nameserver
Description
===========
This exploit targets a fairly ubiquitous flaw in DNS implementations
which allows the insertion of malicious DNS records into the cache of the
target nameserver. This exploit caches a single malicious host entry
into the target nameserver. By causing the target nameserver to query
for random hostnames at the target domain, the attacker can spoof a
response to the target server including an answer for the query, an
authority server record, and an additional record for that server,
causing the target nameserver to insert the additional record into the
transaction ID that the server will use and sending a spoofed DNS reply
to the server. To observe the transaction IDs an attacker needs to
control a DNS server that is authoritative for some domain and to be
able to send recursive queries to the caching Microsoft DNS server.
When an attacker sends a recursive query to a caching name server, the
caching server will find the server authoritative for the zone and send
the request to the authoritative name server. If the attacker can
predict the transaction ID of the request that the caching server sends,
he can generate spoofed replies. The caching server will accept the spoofed
reply as coming from the authoritative name server and cache the fake data.
mailing list when the binaries are available via freebsd-update.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
Dynamic update messages may be used to update records in a master zone
on a nameserver.
II. Problem Description
to a Denial of Service and easing cache poisoning attacks.
Background
==========
The PowerDNS Nameserver is an authoritative-only nameserver which uses
a flexible backend architecture.
Affected packages
=================
I wrote a patch for a DNS server to exploit a bug in 'mtr', which uses a 'bug' in libresolve.
We must compile and run the DNS server with the config file which I enclose here. A diff for
the DNS server I enclose too. The server tries to bind on the interface which has IP address
192.168.1.200, the evil domain is for IP 12.34.56.78, and the main DNS server is set to the one that has
IP address 192.168.1.1 (remember to change the registry in /etc/resolv.conf for nameserver!).
Patch for the pdnsd DNS server in version 1.2.6 (it has some bugs, but to exploit this
bug you don't need a long-lived server :)):
--- CUT ---
cache is poisoned. Because the replies are sent directly after the query, they
will arrive at the DNS server much earlier than the legitimate reply from some
Name Server.
This attack was discovered and announced by Dan Kaminsky of Doxpara
Research in July 2008.
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
DNS Security Extensions (DNSSEC) provides data integrity, origin
authentication and authenticated denial of existence to resolvers.
II. Problem Description
Hello, I'd like to document what appears to be a common named
misconfiguration that can result in a minor security issue with web
applications.
It's a common and sensible practice to install records of the form
"localhost. IN A 127.0.0.1" into nameserver configurations; bizarrely,
however, administrators often mistakenly drop the trailing dot,
introducing an interesting variation of Cross-Site Scripting (XSS) I
call Same-Site Scripting. The missing dot indicates that the record is
not fully qualified, and thus queries of the form
"localhost.example.com" are resolved. While superficially this may
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server. DNS requests
contain a query id which is used to match a DNS request with the response
and to make it harder for anybody but the DNS server which received the
request to send a valid response.
II. Problem Description
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
II. Problem Description
A logic error in the BIND code causes the BIND daemon to accept bogus
data, which could cause the daemon to crash.
Debian-specific: no
CVE Id(s) : CVE-2008-1447
Debian Bug : 490271
In DSA-1603-1, Debian released an update to the BIND 9 domain name
server, which introduced UDP source port randomization to mitigate
the threat of DNS cache poisoning attacks (identified by the Common
Vulnerabilities and Exposures project as CVE-2008-1447). The fix,
while correct, was incompatible with the version of SELinux Reference
Policy shipped with Debian Etch, which did not permit a process
running in the named_t domain to bind sockets to UDP ports other than
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server. DNS Security
Extensions (DNSSEC) are additional protocol options that add
authentication as part of responses to DNS queries.
FreeBSD includes software from the OpenSSL Project. The OpenSSL
Project is a collaborative effort to develop a robust,
Domain Search List <<<--------------------------------------
option type: 24
option length: 1
DNS Domain Search List
Malformed option
DNS recursive name server
option type: 23
option length: 32
DNS servers address: fec0:0:beef:f00d::feed
DNS servers address: fe80::2d42:5a6d:9472:a9fb
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
II. Problem Description
A remote attacker could cause the BIND resolver to cache an invalid
record, which could cause the BIND daemon to crash when that record
In light of the new DNS cache poisoning issue and now that everyone has had
plenty of time to apply patches, I've decided to release a new version of my
nameserver security scanner called porkbind. It is a multi-threaded nameserver
scanner that can recursively query nameservers of subdomains for version
strings. (i.e. sub.host.dom's nameservers then host.dom's nameservers)
After acquiring the version strings it tests them against version numbers
from CERT advisories and reports back to the user. Zone transfer
capability is also tested for. It is available for download at:
http://innu.org/~super/tools/porkbind-1.2.tar.gz
cache-poisoning attack due to a weakness in the DNS protocol.
This update improves bind's resilience to this attack; however,
it does not provide a definitive solution.
Additionally, the bind package has been updated with root
nameserver information, including the new IP address for
the "L" root nameserver.
http://wiki.rpath.com/Advisories:rPSA-2008-0231
Copyright 2008 rPath, Inc.
the attack.
The paper details a way of making DNS cache poisoning / response
spoofing attacks more reliable. A caching server will store any NS
delegation RRs if it receives a delegation which is "closer" to the
answer than the nameservers it already knows. By spoofing replies that
contain a delegation for a single node, the nameserver will eventually
cache the delegation when we hit the right transfer id.
http://www.sec-consult.com/whitepapers_e.html
Package : pdns
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-3337
Brian Dowling discovered that the PowerDNS authoritative name server
does not respond to DNS queries which contain certain characters,
increasing the risk of successful DNS spoofing (CVE-2008-3337). This
update changes PowerDNS to respond with SERVFAIL responses instead.
For the stable distribution (etch), this problem has been fixed in version
and b.ns.bar; with my patch applied, only records within
burlap.dempsky.org are output. Also, there's significant freedom in
what poisonous records the attacker can produce.
The security hole here is that an administrator that uses djbdns 1.05
to serve DNS content does not expect that configuring his name server
as above will cause it to send records for names outside of
burlap.dempsky.org. I.e., an attacker can trick the administrator's
name servers to include arbitrary DNS records in response to queries
for names within domains he controls. Note that axfr-get is doing the
right thing here: it already strips out names from outside of the
Note: https://www.isc.org/CVE-2011-1907 is the authoritative source
for this Security Advisory. Please check the source for any updates.
Summary: When a name server is configured with a response policy zone
(RPZ), queries for type RRSIG can trigger a server crash.
CVE: CVE-2011-1907
Posting date: 05 May 2011
Program Impacted: BIND
cache poisoning.
Background
==========
The PowerDNS Recursor is an advanced recursing nameserver.
Affected packages
=================
-------------------------------------------------------------------
This program retrieves version information for the nameservers of a domain
and produces a report that describes possible vulnerabilities of each.
Vulnerability information is configurable through a configuration
file; the default is porkbind.conf. Each nameserver is tested for
recursive queries and zone transfers. The code is parallelized with
libpthread.
http://www.innu.org/~super/tools/porkbind-1.3.tar.gz
ChangeLog for this version: