So , everyone talked about recent attack against DNS protocol uncovered by Dan Kaminsky (
CVE-2008-1447) . Some rumors , some
speculations , some
partial leakages and finally accidental
leakage of full details (Item titled "Reliable DNS Forgery in 2008") followed by release of few tools and exploits for implementing mentioned attack was what happened in past weeks .
I`m not going to repeat told stories about the case yet another time , but focus on something more seriously . Such cirtical holes in internet infrastructure can easily lead to serious problems if not handled properly . they`re considered high-risk , but if people decide to skip them for any reason , they will become terrible cases . This is exactly what seems to be going on here in Iran . About one month past the patch-day ( 8th July ) but almost non of those who must have already patched their systems taken any (effective) action . I`m not talking about internal vulnerable DNS servers nor low-level ISP`s who provide internet to wide range of users , but talking about so-called top level DNS providers in country , back-bone providers or even the infrastracture known as authority of .ir domains ! let`s check it in more visual way :
DCI which is likely to be Iran`s top-level internet (and DNS, among Nic.ir) provider ,is providing service to 40 other networks and each of these 40 links are provider of number of other neworks. SINET is one of these 40`s ,which is up-stream of NIC.ir . Check "Import" items in
this link which shows who`s using DCI as it`s up-stream link . The bad thing about this vulnerability is that if you poison a top-level vulnerable DNS server , any down-stream DNS servers which forward their queries to vulnerable up-stream will get poisoned too . In more clear sentence , if you poison a top-level DNS , you`ve automatically poisoned all down-stream servers in a hierarchically manner .
Here`s the scary part of story . Almost all of mentioned up-stream DNS servers are still vulnerable ! To get more into details , I picked up few ( 15 ) random popular ISPs in country and repeated the test , for not just relying on top-level results :
Out of 15 checked ISP`s , 9 of them were directly making their users to forward queries to one of mentioned up-stream (top-level) DNS servers .
Out of 15 , only 2 of ISP`s turned to be secure against remote attacks. In remaining 13 , 6 of them had Open DNS servers which allow requrcive queries from anywhere in internet , but others were configured to accept recursive cueries only from their users (internal range). Althout better than being a wore DNS , but still vulnerable to attack.
And the Gold winner of the case IMO is NIC.IR. I`m sorry to say that authoritve DNS server of .ir domains is vulnerable too !
I`ve contacted few of top-levels through email and provided details among proof of concept on their systems but non of them replayed nor patched yet.
If you care about your security , I highly recommend you to use
OpenDNS servers till our lazy DNS maintainers decide to patch .
A note for DNS admins : Patching the server may not be enough ! Since core of the attack relys on weak source-port randomization , even a patched DNS server may remain vulnerable to attack if it`s behind a Firewall, NAT or some kind of forwarder system which brings your DNS to internet. Test your DNS servers both from internal and external zones to become sure about it . If you`re not sure how to check , try using
this free checking service and review results . You should see any poor/weak item there in report .
So what if you can`t directly patch your vulnerable server ? well , first of all this is one of those vulnerabilities that you MUST patch . But as a partial workaround you may place your DNS behind iptables (or other good *nix firewalls) and make firewall do the port-randomization for you.
Note to Users :Check the
same test link provided above . If you see any poor/weak sign , it`s time to call your ISP and ask them to patch . This is not because you care about security of your ISP , but you care about your own security .