ICANN/GNSO GNSO Email List Archives


Re: [ga] Notice: Another DNS security hole recognized

  • To: Ga <ga@xxxxxxxxxxxxxx>
  • Subject: Re: [ga] Notice: Another DNS security hole recognized
  • From: "Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>
  • Date: Wed, 30 Jul 2008 23:18:49 -0700

Dr. Joe and all,

  Thanks for your input and opinion.  Most of it I fully agree with.
Indeed true that this problem isn't DNS itself, but how NAT is
using randomizing port use.

  I also agree to a degree that DNSSEC can be a problem and if not
fully implemented properly, can, and likely will be, a significant
maintenance as well as administration problem.  But that is not
a DNSSEC problem unto itself.  I've done several DNSSEC
implementations that have low or no maint problems.

Joe Baptista wrote:

> Just to make things clear.
>
> 1) The DNS is not the issue here.  The issue is servers / firewall /
> NAT devices where the ports are not properly randomized for UDP.  And
> the problems can be fixed.
>
> 2) This is not a new vulnerability.  It's one vulnerability with many
> potential attack scenarios.  I've considered that even authoritative
> servers can be exploited if one understands the attack vectors to
> deploy.
>
> If people want to fix this the only real solution is to install a
> server that works - Bernstein's DNS server is the only one I would
> guarantee to clients works well for recursive and authoritative DNS.
> Separate servers - separate level of DNS services.
>
> People who use recursive name servers for authoritative traffic are
> begging trouble to pay them a visit.  i.e. you get your servers
> hijacked.   And you won't even know it.
>
> What pisses me off about Vixie is the shitty way he is using a very
> scary vulnerability - i.e. potentially 70% (or more) of the internet
> can be hijacked - to peddle his shabby wares - i.e. DNSSEC.
>
> DNSSEC is nothing more than the Verisign/USG/IANA/ICANN disaster
> attempting a takeover of the root zone, or at least maintaining the
> status quo.   Let us not forget that the Chinese now have a
> significant market share, then there was Turkey who I got online via
> the HEX, and the Arabs have been running their own roots for years,
> etc etc.  So having lost over 30% market share in root service is not
> a success.
>
> DNSSEC is nothing more than a trap that will delay us for a few
> months.  It is also a significant inconvenience and will require an IT
> infrastructure devoted to its administration and maintenance.  i.e.
> big expenses to all when the problem is and always has been the
> software - i.e. BIND and all its variants.
>
> Fix the software - fix the problem today.  Install DNSSEC - ensure a
> make work project for DNS experts - and increase IT expenses
> significantly.
>
> anyway - that's my two cents.
>
> regards
> joe baptista
>
>
> On Wed, Jul 30, 2008 at 10:35 PM, Jeffrey A. Williams <jwkckid1@xxxxxxxxxxxxx> wrote:
>
>
>      All,
>
>       As if one was not enough, eh!  Well like I have been harping
>      on, here is another that has finally been recognized that has
>      been around for awhile as well...
>
>       Seems that the ISC hasn't fixed or reported this one
>      either... >:(
>
>       Here also is a new tool for users or admins. to check with:
>
>      https://www.dns-oarc.net/oarc/services/dnsentropy
>
>      08.31.22 CVE: CVE-2008-1447
>      Platform: Cross Platform
>      Title: Multiple Vendor DNS Protocol Insufficient Transaction ID
>      Randomization DNS Spoofing
>      Description: Multiple vendors' implementations of the DNS
>      protocol are exposed to a DNS-spoofing issue because the
>      software fails to securely implement random values when
>      performing DNS queries.  Microsoft Windows DNS Clients and
>      Servers, ISC BIND 8 and 9, and multiple Cisco IOS releases
>      are affected.
>      Ref: http://www.securityfocus.com/archive/1/494716
>
>      Regards,
>
>      Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
>      "Obedience of the law is the greatest freedom" -
>        Abraham Lincoln
>
>      "Credit should go with the performance of duty and not with
>      what is very often the accident of glory" - Theodore Roosevelt
>
>      "If the probability be called P; the injury, L; and the
>      burden, B; liability depends upon whether B is less than L
>      multiplied by P: i.e., whether B is less than PL."
>      United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
>      ===============================================================
>      Updated 1/26/04
>      CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
>      div. of Information Network Eng.  INEG. INC.
>      ABA member in good standing member ID 01257402 E-Mail
>      jwkckid1@xxxxxxxxxxxxx
>      My Phone: 214-244-4827
>
> --
> Joe Baptista
> www.publicroot.org
> PublicRoot Consortium
> ----------------------------------------------------------------
> The future of the Internet is Open, Transparent, Inclusive,
> Representative & Accountable to the Internet community @large.
> ----------------------------------------------------------------
> Office: +1 (360) 526-6077 (extension 052)
> Fax: +1 (509) 479-0084
>
>
Regards,

Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@xxxxxxxxxxxxx
My Phone: 214-244-4827
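The thread above turns on one point: a resolver whose queries leave with a predictable source port (a NAT that rewrites ports sequentially, or a server that always sends from port 53) is left with only the 16-bit transaction ID as protection against forged answers, which is the CVE-2008-1447 condition the quoted advisory describes. The script below is an added example, not code from this list, from ISC, or from DNS-OARC; it is modelled loosely on the kind of check the dnsentropy service linked above performs, but the heuristic, the 12-bit "good port" threshold and the three sample captures are all constructed for illustration. It takes a short sequence of (source port, transaction ID) pairs as a capture point on the Internet side of the resolver would see them and reports how many bits of unpredictability each field actually contributes, so a NAT that quietly de-randomizes ports shows up as a port field worth 0 bits even though the resolver itself is patched.

```python
import math
from typing import Dict, Sequence, Tuple

# Constructed samples (NOT real captures): (source port, transaction ID) of
# successive outgoing queries as seen from the Internet side of the resolver.
RANDOMIZED = [
    (41237, 0x1A2B), (5062, 0x7F01), (60131, 0x0C44), (17790, 0xE9A3),
    (33415, 0x55D2), (52006, 0x3B90), (9817, 0xA17E), (44522, 0x0F0F),
    (28903, 0xC8C8), (63250, 0x6E12), (2049, 0x9D4B), (38174, 0x2D77),
]
# The same patched resolver behind a NAT that rewrites source ports as a
# counter: transaction IDs stay random, the port no longer adds anything.
BEHIND_NAT = [(1025 + i, txid) for i, (_, txid) in enumerate(RANDOMIZED)]
# Legacy behaviour: every query sent from port 53.
FIXED_PORT = [(53, txid) for _, txid in RANDOMIZED]


def sequential_fraction(values: Sequence[int]) -> float:
    """Fraction of consecutive samples that differ by exactly +1 (counter-like)."""
    deltas = [b - a for a, b in zip(values, values[1:])]
    return sum(1 for d in deltas if d == 1) / len(deltas)


def estimate_bits(values: Sequence[int]) -> float:
    """Rough unpredictability, in bits, of one 16-bit field from a short sample.

    Heuristic (an assumption of this example, not a published algorithm):
    a constant or counter-like field is treated as fully predictable (0 bits);
    otherwise the spread of the observed values bounds the entropy from above,
    capped at the 16 bits a port or transaction ID can carry at most.
    """
    if len(values) < 2:
        raise ValueError("need at least two samples to judge a field")
    if len(set(values)) == 1 or sequential_fraction(values) >= 0.5:
        return 0.0
    span = max(values) - min(values) + 1
    return min(16.0, math.log2(span))


def assess(sample: Sequence[Tuple[int, int]]) -> Dict[str, float]:
    """Bits contributed by the port, by the transaction ID, and in total."""
    ports = [p for p, _ in sample]
    txids = [t for _, t in sample]
    port_bits = estimate_bits(ports)
    txid_bits = estimate_bits(txids)
    return {
        "port_bits": round(port_bits, 1),
        "txid_bits": round(txid_bits, 1),
        "total_bits": round(port_bits + txid_bits, 1),
    }


def verdict(sample: Sequence[Tuple[int, int]]) -> str:
    """'OK' only when the port adds real entropy on top of the transaction ID.

    The 12-bit minimum per field is a threshold chosen for this example.
    """
    a = assess(sample)
    return "OK" if a["port_bits"] >= 12 and a["txid_bits"] >= 12 else "WEAK"


if __name__ == "__main__":
    cases = [("randomized", RANDOMIZED), ("behind NAT", BEHIND_NAT),
             ("fixed port 53", FIXED_PORT)]
    for name, sample in cases:
        print(f"{name:14} {assess(sample)} -> {verdict(sample)}")
```

Run against a real capture, the input would be the port/ID pairs of your own resolver's outgoing queries taken outside the NAT or firewall; a "WEAK" result with a patched resolver points at the middlebox, which is the situation the posts above argue about.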



