ID 01257402 E-Mail jwkckid1@xxxxxxxxxxxxx
> My Phone: 214-244-4827
>
> --
> Joe Baptista
> www.publicroot.org
> PublicRoot Consortium
> ----------------------------------------------------------------
> The future of the Internet is Open, Transparent, Inclusive,
> Representative & Accountable to the Internet community @large.
> ----------------------------------------------------------------
> Office: +1 (360) 526-6077 (extension 052)
> Fax: +1 (509) 479-0084
>
>
Regards,
Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
Abraham Lincoln
"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@xxxxxxxxxxxxx
My Phone: 214-244-4827
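The advisory quoted in this thread (CVE-2008-1447) is about resolvers, firewalls and NAT devices that send queries from a fixed source port or with predictable transaction IDs. The following is an added example, not code from the thread, from ISC, or from the DNS-OARC entropy service it links to: a small defender-side check, in the spirit of that service, that takes the (source port, TXID) pairs a resolver was observed to use and reports whether they look randomized. The two sample resolvers and the 90% / 10% thresholds are constructed assumptions for illustration.

```python
import math
import random
from collections import Counter


def shannon_bits(values):
    """Empirical Shannon entropy of a sample, in bits."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def sequential_fraction(values, modulus=1 << 16):
    """Share of consecutive pairs where the next value is previous + 1 (mod 2^16)."""
    pairs = list(zip(values, values[1:]))
    if not pairs:
        return 0.0
    return sum((a + 1) % modulus == b for a, b in pairs) / len(pairs)


def assess(records, max_sequential=0.1):
    """records: list of (source_port, txid) seen in a resolver's outgoing queries.

    A sample of n draws from a uniform 16-bit space shows close to log2(n)
    bits of empirical entropy, so we require 90% of that and at most 10%
    sequential steps (both thresholds are assumptions of this example).
    """
    ports = [p for p, _ in records]
    txids = [t for _, t in records]
    min_bits = 0.9 * math.log2(len(records))
    result = {}
    for name, vals in (("port", ports), ("txid", txids)):
        bits, seq = shannon_bits(vals), sequential_fraction(vals)
        result[f"{name}_bits"] = bits
        result[f"{name}_sequential"] = seq
        result[f"{name}_ok"] = bits >= min_bits and seq <= max_sequential
    return result


# Constructed samples (not captured traffic), 200 queries each.
_rng = random.Random(2008)
# Resolver A: one fixed source port and a TXID that counts up per query.
BAD_RECORDS = [(1053, (0x1000 + i) & 0xFFFF) for i in range(200)]
# Resolver B: ephemeral port and TXID drawn independently at random.
GOOD_RECORDS = [(_rng.randrange(1024, 65536), _rng.randrange(65536)) for _ in range(200)]

if __name__ == "__main__":
    for label, recs in (("A", BAD_RECORDS), ("B", GOOD_RECORDS)):
        print(label, assess(recs))
```

On real data the records would come from a packet capture of the resolver's queries toward the upstream side, taken on the outside of any NAT so that port rewriting by the NAT is included in what is measured.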