[MLUG] DNS poisoning for fun and profit

Good idea - zone transfers are bad news because people tend to name boxes what
they are, i.e. - what do you think cpfw1.domain.com is? Perhaps a CheckPoint
Firewall-1? Thanks - just isolated what and where to attack.

Zone Transfers should ONLY occur between trusted servers. So at UMC that would
be UMC-controlled servers and argus. I know I made it my mission in life for
several months to get rid of unnecessary DNS, anon ftp, and SMTP servers. All
told I got over 100 services off the network :)

DNS poisoning:

The players: Attacker, Alice (good user), Bank (destination)

1. Attacker sends request to Alice's DNS server to resolve anything in
Attacker's domain (standard query)
Attacker has control over his domain (authoritative DNS) OR has compromised an
authoritative server

2. Attacker gathers the query IDs from the DNS request from Alice's DNS server
Might repeat to get the sequence of query IDs (they're not exactly random)

3. Attacker prompts Alice's DNS server to resolve www.bank.com (Alice's
destination)

4. Alice's DNS requests www.bank.com from bank.com's DNS server

5. Attacker uses predictable query ID to answer for bank.com's DNS server -
mapping www.bank.com to Attacker's IP

6. Alice's DNS server dutifully caches this

Caveat: Older versions of BIND only require sending many answers to a query and
the server takes them all

7. Alice requests www.bank.com from her DNS server

8. Alice's DNS server answers with the IP for the Attacker

9. Alice sends her request to the Attacker - the Attacker can have a spoofed
page, or a page that appears the same, or whatever

Don't think this happens? It does and it really isn't very hard.

Mitigation:

Use the latest version of BIND which makes query IDs harder to predict
Split-Split DNS (yes - 2 splits) 3 servers:
	internal/internal: resolves internal only addresses for internal users
	internal/external: resolves external only addresses for internal users
	external/external: resolves external only addresses for external users
Digitally sign records (DNSSec)


Now, imagine with me if this happened for UMC and CNN. So someone poisons UMC
DNS to say that CNN.COM is really their IP which they have put up with false
headlines. Now imagine it was done immediately following 9/11 giving false
information. Now imagine it was an automated tool to nail 500 .edu domains and
all of @home DNS servers. This is cyber terrorism at its finest and it's not
hard to do!

-- Brent

-----Original Message-----
From: EMAIL:PROTECTED
[mailto:EMAIL:PROTECTED]On Behalf Of McNutt, Justin M.
Sent: Monday, December 03, 2001 7:54 AM
To: EMAIL:PROTECTED
Subject: [MLUG] DNS at UMC


> There's always DNS poisoning. It's nailed some high-profile
> places (Yankees,
> Hillary, etc.).

I haven't yet figured out how to defeat DNS poisoning in the design I've
built, partly because I don't entirely understand how the poisoning is
accomplished.

> The real risk is reconnaissance, but recon is the name of the
> open-environment game such as a University

Not for long.  I am working on reducing the number of zones we host and the
number of name servers that we "officially" talk to.  Somewhere along the
path, only hosts with NS records in the zones we host will be allowed to do
zone transfers with us, and even then, probably not with noc.

After that, I'll be setting up digital keys so I can essentially
authenticate the hosts that *are* authorized to do the transfers.

--J
--
To unsubscribe, go to http://mlug.missouri.edu/members/edit.php

Archives are available at http://mlug.missouri.edu/list-archives/

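An added, runnable model of the nine-step poisoning sequence Brent lays out above (added here as an example; it is not code from either message in this thread, nor from BIND). It does no real networking and no DNS wire encoding: it keeps only what the race depends on, a 16-bit transaction ID, a resolver cache, and an attacker who learns the IDs Alice's server uses by being authoritative for a zone of his own. The resolver can be built with sequential IDs (the predictable behaviour the post describes) or random IDs (the mitigation), so the same attack can be run against both. All names and addresses in it are hypothetical, constructed for the example.

```python
"""Offline model of the cache-poisoning race the post describes (steps 1-9).

Constructed example: no sockets and no DNS wire format, only the parts the
attack depends on - a 16-bit transaction ID, a resolver cache, and an attacker
who learns the IDs the resolver uses by being authoritative for his own zone.
All names and addresses are made up (hypothetical).
"""
import random
from dataclasses import dataclass, field
from typing import Dict, Optional

ATTACKER_IP = "203.0.113.66"   # constructed (TEST-NET-3)
BANK_IP = "198.51.100.10"      # constructed (TEST-NET-2)
ATTACKER_NAME = "probe.attacker.example"   # hypothetical zone the attacker controls
TARGET_NAME = "www.bank.com"               # the name from the post


@dataclass(frozen=True)
class Query:
    txid: int
    name: str


@dataclass(frozen=True)
class Answer:
    txid: int
    name: str
    address: str


@dataclass
class Resolver:
    """Alice's caching name server."""
    random_ids: bool                       # False = sequential IDs, as in old BIND
    cache: Dict[str, str] = field(default_factory=dict)
    pending: Dict[int, str] = field(default_factory=dict)   # txid -> name in flight
    next_id: int = 1

    def new_txid(self) -> int:
        if self.random_ids:
            return random.getrandbits(16)
        txid = self.next_id
        self.next_id = (self.next_id + 1) & 0xFFFF
        return txid

    def send_query(self, name: str) -> Query:
        """The upstream query the resolver emits when asked for `name`."""
        q = Query(self.new_txid(), name)
        self.pending[q.txid] = name
        return q

    def receive(self, a: Answer) -> bool:
        """Without DNSSEC the only check is: does the ID match an outstanding
        query for that name?  The first matching packet wins and is cached."""
        if self.pending.get(a.txid) != a.name:
            return False
        del self.pending[a.txid]
        self.cache[a.name] = a.address
        return True

    def lookup(self, name: str) -> Optional[str]:
        """Steps 7-8: what Alice gets when she asks her server."""
        return self.cache.get(name)


def poisoning_attempt(resolver: Resolver, forged_packets: int = 100) -> bool:
    """One run of steps 1-6.  Returns True if the cache now sends
    www.bank.com to the attacker."""
    # Steps 1-2: attacker asks the resolver for a name in his own zone.  Being
    # authoritative for it, he sees the transaction ID the resolver used.
    probe = resolver.send_query(ATTACKER_NAME)
    resolver.receive(Answer(probe.txid, ATTACKER_NAME, ATTACKER_IP))
    observed = probe.txid

    # Steps 3-4: attacker prompts the resolver to look up www.bank.com, and the
    # resolver sends its query to bank.com's server with the next ID.
    real = resolver.send_query(TARGET_NAME)

    # Step 5: forged answers, "from" bank.com's server, race the real one.
    if resolver.random_ids:
        guesses = [random.getrandbits(16) for _ in range(forged_packets)]
    else:
        guesses = [(observed + 1) & 0xFFFF]   # sequential IDs: one packet is enough
    for txid in guesses:
        if resolver.receive(Answer(txid, TARGET_NAME, ATTACKER_IP)):
            break   # step 6: the poisoned record is cached

    # The genuine answer arrives afterwards; if its ID was already consumed by
    # a forgery it is simply dropped.
    resolver.receive(Answer(real.txid, TARGET_NAME, BANK_IP))

    # Step 9 follows from this: Alice connects to whatever lookup() returns.
    return resolver.lookup(TARGET_NAME) == ATTACKER_IP


def success_rate(random_ids: bool, trials: int = 200, forged_packets: int = 100) -> float:
    """Fraction of fresh resolvers poisoned by one attempt each."""
    wins = sum(poisoning_attempt(Resolver(random_ids), forged_packets) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    print("sequential IDs:", success_rate(random_ids=False))
    print("random IDs:    ", success_rate(random_ids=True))
```

Against the sequential resolver a single forged packet wins every time, which is the "it really isn't very hard" point of the post. Against random IDs the attacker is reduced to guessing a 16-bit value per query, so 100 forged packets land well under one time in a hundred; that is what "harder to predict" buys, and it is still only 16 bits, which is why the thread's other mitigation, signed records (DNSSEC), is the one that removes the guessing game rather than just lengthening it.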