Skip navigation

Tag Archives: Domain Name System

In a recently aired episode of Security Now, episode # 163 GoogleUpdate & DNS Security. He talks about, in great detail about a type on DNS in some parts of the world ow being offered now. The DNS is more secure and every site is signed with keys. Only problem is that low performance and uses up to much bandwidth. Also this way is easyer to do an DDOS (Denial-of-service attack) This attack suts down a server or in this case a DNS.

“A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted, malevolent efforts of a person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even DNS root servers.”

http://en.wikipedia.org/wiki/Ddos

another quote from wikipedia for someone who wants mor detail on DNSSEC is ”

The Domain Name System Security Extensions (DNSSEC) are a suite of IETF specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers):

  • Origin authentication of DNS data
  • Data integrity
  • Authenticated denial of existence

It is widely believed that deploying DNSSEC is critically important for securing the Internet as a whole, but deployment has been hampered by the difficulty of:

  1. Devising a backward-compatible standard that can scale to the size of the Internet
  2. Preventing “zone enumeration” (see below) where desired
  3. Deploying DNSSEC implementations across a wide variety of DNS servers and resolvers (clients)
  4. Disagreement among key players over who should own the .com (etc) root keys
  5. Overcoming the perceived complexity of DNSSEC and DNSSEC deployment”

http://en.wikipedia.org/wiki/DNSSEC

Steve talked about that the main domains have to all agree on this and implement it for it to work so they can be a party to sign a key, to confirm that site you are on is the site you want to be on not a fake site that has changed the url or infected you PC or even the DNS. So if all the party’s agree it will be confirmed that the site you are on is the one you want.

For more info on DNS if you don’t even know what a DNS is go to:

http://en.wikipedia.org/wiki/Domain_name_system

or read a small part of the site that might solve your answer.

“The Domain Name System (DNS) is a hierarchical naming system for computers, services, or any resource participating in the Internet. It associates various information with domain names assigned to such participants. Most importantly, it translates humanly meaningful domain names to the numerical (binary) identifiers associated with networking equipment for the purpose of locating and addressing these devices world-wide.

An often used analogy to explain the Domain Name System is that it serves as the “phone book” for the Internet by translating human-friendly computer hostnames into IP addresses. For example, www.example.com translates to 208.77.188.166.”

Like I said the fallowing in “quotes” is from the site http://en.wikipedia.org/wiki/Domain_name_system.

For more info on DNSSEC go to the links I provided or go to: http://www.dnssec.net/.

Be safe, and secure on the web, with out it we wont have “E-bay” (http://www.ebay.com/)or “Amazon” (http://www.amazon.com/) LOL :).

Advertisements

DNS patching during the critical time from July 7th, 2008 to August 3rd, 2008:

http://www.youtube.com/watch?v=Ff5WBDOwueI

Dan Kaminsky on the DNS Bug of 2008

http://www.youtube.com/watch?v=B0dHDD9fFM4&NR=1

DNS ATTACK!!!!!!! Hackers move first, in this war game of chess, We failed to hear the warning of Dan Kaminsky, but OpenDNS and BIND and don’t forget the smart ISP’s that took the FREE patch won the battle well stood up atleast and the customers of the ISP’s never knew what happned…Triumphed.

Exploit required to send more than 130 thousand of requests for the fake records like 131737-4795-15081.blah.com to be able to match port and ID and insert poisoned entry for the poisoned_dns.blah.com.”

“BIND used fully randomized source port range, i.e. around 64000 ports. Two attacking servers, connected to the attacked one via GigE link, were used, each one attacked 1-2 ports with full ID range. Usually attacking server is able to send about 40-50 thousands fake replies before remote server returns the correct one, so if port was matched probability of the successful poisoning is more than 60%.

Attack took about half of the day, i.e. a bit less than 10 hours.
So, if you have a GigE lan, any trojaned machine can poison your DNS during one night…” -tservice.net.ru

If you want more info listen to Steve Gibson talk about it in episode Security Now! Episode #157. DON’T FORGET TO READ MY POST ON Test your DNS NOW!!! and DNS Servers, The ISP Will not update!. For MORE INFO.

Do you think your DNS Server is compromise you can do two things.

1.You can check if your DNS Server is OK at a few sites:

http://member.dnsstuff.com/tools/vu800113.php

http://entropy.dns-oarc.net/test/ (This on takes a few times just refresh the page about 5-7 times)

http://www.doxpara.com/ (Dan Kaminsky Security Blog)

https://www.grc.com/dns (Steve Gibsons DNS Nameserver Spoofability Test)

2. The way to see if your DNS is good is to see if the port randomization is great if it says “poor” then TELL YOU ISP AND TELL THEM TO PICK UP THE SLACK AND UPDATE IT AND ALSO ITS FREE TO UPDATE!!!!!!!!!!!!!!!!!! All of the sites I listed can check if your DNS is good or bad but remember it can spoof DNS so from sites can give you a false positive witch means can lie to you. The way to know for sure is you can make sure you have an https:// at the beginning or your URL which means secure connection witch can’t be spoofed. If your DNS is compromised you can use a service called OpenDNS witch is free and probity a lot faster then your DNS and more secure because the only thing the do is keep their DNS Servers up-to-date always. They have a network of them all across the world witch means it is also more reliable. If one DNS is different than all the rest then it will change back. That is why it is more secure also they are not comprised because all of their DNS Servers were patched on the day it came out. It is faster, more secure, more reliable and the best thing it is FREE!!!!!!!!!! For more info about OpenDNS go to http://opendns.com/

That is the only advice i can give you to keep your DNS Servers safe and spread the word about this flaw and we might change the way we shop online and feel safer on it too.  Everyone deserves a safer and faster web for half the cost…well we can do the safer and faster for now.

P.S. Open DNS servers isp is 208.67.222.222 and secondary server id 208.67.220.220 just if you want to know.

In News of the DNS flaw Kaminsky (finally) provides DNS flaw details. “In his first public comments since his Domain Name System (DNS) cache poisoning flaw was made public, Dan Kaminsky said in a conference call on Thursday he doesn’t want to parse who said what when. He just wants everyone to understand that they must patch their systems now.” -Cnet.com Also Steve Gibson talks about the flaw in his podcast he does every week in episode #155 Bailiwicked Domain Attack & also episode Listener Feedback #47.

“This would be less of an issue if the widely released patch from two weeks ago had been fully deployed, but a number of companies or ISPs don’t seem to have gotten the memo. Accordingly to Kaminsky, some 52 percent of DNS servers are still vulnerable to the attack. This is a marked improvement from the 86 percent vulnerability rate in the days immediately following the patch’s release, but it’s still far too high, especially with dangerous code now squirreling its way across the Internet. Patch deployment is not an instant process, even if the company is on the ball, but we’ll hopefully see the number of patched DNS servers skyrocket in the next few days.

Some publications have dubbed the attack Metasploit, but that term refers to the open-source Metasploit Framework that was used to develop it. As for the exploit itself, it’s a new variation on a classic DNS poisoning theme. It disrupts the normal translation functions of a DNS server, causing it to redirect users to websites other than the ones they intended to visit. A poisoned DNS server, for example, could send someone to http://www.RussianMalware.com when they had actually typed http://www.google.com into the address bar. DNS poisoning isn’t new—vulnerabilities have existed for over a decade—but the one Kaminsky discovered increases the power of a successful attack.

Kaminsky has now detailed the methodology of a standard DNS poisoning attack and provides additional information on the vulnerability he discovered. As he describes it, a DNS lookup request is essentially a race between a good guy and a bad guy, each of whom possess certain advantages. The good guy knows when the race begins, and he knows the secret code that’s been sent along with that request in order to verify that the response coming back is actually authentic. The bad guy doesn’t have this code, but he actually decides when the request goes out, and he knows about the request before the good guy does.” -arstechnica.com

This problem was found by Dan Kaminsky a wile ago and ISP’s did not listen to him so he went public and now the world knows the problem and how to exploit it.  “He just wants everyone to understand that they must patch their systems now.”

“While most of the burden is on the Domain Name System servers and the various systems that support them, the nature of the flaw is such that desktop clients also need to patch their software as well.”

“Still, in the end, protection from any DNS exploit also depends on your upstream ISP providers. As of Monday, researcher Neal Krawetz was reporting that servers at several high-profile ISPs remained vulnerable. ”

You can get more info about this DNS Flaw at

Microsoft Security Bulletin MS08-037

-Cnet.com

If you want more info about your DNS and if it is safe go to my other post called “Test your DNS NOW!!!” also if you want more info listen to Steve Gibson on episode #155 Bailiwicked Domain Attack & also episode Listener Feedback #47, at  https://www.grc.com/securitynow.htm (Secure connection) or SSL or at http://www.grc.com/securitynow.htm for unsecure. If you want to visit Dan Kaminsky at his blog at http://www.doxpara.com/ or on twitter at dakami. Ohh… one more thing Steve Gibson said that if you go to any site that is on an SSL (Secure Connection) This will be the right sight and can’t be spoffed because they would not allow the certificite for the site to go through because it goes on 443 not 80. Also if you want to laugh or cry or whatever you think this is you can read a poem about the DNS flaw and Dan Kaminsky.

“He decided than rather to disclose all at once he’d instead only tell people who’d fix it in months So some meetings were had and work soon began vendors wrote patches coordinated by Dan Fast forward some time out the closet it came some researcher types got into the game Dan’s rules were quite simple, that in 30 days he’d present during Blackhat and we’ll all be amazed A bunch of big egos called Dan on a bluff said his vuln was a copy of 10 year old stuff So Dan swore them on handshakes and details were provided and those same cocky claims soon all but subsided It seems that Dan’s warnings weren’t baseless at all Said the same skeptical hackers ‘the risk isn’t that small!’ So Blackhat was nearing the web didn’t break then out came a theory from our friend Halvar Flake No sooner had he posted and described the vuln’s guts than Matasano’s blog surfaced, kicked the web in the nuts It said ‘Halvar’s right!’ we’ll no longer keep quiet. The post’s ripple effect caused a nasty ‘net riot The blog quickly was pulled but the cat’s out of the bag the arms race began since there’s no longer a gag Meanwhile the issues of honor and trust rehashed the debate of when disclosure goes bust So Dan’s days of thirty we never did see thirteen is OK but I issue this plea When researchers consider how to disclose and thus when will you think of the users? How it might affect them? This ego-fueled rush to put your name on a vuln has a much bigger impact than you might have known If the point here is really to secure and protect then consider what image you really project In this case the vuln. is now in the wild an exploit is coming DNS soon defiled The arms race has started and the clock now is ticking If you haven’t yet patched you’ll soon take a licking I’m not taking sides really on the disclosure debate but rather the topic of patch early or late What good is disclosure if the world couldn’t cope with the resultant attacks if we’ve all got just hope? There’s two sides to this issue both deserve merit but Dan’s rep has been smeared I say let’s just clear it”

-Christofer Hoff.