Panda Security Mediacenter

Patch your DNS NOW!!!!!

The exploit is here. Metasploit has developed a module to trigger the latest DNS vulnerability (announced by Dan Kaminsky two weeks ago). The DNS system translates names into the numbers the Internet can use (pandasecurity.lin3sdev.com -> 88.221.26.28). This threat allows malicious people to redirect any website or domain to a system controlled by the attacker. The full description of the vulnerability was due to be presented at BlackHat; however, it was published (by mistake) on a very well-known blog. Although it was removed, it was already accessible through Google cache or Google Reader.

The vulnerability uses two well-known issues with the DNS protocol:

The attacker (trigger machine) sends DNS packets to the target DNS with queries for a website in a domain they control (www.mytestdomain.com). The target DNS sends these queries to the DNS server controlled by the attacker, which lets the attacker predict the source port used by the target DNS and some patterns in the transaction ID. The attacker then sends spoofed DNS packets to the target DNS, pretending to be the DNS server, so that the client is redirected to the website owned by the attacker.
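To make "predictable" concrete from the defender's side, here is an added example (not from the original post, and not DnsTester's code) that classifies the source ports and transaction IDs a resolver was seen using. The function names, the sample observations and the three-way classification are assumptions made for illustration.

```python
from statistics import pstdev

def _pattern(values, modulus=65536):
    """Classify a run of 16-bit values as 'fixed', 'sequential' or 'varied'."""
    if len(set(values)) == 1:
        return "fixed"
    # A constant step between consecutive values (mod 2^16) means a counter.
    deltas = {(b - a) % modulus for a, b in zip(values, values[1:])}
    return "sequential" if len(deltas) == 1 else "varied"

def assess_resolver(observations):
    """observations: (source_port, transaction_id) pairs logged for one
    resolver, in arrival order, by a name server you operate.

    This is a coarse screen: 'varied' on a small sample does not prove good
    randomness, but 'fixed' or 'sequential' is enough to flag the resolver.
    """
    if len(observations) < 3:
        raise ValueError("need at least 3 observations to see a pattern")
    ports = [port for port, _ in observations]
    txids = [txid for _, txid in observations]
    port_pattern = _pattern(ports)
    txid_pattern = _pattern(txids)
    return {
        "distinct_ports": len(set(ports)),
        "port_stdev": round(pstdev(ports), 1),
        "port_pattern": port_pattern,
        "txid_pattern": txid_pattern,
        "predictable": port_pattern != "varied" or txid_pattern != "varied",
    }

# Constructed sample observations (not captured from real resolvers).
FIXED_PORT = [(32768, 0x1A2B), (32768, 0x77C1), (32768, 0x03F0), (32768, 0xC4D9)]
COUNTERS = [(1025, 100), (1026, 101), (1027, 102), (1028, 103)]
RANDOMIZED = [(49211, 0x9E31), (1893, 0x0412), (33020, 0xF7A0), (60412, 0x5B6C)]

if __name__ == "__main__":
    for name, sample in (("fixed port", FIXED_PORT),
                         ("counters", COUNTERS),
                         ("randomized", RANDOMIZED)):
        print(name, assess_resolver(sample))
```

A resolver that reports a single distinct port leaves only the 16-bit transaction ID between a spoofed answer and acceptance, which is why the patched behaviour is to vary the source port as well.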

 

We have developed a tool to verify whether your DNS is vulnerable (DnsTester). It basically executes the following query, suggested by the SANS Diary:

nslookup -type=txt -timeout=30 porttest.dns-oarc.net

If your DNS is vulnerable, you should inform your ISP or network administrator about it. However, a better and faster approach is to change your DNS to OpenDNS.

There are also some websites to verify whether your DNS is vulnerable (http://www.doxpara.com/, or you could follow the SANS suggestions on the SANS Diary).

(Thanks to Iker Perez for the image) 
