EFW & DNS cache poisoning flaw

Hello everyone,

My LAN is behind an Endian firewall box (v. 1.1). I upgraded my local DNS servers (bind9) to prevent DNS cache poisoning. My local DNS servers are configured to forward to the OpenDNS servers for the "outside" servers.

When I perform a test (e.g. on the doxpara website), it seems that I'm still vulnerable. I browsed this forum and upgraded dnsmasq to version 2.43, but it doesn't seem to fix my problem. It seems that the EFW box cancels the benefit of random UDP source ports on the bind9 servers.

Can anyone help me with this issue?
Thanks

PS: I can upgrade to a newer version of EFW if necessary, but I want to be sure this will solve the problem, since it involves interrupting internet access for some time.
Re: EFW & DNS cache poisoning flaw

sysucl wrote:
> Hello everyone,
>
> My LAN is behind an Endian firewall box (v. 1.1). I upgraded my local DNS
> servers (bind9) to prevent DNS cache poisoning.
> My local DNS servers are configured to forward to the OpenDNS servers for the "outside"
> servers.
>
> When I perform a test (e.g. on the doxpara website), it seems that I'm still
> vulnerable.
> I browsed this forum and upgraded dnsmasq to version 2.43, but it doesn't
> seem to fix my problem.
> It seems that the EFW box cancels the benefit of random UDP source ports on
> the bind9 servers.
>
> Can anyone help me with this issue?
> Thanks
>
> PS: I can upgrade to a newer version of EFW if necessary, but I want to be
> sure this will solve the problem, since it involves interrupting internet
> access for some time.

I double checked the DNSmasq-upgraded EFW I have deployed and did my local patched server, and the results from Doxpara come back the same. It says it appears to be fine but to check this list, and then shows some port numbers [which do not seem to change, by the way].

Another test is to use dns-oarc.net:

    dig +short porttest.dns-oarc.net TXT

In Windows you can use nslookup:

    nslookup
    > set type=txt
    > porttest.dns-oarc.net

As far as I can tell the new version of DNSmasq does help, but remember that it has to ask an upstream DNS server, and word is that lots of ISPs have failed to do the upgrade.

-Mike
Re: EFW & DNS cache poisoning flaw

Mike Tremaine wrote:
> sysucl wrote:
>> Hello everyone,
>>
>> My LAN is behind an Endian firewall box (v. 1.1). I upgraded my local DNS
>> servers (bind9) to prevent DNS cache poisoning.
>> My local DNS servers are configured to forward to the OpenDNS servers for the "outside"
>> servers.
>>
>> When I perform a test (e.g. on the doxpara website), it seems that I'm still
>> vulnerable.
>> I browsed this forum and upgraded dnsmasq to version 2.43, but it doesn't
>> seem to fix my problem.
>> It seems that the EFW box cancels the benefit of random UDP source ports on
>> the bind9 servers.
>>
>> Can anyone help me with this issue?
>> Thanks
>>
>> PS: I can upgrade to a newer version of EFW if necessary, but I want to be
>> sure this will solve the problem, since it involves interrupting internet
>> access for some time.
>
> I double checked the DNSmasq-upgraded EFW I have deployed and did my
> local patched server, and the results from Doxpara come back the same. It
> says it appears to be fine but to check this list, and then shows some
> port numbers [which do not seem to change, by the way].
>
> Another test is to use dns-oarc.net:
>
>     dig +short porttest.dns-oarc.net TXT
>
> In Windows you can use nslookup:
>
>     nslookup
>     > set type=txt
>     > porttest.dns-oarc.net
>
> As far as I can tell the new version of DNSmasq does help, but remember
> that it has to ask an upstream DNS server, and word is that lots of ISPs
> have failed to do the upgrade.
>
> -Mike

PS - There seems to be a DNSmasq 2.45 out, which obviously I'd better build into an RPM. :/

-Mike
Re: EFW & DNS cache poisoning flaw

Hi,

Do you mean you get the same results with dnsmasq 2.43 as with the previous version?

I also ran the test from dns-oarc.net. I get strange results.

I tried with dnsmasq 2.43, but the query times out; it tells me it can't find the name server. On the EFW box, I killed dnsmasq and launched it again, but without the arguments from the rc file:

    #killall dnsmasq && dnsmasq

If I run this from my primary DNS:

    #dig +short porttest.dns-oarc.net TXT

it tells me my DNS security is POOR:

    "x.y.z.w is POOR: 26 queries in 5.0 seconds from 26 ports with std dev 7"

But if I try

    #dig @firewall +short porttest.dns-oarc.net TXT

    "208.69.34.8 is GREAT: 26 queries in 4.0 seconds from 26 ports with std dev 19093"

(@firewall is my EFW.) I think 208.69.34.8 must belong to OpenDNS.

So I'm a bit confused; I tried to forward the DNS queries to my EFW, but it doesn't do the trick.

By the way, I replaced my ISP's DNS with the OpenDNS servers, since my ISP didn't seem to have patched their servers (according to the tests I ran yesterday).

Any idea?
Re: EFW & DNS cache poisoning flaw

I tried it this morning (just replaced the binary on my EFW box, to give it a try). I had a look at the changelog, and obviously the flaw was fixed in 2.43, so I don't know if it's relevant to upgrade to 2.45 (for the flaw problem, anyway; there might be other improvements in 2.45, though).
Re: EFW & DNS cache poisoning flaw

sysucl wrote:
> I get strange results.
>
> I tried with dnsmasq 2.43, but the query times out; it tells me it can't
> find the name server.
> On the EFW box, I killed dnsmasq and launched it again, but without the
> arguments from the rc file.
> #killall dnsmasq && dnsmasq
>

The reload script [in Endian 2.0] is /etc/rc.d/rc.dnsmasq

> If I run this from my primary DNS:
> #dig +short porttest.dns-oarc.net TXT
> It tells me my DNS security is POOR
> "x.y.z.w is POOR: 26 queries in 5.0 seconds from 26 ports with std dev 7"
>
> But if I try
> #dig @firewall +short porttest.dns-oarc.net TXT
> "208.69.34.8 is GREAT: 26 queries in 4.0 seconds from 26 ports with std dev
> 19093"
> (@firewall is my EFW)
> I think 208.69.34.8 must belong to OpenDNS.
> So I'm a bit confused; I tried to forward the DNS queries to my EFW, but it
> doesn't do the trick.

I can dig at the EFW box and it works like you showed.

    [mgt@dwarfstar ~]$ dig @192.168.42.51 +short porttest.dns-oarc.net TXT
    porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
    "66.166.188.8 is GREAT: 26 queries in 0.8 seconds from 26 ports with std dev 17631"

I just posted the 2.45 rpm also. So it seems to be working. Make sure your DNS settings in DHCP are correct [I have it pointing to itself for DNS]. Other than that, not sure what to say; it seems to be working for me and it passes the tests I try.

-Mike
Re: EFW & DNS cache poisoning flaw

I upgraded to dnsmasq 2.45 (just in case; thanks for the rpm). I restarted dnsmasq using the script you mentioned.

My primary DNS runs on the same machine as my DHCP server, and it is different from the EFW box. That seems to be quite different from your setup :/ (So the DHCP on the EFW is disabled, of course.)

I get the same results:

    #dig @firewall +short porttest.dns-oarc.net TXT
    porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
    "208.69.34.8 is GREAT: 26 queries in 4.0 seconds from 26 ports with std dev 19193"

    #dig +short porttest.dns-oarc.net TXT
    porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
    "x.y.z.w is POOR: 26 queries in 4.9 seconds from 26 ports with std dev 7"

x.y.z.w is my router's address. I think it might be a setup problem on my LAN. I try to forward the queries to my EFW box but I get the same results.

Do your tests also succeed from another machine than your EFW box?
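The figure porttest reports is the spread of UDP source ports the test server observed, which is exactly what a port-serialising NAT on the firewall collapses (std dev 7 versus 19093 in the records above). As an added example, not code from this thread or from Endian, this Python parses those porttest records and computes the same two statistics over constructed lists of source ports as one would capture on the firewall's WAN side; the port samples and the `nat_serialises_ports` threshold are my own assumptions.

```python
import re
import statistics

# Constructed copies of the two porttest TXT records quoted in the thread
# (format as returned by "dig +short porttest.dns-oarc.net TXT"); not live data.
PORTTEST_OUTPUT = [
    '"x.y.z.w is POOR: 26 queries in 5.0 seconds from 26 ports with std dev 7"',
    '"208.69.34.8 is GREAT: 26 queries in 4.0 seconds from 26 ports with std dev 19093"',
]

# Constructed source-port samples standing in for the UDP/53 source ports captured
# on the WAN side while the resolver behind the firewall runs the test.
SEQUENTIAL_PORTS = list(range(1024, 1050))          # what a port-serialising NAT emits
RANDOM_PORTS = [52711, 3391, 61004, 17822, 45120, 9977, 30455, 58210, 1537, 41873,
                23999, 64002, 12345, 50020, 7812, 36601, 28490, 59333, 4410, 20188,
                47751, 15066, 62290, 33470, 8881, 54604]  # a randomising resolver

PORTTEST_RE = re.compile(
    r'"(?P<addr>\S+) is (?P<rating>[A-Z]+): (?P<queries>\d+) queries in '
    r'(?P<seconds>[\d.]+) seconds from (?P<ports>\d+) ports with std dev (?P<stddev>\d+)"'
)

def parse_porttest(record):
    """Parse one porttest TXT record into its fields, or None if it does not match."""
    m = PORTTEST_RE.search(record)
    if m is None:
        return None
    f = m.groupdict()
    return {"addr": f["addr"], "rating": f["rating"], "queries": int(f["queries"]),
            "seconds": float(f["seconds"]), "ports": int(f["ports"]),
            "stddev": int(f["stddev"])}

def port_stats(ports):
    """Distinct-port count and population std dev, the two numbers porttest reports."""
    return len(set(ports)), statistics.pstdev(ports)

def nat_serialises_ports(ports, max_stddev=100):
    """Heuristic of my own (not dns-oarc's rating scale): every query left on a
    different port, yet the ports barely spread, is the signature of a resolver
    that randomises while an in-path NAT rewrites its source ports sequentially."""
    distinct, stddev = port_stats(ports)
    return distinct == len(ports) and stddev < max_stddev

if __name__ == "__main__":
    for rec in PORTTEST_OUTPUT:
        print(parse_porttest(rec))
    for name, sample in (("sequential", SEQUENTIAL_PORTS), ("random", RANDOM_PORTS)):
        print(name, port_stats(sample), "NAT serialising:", nat_serialises_ports(sample))
```

Twenty-six consecutive ports give a std dev of 7.5, which is the "26 ports with std dev 7" pattern the thread shows when the query leaves through the EFW's NAT rather than straight from a randomising resolver.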