Greenguy's Board


Old 2008-07-31, 10:35 PM   #1
Ms Naughty
old enough to be Grandma Scrotum
Join Date: Aug 2003
Location: Australia
Posts: 1,408
Hosting companies and the looming DNS problem

I'm starting a thread about something that I don't really understand. Maybe Sparky or others can add to it. In any case, I've read today that there's a major flaw with the DNS system and that hosts need to add a patch to make sure sites don't get exploited via nameservers.

http://news.cnet.com/8301-1009_3-10004267-83.html

So... hosting companies, have you added this patch?
__________________
Promote Bright Desire
Old 2008-07-31, 11:46 PM   #2
cd34
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
Hosting companies are less affected by this than your broadband/dialup ISP. Our servers are authoritative to the outside world -- meaning that an end-user wouldn't normally be using our servers to look up their bank, google, yahoo, etc. Because of that, even if we ran the older DNS software that was able to be spoofed, only people using our nameservers for their dns resolution would be affected. Answering authoritatively for domain names that are hosted on our nameservers would be unaffected.

Now, there is an interesting vector that was exploited the other day:

DNS attack writer victim of his own creation

However, I would bet that most of the hosting companies have upgraded their dns within days of the initial announcement. Some possibly were already running powerdns which was unaffected.

Even though most of the unmanaged servers are running nameservers, again, since very few people other than the local machine would be using that server as a resolver, it is unlikely that they would be affected.

To give you an idea how the attack works, basically, it's a race between the good guy and the bad guy. You request to go to google.com, you ask your ISP for the IP address, and the bad guy is flooding your ISP's nameserver with answers for google.com, using this bug, which severely limits the guesswork required to inject the bad data. There is a possibility that you'll get the right answer, but there's a reasonable chance you'll get the wrong answer.

A simple test to see if the resolver you are using is exploitable is to use this DNS test.

Ideally you'll see Great Source Port Randomness and Great Transaction ID Randomness. Just because you don't see both as Great doesn't mean that your resolver is necessarily exploitable. There are certain network architectures that some of the larger ISPs use that will skew the test.

AT&T still appears to be a major laggard in updating their servers, and is the one affected in the article linked above. AT&T also supplies the DNS resolvers for all of the iPhones recently turned on.

If your current ISP appears to be unpatched, you can always use opendns.com's resolvers which run their enterprise version of powerdns which was unaffected by the bug.
__________________
SnapReplay.com a different way to share photos - iPhone & Android
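The two things the post says to look for in the test (source port randomness and transaction ID randomness) decide how much guessing the "bad guy" in the race has to do. The following is an added example, not code from the post or from the test it links: it rates constructed samples of a resolver's outgoing queries the way such a test would, and estimates how likely a forged reply is to win the race against a fixed-port resolver versus a patched one.

```python
"""Rate a resolver's source-port and transaction-ID randomness from samples
of its outgoing queries, and estimate what that means for a cache-poisoning
race.  Added example, not code from the post; all samples are constructed."""

# Constructed (source_port, txid) pairs as an authoritative server would
# log them for eight queries from one resolver.
PATCHED = [(53421, 0x1F3A), (18902, 0xA4C1), (61011, 0x0E77), (24570, 0x9B02),
           (45333, 0x5D19), (33128, 0xC8F0), (57764, 0x3321), (12099, 0x7AA5)]
UNPATCHED = [(53, 0x1000), (53, 0x1001), (53, 0x1002), (53, 0x1003),
             (53, 0x1004), (53, 0x1005), (53, 0x1006), (53, 0x1007)]

def rate(values):
    """Return 'GREAT', 'GOOD' or 'POOR' for a sequence of ports or IDs."""
    distinct = len(set(values))
    if distinct == 1:
        return "POOR"              # fixed value: nothing to guess
    diffs = {b - a for a, b in zip(values, values[1:])}
    if len(diffs) == 1:
        return "POOR"              # strictly sequential: trivially predicted
    spread = max(values) - min(values)
    if distinct == len(values) and spread > 32768:
        return "GREAT"             # all unique and spread across the range
    return "GOOD"

def rate_resolver(samples):
    """(port rating, txid rating) for a list of (port, txid) samples."""
    ports = [p for p, _ in samples]
    ids = [i for _, i in samples]
    return rate(ports), rate(ids)

def guess_space(samples):
    """Combinations a forged reply must hit: the 16-bit TXID times the
    effective port range (1 when the resolver always uses one port)."""
    ports = [p for p, _ in samples]
    port_range = 1 if len(set(ports)) == 1 else 65536 - 1024
    return 65536 * port_range

def poison_probability(samples, forged_per_race, races):
    """Chance that at least one forged reply wins across `races` attempts,
    each attempt being a fresh query the attacker can trigger at will."""
    p_one = 1 - (1 - 1 / guess_space(samples)) ** forged_per_race
    return 1 - (1 - p_one) ** races

if __name__ == "__main__":
    for name, s in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(name, rate_resolver(s), f"{poison_probability(s, 200, 1000):.5f}")
```

With 200 forged replies per race and 1000 races, the fixed-port resolver is poisoned with better than 95% probability, while the randomised one stays below one chance in ten thousand, which is why "Great" on both counts matters.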
Old 2008-08-01, 06:19 AM   #3
webcams_brian
Aw, Dad, you've done a lot of great things, but you're a very old man, and old people are useless
Join Date: Jun 2008
Location: Dublin, Ireland
Posts: 29
Ya... OpenDNS is recommended if you're a little worried...
Old 2008-08-01, 09:53 PM   #4
Ms Naughty
old enough to be Grandma Scrotum
Join Date: Aug 2003
Location: Australia
Posts: 1,408
OK, thanks for your reply, Sparky, that clears things up a bit. My ISP is officially "great."