[LUG] DNS software security update
Michael Deutschmann
michael at talamasca.ocis.net
Mon Jul 14 21:02:23 PDT 2008
Last week an update was released for BIND (the de facto standard DNS
server on unixlikes), containing a security improvement. The authors
are so worried about this issue that they took the unusual step of
releasing it at the same time as Microsoft's "Patch Tuesday", so that
Microsoft could release an analogous update to their DNS software at the
same time.
The issue involves IP address spoofing. Aside from pure noise attacks,
forging a TCP connection is considered impractical for an attacker who
is off the path, since they need to see the packets the target sends
back to the apparent source in order to produce the correct responses.
But DNS usually uses UDP, where a query is answered by a single datagram
with no handshake, which makes a reply much easier to forge.
Forged DNS results could be used to redirect people to phishing sites,
or to fake favorable results from anti-spam systems that use DNS, such
as blacklists.
The potential for DNS spoofing has been known for some time, although
it's not easy to pull off. But recently, a whitehat has discovered a
technique that makes it far easier. They have recommended that *all* DNS
servers should *quickly* start using random source UDP ports for their
queries, so that an attacker must guess the port number as well as the
16-bit transaction ID in order to produce a believable forgery.
(The minority DJBDNS system has done this all along, so their users are
crowing about this...)
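To make the "guess the port as well" argument concrete, here is a small
simulation of an off-path forgery attempt. It is an added example written
for this post, not code from BIND, DJBDNS or Microsoft's DNS, and it sends
no packets: the resolver is reduced to the two fields a blind attacker has
to match (source port and 16-bit transaction ID), the 1024-65535 source
port range and the per-query forgery budget are assumptions, and repeated
guesses are allowed in the random-port case, which only weakens the
attacker slightly.

```python
"""Blind (off-path) DNS forgery, modelled as a guessing game.

Constructed example for this post, not code from BIND, DJBDNS or
Microsoft DNS.  No packets are sent.  A resolver accepts a UDP reply
only if it arrives on the source port the query left from and carries
the query's 16-bit transaction ID; an off-path attacker sees neither
field and must guess.  Port range and budgets below are assumptions.
"""
import random

TXID_SPACE = 1 << 16             # 16-bit DNS transaction ID
EPHEMERAL = range(1024, 65536)   # assumed source-port range when randomising
FIXED_PORT = 53                  # old behaviour: every query leaves from port 53


def guess_space(randomize_port: bool) -> int:
    """Distinct (source port, TXID) pairs the attacker must cover."""
    return TXID_SPACE * (len(EPHEMERAL) if randomize_port else 1)


def blind_forgery_probability(budget: int, randomize_port: bool) -> float:
    """Chance that `budget` distinct forged replies, all landing before the
    genuine answer, contain the one the resolver will accept."""
    return min(1.0, budget / guess_space(randomize_port))


class Resolver:
    """Only the state that matters for matching a reply to a query."""

    def __init__(self, randomize_port: bool, rng: random.Random):
        self.randomize_port = randomize_port
        self.rng = rng
        self.port = None
        self.txid = None

    def send_query(self) -> None:
        self.txid = self.rng.randrange(TXID_SPACE)
        self.port = self.rng.choice(EPHEMERAL) if self.randomize_port else FIXED_PORT

    def accepts(self, dst_port: int, txid: int) -> bool:
        # Real resolvers also compare the question section and the reply's
        # source address, but the attacker can copy both from public zone
        # data, so they add no entropy to the guess.
        return dst_port == self.port and txid == self.txid


def run_attack(resolver: Resolver, budget: int, rng: random.Random) -> bool:
    """One forgery window: `budget` spoofed replies against one query.
    With a fixed port the attacker knows the port and simply enumerates
    TXIDs; with a random port each reply is a fresh (port, TXID) guess
    (repeats allowed, which only weakens the attacker slightly)."""
    if not resolver.randomize_port:
        return any(resolver.accepts(FIXED_PORT, t) for t in range(min(budget, TXID_SPACE)))
    for _ in range(budget):
        if resolver.accepts(rng.choice(EPHEMERAL), rng.randrange(TXID_SPACE)):
            return True
    return False


def success_rate(randomize_port: bool, trials: int, budget: int, seed: int = 1) -> float:
    """Fraction of `trials` independent queries the attacker manages to forge."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        r = Resolver(randomize_port, rng)
        r.send_query()
        wins += run_attack(r, budget, rng)
    return wins / trials


if __name__ == "__main__":
    for randomize in (False, True):
        print(f"random source port={randomize}: guess space={guess_space(randomize):,}, "
              f"P(win | 65536 forged replies)={blind_forgery_probability(65536, randomize):.2e}, "
              f"simulated win rate={success_rate(randomize, 10, 65536):.2f}")
```

With a fixed source port, 65536 forged replies cover every transaction ID
and the attacker wins every time; with a random port the same budget
covers roughly one part in 64512 of the guess space, which is why the
advice is to randomise the port and not merely the transaction ID.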
The simultaneous release of BIND and Microsoft fixes is intended to give
everyone the same one month window to update their systems before the
exploit is discussed publicly.
I've updated my systems, but I notice that as of 2008-07-15T04:00:08Z,
OCIS has not updated yet. In fact, they are still running 9.2.5, which
became obsolete in December 2005, over two and a half years ago.
(No "cracking" is needed to know which version of BIND someone is
running. You just give the command "dig version.bind txt chaos
@SERVER", where SERVER is the hostname of the server.)
---- Michael Deutschmann <michael at talamasca.ocis.net>