Jul 23, 2008

"Dig" Your Resolver Source Port Behavior

Recently, CERT VU#800113 announced a new DNS vulnerability that affects almost all DNS vendors (one exception is DJBdns). The root cause is that resolvers should use random source ports when sending queries, and most did not: with a fixed source port an attacker only has to guess the 16-bit transaction ID to forge an answer. At OARC there is a specially crafted DNS name and server that you can query to learn whether or not your own resolver is using random ports.

$ dig @ns1.example.net +short porttest.dns-oarc.net TXT
(Replace ns1.example.net with the resolver you want to test, or leave out the @ argument to test the resolver configured on your host.) You should get back an answer that looks like this:

z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"169.254.0.1 is FAIR: 26 queries in 0.1 seconds from 25 ports with std dev 3843.00"
Your resolver's randomness will be rated either GOOD, FAIR, or POOR, based on the standard deviation of observed source ports. In order to receive a GOOD rating, the standard deviation must be at least 10,000. For FAIR it must be at least 3,000. Anything less is POOR. The best standard deviation you can expect to see from 26 queries is in the 18,000-20,000 range.

DNS records used in this test are given 60 second TTLs. To repeat the test you should wait at least 60 seconds.

>>> https://www.dns-oarc.net/oarc/services/porttest
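The same rating can be reproduced offline. The script below is an added example, not code from OARC or from the original post: it applies the GOOD/FAIR/POOR thresholds quoted above to a list of observed source ports, parses the TXT answer porttest returns, and samples the local OS ephemeral-port allocator (what a stub resolver on the host would get). Using the population standard deviation is an assumption, since OARC's exact formula is not shown here; the sample port lists are constructed.

```python
"""Rate DNS resolver source-port randomness the way porttest.dns-oarc.net does.

Added example (not OARC's code). Thresholds are the ones quoted in the post;
population std dev is an assumption, the service's exact formula is not shown.
"""
import re
import socket
import statistics
from typing import Dict, Iterable, List, Tuple

GOOD_MIN_STDDEV = 10_000.0   # GOOD needs std dev >= 10,000
FAIR_MIN_STDDEV = 3_000.0    # FAIR needs >= 3,000; anything less is POOR

# Matches the TXT answer format quoted in the post, e.g.
# "169.254.0.1 is FAIR: 26 queries in 0.1 seconds from 25 ports with std dev 3843.00"
_ANSWER_RE = re.compile(
    r'^"?(?P<ip>[0-9a-fA-F.:]+) is (?P<rating>GOOD|FAIR|POOR): '
    r'(?P<queries>\d+) queries in (?P<seconds>[\d.]+) seconds from '
    r'(?P<ports>\d+) ports with std dev (?P<stddev>[\d.]+)"?$'
)


def rate_ports(ports: Iterable[int]) -> Tuple[str, float, int]:
    """Rate a list of observed UDP source ports.

    Returns (rating, std_dev, distinct_ports). A resolver that reuses a single
    port scores a std dev of 0 and POOR: the attacker then only has to guess
    the 16-bit transaction ID. Sequential ports also score POOR, because they
    are just as predictable even though they are all distinct.
    """
    observed = list(ports)
    if len(observed) < 2:
        raise ValueError("need at least two observations to rate randomness")
    std_dev = statistics.pstdev(observed)  # assumption: population std dev
    if std_dev >= GOOD_MIN_STDDEV:
        rating = "GOOD"
    elif std_dev >= FAIR_MIN_STDDEV:
        rating = "FAIR"
    else:
        rating = "POOR"
    return rating, std_dev, len(set(observed))


def parse_porttest_answer(txt: str) -> Dict[str, object]:
    """Parse the TXT string porttest returns (the second line of +short output)."""
    m = _ANSWER_RE.match(txt.strip())
    if not m:
        raise ValueError(f"unrecognised porttest answer: {txt!r}")
    return {
        "ip": m.group("ip"),
        "rating": m.group("rating"),
        "queries": int(m.group("queries")),
        "seconds": float(m.group("seconds")),
        "ports": int(m.group("ports")),
        "stddev": float(m.group("stddev")),
    }


def sample_local_ephemeral_ports(count: int = 26) -> List[int]:
    """Bind `count` UDP sockets to port 0 and record the ports the OS hands out.

    This checks the local ephemeral-port allocator (what a stub resolver on this
    host gets), not an upstream recursive server; use porttest for that. Sockets
    stay open until all are sampled so ports are not recycled between binds.
    """
    socks: List[socket.socket] = []
    ports: List[int] = []
    try:
        for _ in range(count):
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.bind(("127.0.0.1", 0))
            socks.append(s)
            ports.append(s.getsockname()[1])
    finally:
        for s in socks:
            s.close()
    return ports


if __name__ == "__main__":
    # Constructed samples: a resolver stuck on one port, then one walking up sequentially.
    print(rate_ports([53] * 26))
    print(rate_ports(range(1024, 1050)))
    print(parse_porttest_answer(
        '"169.254.0.1 is FAIR: 26 queries in 0.1 seconds from 25 ports with std dev 3843.00"'))
    rating, sd, distinct = rate_ports(sample_local_ephemeral_ports())
    print(f"local ephemeral ports: {rating} (std dev {sd:.2f}, {distinct} distinct)")
```

Note that a NAT device between the sampled host and the Internet can rewrite the source port again, so a GOOD result from the local allocator says nothing about what the far end sees; only the porttest answer measures that.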

Quick take away:
  • Patch your DNS servers ASAP.
  • Disabling recursion on nameservers that do not need it (authoritative-only servers) reduces the attack surface.
  • Using TLS (e.g. HTTPS) reduces the impact of cache poisoning, because a client sent to a spoofed host will fail certificate validation.
Notes:
  • It only takes 5~10 seconds to poison the cache.
  • A recursive server behind a NAT gateway is a special case: a good caching nameserver hidden behind a firewall or NAT device that rewrites source ports has its port randomisation undone, and is vulnerable again even after patching.
  • Nameservers that are authoritative only are not vulnerable.
  • Setting a high TTL on your authoritative zone won't keep vulnerable resolvers from being poisoned.
  • DNS clients (the stub resolvers running on most workstations/servers, which forward queries to upstream nameservers) need to be patched too.
  • Exploit and patch are available for download now.
References: