Practical Technology

for practical people.

Preventing DNS Poisoning in Linux

| 1 Comment

If you don’t think the recent discovery of the DNS cache-poisoning flaw is bad news and needs to be addressed as soon as possible, let me repeat what Paul Mockapetris, DNS’ (Domain Name System) inventor, had to say about this security hole: Patch your DNS servers right now.

CERT can tell you about the technical details of DNS cache-poisoning, here’s what an attack on a DNS server can mean to you according to Dan Kaminsky, a researcher at security services firm IOActive: The vulnerability could allow attackers to redirect Web traffic and e-mails to systems under their control.

In other words, you click on your bookmark for Google and you end up at a site that looks like Google but is loaded down with malware. Or, you go to what looks like your bank site, the URL is the right one for your bank, but when you enter in your account ID you’ve just given it to a rip off artist.

With violated DNS servers you will be unable to trust the Internet. None of your net-based programs — e-mail, Web browser, media-player, whatever – would be trustworthy.

The only solution is to update your DNS servers and to do it now. Almost all the major operating system vendors have already released patches for the problem.

For Linux servers in specific, that means you need to upgrade BIND. If you’re still using BIND 8, or, God-forbid, any earlier versions, since these are hopelessly outdated, you should upgrade to BIND 9.

BIND 9 is years old but some ISPs and companies are still using it. Yahoo, believe it or not, according to Kaminsky, is still using BIND 8. There are several things that work in BIND 8, but which will fail in BIND 9. This circa 2001 story from O’Reilly on Upgrading to BIND 9: The Top Nine Gotchas does a good job of covering them.

If you’re using an older Linux distribution for DNS, you may need to update BIND by hand from the source code. ISC provides the following patches: BIND 9.5.0-P1; BIND 9.4.2-P1, and BIND 9.3.5-P1.

The good is that this will stop hackers from exploiting this security hole in their tracks. The bad news is that you will see a performance hit. So, if you’re running a site with say over 10,000 DNS hits per second, get ready to start adding DNS servers to handle the load. There are beta versions of BIND that combine performance and safety, but they are just that: Beta. I wouldn’t switch to them at this time.

If you’re using a modern Linux distribution, use your automatic update feature to bring DNS up to date. For further information on specific distributions, follow these links:

Debian.

Fedora 8

Fedora 9

openSUSE/SUSE

Ubuntu

I looked for, but was unable to find, pre-packaged fixes for PCLinuxOS. That said, I’m sure there will be patches available for all three distributions within days, if not hours.

Updated July 11 with openSUSE and SUSE patch information.

Users of these distributions should keep an eye on their sites and update their systems the minute a patch becomes available. If you’re using any of these Linuxes for major DNS work, go ahead and push the ISC patches through. You really don’t want to fool around with this security hole.

Ultimately, to better protect your Internet connectivity, you need to move to DNSSEC, which, as the name implies, adds security features to DNS. First, though, get your current DNS systems secure with the new patches, and then move to DNSSEC. It’s more important to be safe right now and then worry about a long-term security plan rather than delay defending your DNS servers until you have a handle on DNSSEC.

One Comment

  1. Pingback: Geek Vault » Mais sobre o DNS

Leave a Reply