Security information regarding DNS servers

July 22, 2008 - August 22, 2008


DESCRIPTION:
We are asked to post this note:

Dear ISP:

As you have probably read, a large collection of DNS vendors, software 
publishers, and researchers published an update to their DNS servers and 
clients.  The details of the vulnerability have now been published, which 
means exploitation is more likely.

The root cause of the vulnerability is a lack of entropy (randomness if 
you will) in the UDP ports used by DNS.  The updates randomize the ports 
that are used by DNS.

However, there is an issue (http://blogs.iss.net/archive/dnsnat.html) that 
some NAT devices undo the randomization of the ports and rewrite the ports 
in sequential order.  This in effect re-introduces the vulnerability to 
customers.  Many customers are behind these devices, and customers using a 
low-end device are far less likely to understand the issues compared to 
customers behind a more powerful router or firewall device.  Obviously 
consumers are a likely group to be in this situation, but so are SOHOs and 
other small and medium business customers.

While the NAT device manufacturers evaluate the situation and determine what 
their response should be, there is one strong workaround.  It involves 
setting up your DNS in the way described here 
(http://www.isc.org/sw/bind/docs/forwarding.php). 
This means that the customer is relying on the ISP's server to be updated.

Therefore I am urging all ISPs to make sure they update their servers, 
and encourage their users to update their systems.

For more information you can go to my research page:  http://www.doxpara.com/ 


Dan Kaminsky
IO Active
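The letter's point is that a patched resolver can still look unpatched from the outside if a NAT device in front of it rewrites UDP source ports sequentially. The following script is an added example, not part of the notice above and not code from Dan Kaminsky, IOActive, or ISC. It takes tcpdump -n lines captured on the WAN side of a NAT device (or on an authoritative server), extracts the source ports of outbound DNS queries, and reports whether they look randomised, fixed, or sequentially rewritten. The capture lines are constructed, and the thresholds in assess() are assumptions chosen for illustration rather than values from any vendor guidance.

```python
"""Added example (not part of the original notice): score how random the UDP
source ports of a resolver's outbound DNS queries look, from a tcpdump capture
taken on the WAN side of a NAT device or on the authoritative side.

A patched resolver spreads its source ports across the 16-bit range; a NAT
device that rewrites them sequentially (the issue the letter describes)
collapses that back to a predictable sequence, which this check flags.
Thresholds below are assumptions chosen for illustration.
"""
import math
import re
from collections import Counter

# Matches tcpdump -n output for a UDP packet sent to port 53, e.g.
#   "10:00:01.000101 IP 192.0.2.10.41872 > 198.51.100.5.53: 1001+ A? example.net. (29)"
# group 1 = source IP, group 2 = source port, group 3 = destination IP.
_DNS_QUERY_RE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.53: ")


def source_ports_from_tcpdump(lines, client_ip=None):
    """Return the UDP source ports of DNS queries found in tcpdump -n lines.

    If client_ip is given, only queries from that address are counted, so one
    NAT'ed client can be assessed in isolation.
    """
    ports = []
    for line in lines:
        m = _DNS_QUERY_RE.search(line)
        if m is None:
            continue
        if client_ip is not None and m.group(1) != client_ip:
            continue
        ports.append(int(m.group(2)))
    return ports


def shannon_entropy_bits(ports):
    """Entropy of the observed port distribution in bits (0 for a fixed port)."""
    n = len(ports)
    return -sum((c / n) * math.log2(c / n) for c in Counter(ports).values())


def sequential_fraction(ports):
    """Fraction of consecutive queries whose source port is the previous port + 1.

    Entropy alone cannot catch sequential rewriting: twelve distinct ascending
    ports have the same entropy as twelve distinct random ones.
    """
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1)


def port_span(ports):
    """Width of the port range actually used."""
    return max(ports) - min(ports)


def assess(ports, min_span=16384, max_sequential=0.2):
    """Classify a sequence of observed source ports.

    min_span and max_sequential are assumed thresholds for this example, not
    values taken from any vendor guidance.
    """
    if not ports:
        raise ValueError("no DNS queries observed")
    if len(set(ports)) == 1:
        return "fixed-port"            # pre-patch behaviour: one port for every query
    if sequential_fraction(ports) > max_sequential:
        return "sequential-rewrite"    # NAT re-introducing the predictability
    if port_span(ports) < min_span:
        return "narrow-range"          # randomised, but over too few ports to matter
    return "randomised"


# --- constructed sample data (not real captures) ---------------------------
RANDOMISED = [41872, 9903, 60277, 17456, 35120, 52911, 2345, 28764, 63099, 11207, 47033, 30588]
FIXED_PORT = [53] * 12
CAPTURE_BEHIND_NAT = [  # constructed tcpdump -n lines; the NAT hands out ports in order
    "10:00:01.000101 IP 192.0.2.10.1024 > 198.51.100.5.53: 1001+ A? example.net. (29)",
    "10:00:01.004210 IP 192.0.2.10.44321 > 198.51.100.5.80: Flags [S], seq 1, win 65535, length 0",
    "10:00:01.010377 IP 192.0.2.10.1025 > 198.51.100.5.53: 1002+ AAAA? example.net. (29)",
    "10:00:01.020904 IP 192.0.2.10.1026 > 198.51.100.5.53: 1003+ MX? example.net. (29)",
    "10:00:01.031118 IP 192.0.2.10.1027 > 198.51.100.5.53: 1004+ A? www.example.net. (33)",
]


def report(ports):
    """Summarise the checks as a dict, for logging or a quick CLI print."""
    return {
        "queries": len(ports),
        "entropy_bits": round(shannon_entropy_bits(ports), 3),
        "sequential_fraction": round(sequential_fraction(ports), 3),
        "port_span": port_span(ports),
        "verdict": assess(ports),
    }


if __name__ == "__main__":
    for name, ports in [("randomised", RANDOMISED), ("fixed", FIXED_PORT),
                        ("behind NAT", source_ports_from_tcpdump(CAPTURE_BEHIND_NAT))]:
        print(name, report(ports))
```

On a real network the input would come from something like `tcpdump -n -l udp dst port 53` run on the outside interface of the NAT device, piped into source_ports_from_tcpdump(). A "sequential-rewrite" verdict for a client whose resolver is known to be patched is the NAT behaviour the letter warns about; until the device vendor fixes it, pointing that client at an updated ISP resolver via forwarding, as the letter suggests, is the workaround.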