config.com has passed the DNS Cache Poisoning Vulnerability tests
Written by Joe Rinehart
Wednesday, 23 July 2008
I've been getting people sending me announcements and asking me if our servers are secure or at risk! The bottom line is we've known about the security issues of running both authoritative and caching servers on the same server using Bind for years! We separated ours in July of 2004 for both speed and security.
This exploit was announced by CERT on July 8th, 2008.
Today, July 23, 2008, I tested several large Internet Service Providers (ISPs) and web hosting providers and have discovered many are still failing! To my shock, my personal ATT DSL account at home using DNS IP 66.219.156.2 at 18:48:29 pm failed too.... So it goes, yet again, to demonstrate that the multi-gazillion-dollar telecom networks are NOT always better than a small ISP who "has it together"! It's issues like this that also determine the quality of the ISP you are doing business with. It can affect both consumer surfing and also merchants' domains being spoofed! DNS is the root core of any network, and the quality, speed, aging, the network technical contacts and DNS server IPs are all things that Google measures when determining the quality of the content they index. If your technical contact is managing a gazillion web sites or the DNS IP is associated with spam operations, well, it just makes it easier for a small company like config to do better for their clients... Well, enough of my rambling, let's get back to the current DNS security exploit topic!
If you wish to know more about the serious security flaw in DNS recently acknowledged by CERT (US Computer Emergency Readiness Team), see US-CERT VU#800113. I quote the first paragraph: "The Domain Name System (DNS) is responsible for translating host names to IP addresses (and vice versa) and is critical for the normal operation of internet-connected systems. DNS cache poisoning (sometimes referred to as cache pollution) is an attack technique that allows an attacker to introduce forged DNS information into the cache of a caching nameserver. DNS cache poisoning is not a new concept; in fact, there are published articles that describe a number of inherent deficiencies in the DNS protocol and defects in common DNS implementations that facilitate DNS cache poisoning. The following are examples of these deficiencies and defects:" For more information please read the rest of the story at URL: http://www.kb.cert.org/vuls/id/800113
If you'd like to use our caching servers for your computers at home or your office, since so many of the big-boy Internet providers' DNS servers (running BIND or Microsoft DNS) are potentially exploitable, here they are by name and IP:
=cache1.ns.config.com:206.216.149.201:300
=cache2.ns.config.com:67.15.57.189:300
=cache3.ns.config.com:67.15.57.114:300
=cache4.ns.config.com:67.15.57.188:300
Just for the record, I always like bragging when possible about our quality of service... Here's our current "uptime" on b.ns.config.com:
b# uptime
5:57PM up 504 days, 19:44, 3 users, load averages: 0.72, 0.88, 0.88
and security-wise, since uptime doesn't mean much if one has an insecure system:
b# portaudit
0 problem(s) in your installed packages found.
So you are in good hands with the config.com team ;)
Regarding the caching servers, or the ability to test from any network for the potential exploits: I basically edited my resolv.conf, and on the Windows machine near me which my wife uses, I just changed the DNS from automatically assigned to insert the IPs of our caching servers which passed the exploit test.
A test is provided by Dan Kaminsky, Director of Penetration Testing for IOActive, who announced the exploit, at URL: http://www.doxpara.com
Another FREE test is available at http://www.dnsstuff.com/ at the bottom left of their index page. Look for the "DNS Vulnerability Check" box ("Check DNS cache poisoning risk", "TEST NOW").
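The public checkers above work by having a resolver send queries to a test authoritative server and then grading how much the resolver varies its source port and transaction ID. The following is an added example of that grading logic, not code from this post or from either test site; the log format and the query records are constructed for illustration (the two resolver IPs are the ones named in this post).

```python
import re
from collections import defaultdict

# Constructed sample of what a test-side authoritative server would log:
# one line per query received, with the resolver's source IP:port and TXID.
SAMPLE_LOG = """\
2008-07-23 18:48:29 query from 66.219.156.2:53 id=4137 qname=a1.test.example
2008-07-23 18:48:29 query from 66.219.156.2:53 id=4138 qname=a2.test.example
2008-07-23 18:48:30 query from 66.219.156.2:53 id=4139 qname=a3.test.example
2008-07-23 18:48:30 query from 66.219.156.2:53 id=4140 qname=a4.test.example
2008-07-23 18:48:31 query from 206.216.149.201:51042 id=9213 qname=b1.test.example
2008-07-23 18:48:31 query from 206.216.149.201:8457 id=44017 qname=b2.test.example
2008-07-23 18:48:32 query from 206.216.149.201:60211 id=1290 qname=b3.test.example
2008-07-23 18:48:32 query from 206.216.149.201:32918 id=57733 qname=b4.test.example
"""

LINE_RE = re.compile(r"query from (\d+\.\d+\.\d+\.\d+):(\d+) id=(\d+)")

def parse_log(text):
    """Return {resolver_ip: [(src_port, txid), ...]} from the log text."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            seen[m.group(1)].append((int(m.group(2)), int(m.group(3))))
    return seen

def assess(samples):
    """Grade one resolver: a fixed source port (classic port 53) or sequential
    IDs leaves only ~16 bits for a forger to guess; varied ports add ~16 more."""
    ports = {p for p, _ in samples}
    ids = {t for _, t in samples}
    sequential = len(samples) > 1 and all(
        b - a == 1 for (_, a), (_, b) in zip(samples, samples[1:]))
    if len(ports) == 1 or sequential:
        verdict = "POOR"
    elif len(ports) < len(samples):   # some port reuse within a small sample
        verdict = "GOOD"
    else:
        verdict = "GREAT"
    return {"verdict": verdict, "distinct_ports": len(ports),
            "distinct_ids": len(ids), "sequential_ids": sequential,
            "queries": len(samples)}

def assess_log(text):
    return {ip: assess(s) for ip, s in parse_log(text).items()}

if __name__ == "__main__":
    for ip, result in assess_log(SAMPLE_LOG).items():
        print(ip, result)
```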
Best 'net regards, Joe
Last Updated ( Tuesday, 29 July 2008 )