
DNS doozy, is there a 6.5.22m fix for this?

Posted: Tue Jul 08, 2008 7:17 pm
by porter
Bigger than Ben Hur, bigger than Debian's ssh keys,

http://securosis.com/2008/07/08/dan-kaminsky-discovers-fundamental-issue-in-dns-massive-multivendor-patch-released/

Is there a 6.5.22m fix for this?

Re: DNS doozy, is there a 6.5.22m fix for this?

Posted: Tue Jul 08, 2008 7:38 pm
by nekonoko
I updated BIND9 in Nekoware with the fix.

Re: DNS doozy, is there a 6.5.22m fix for this?

Posted: Tue Jul 08, 2008 8:21 pm
by porter
Does that replace the standard client resolver library? Or is it a server only fix?

Re: DNS doozy, is there a 6.5.22m fix for this?

Posted: Tue Jul 08, 2008 8:35 pm
by nekonoko
It's the standard BIND server package with the required patch.

Re: DNS doozy, is there a 6.5.22m fix for this?

Posted: Tue Jul 08, 2008 9:44 pm
by porter
nekonoko wrote: It's the standard BIND server package with the required patch.


Sorry to be pedantic, but is this a "neko_bind" or does this actually replace the resolver used by SGI compiled programs?

Re: DNS doozy, is there a 6.5.22m fix for this?

Posted: Tue Jul 08, 2008 9:53 pm
by nekonoko
It's neko_bind of course, but my understanding is that by running a local caching nameserver, the local resolver won't need to reach out to a malicious source. At least that was my interpretation of:

Run a local DNS cache

In lieu of strong port randomization characteristics in a stub resolver, administrators can protect their systems by using local caching full-service resolvers, both on the client systems and on servers that are topologically close on the network to the client systems, in conjunction with the network segmentation and filtering strategies mentioned above.


http://www.kb.cert.org/vuls/id/800113

This is, of course, what I do here.

Re: DNS doozy, is there a 6.5.22m fix for this?

Posted: Thu Jul 10, 2008 9:20 am
by mgtremaine
I saw this test floating around another list; it is worth having.

https://www.dns-oarc.net/


dig +short porttest.dns-oarc.net TXT

In Windows you can use nslookup
> nslookup
> set type=txt
> porttest.dns-oarc.net

All the Linux boxes I patched are fine [yeah!] but the Solaris 10 box I did yesterday is still poor [it did ask for a reboot, so as soon as I do that I hope it fixes up.] You can try the nslookup under IRIX to see if your server/workstation is ok.

-Mike

Re: DNS doozy, is there a 6.5.22m fix for this?

Posted: Thu Jul 10, 2008 9:29 am
by nekonoko
Cool, my IRIX systems came back with GOOD on that test :)

Re: DNS doozy, is there a 6.5.22m fix for this?

Posted: Mon Aug 04, 2008 10:18 pm
by SAQ
It's coming up on a month - any news of an SGI patch for any IRIX version?

Re: DNS doozy, is there a 6.5.22m fix for this?

Posted: Tue Aug 05, 2008 7:37 am
by mgtremaine
"IRIX? Never heard of it." Says the SGI salesman. :)

-Mike

Re: DNS doozy, is there a 6.5.22m fix for this?

Posted: Tue Aug 05, 2008 7:56 am
by SAQ
I suppose that technically you're unlikely to run into any future issues if you install the Nekoware BIND and run links to the IRIX BIND - after all, the future upgrade potential of IRIX is limited, but there's a part of me that wants to keep it as original as possible.

Re: DNS doozy, is there a 6.5.22m fix for this?

Posted: Tue Aug 05, 2008 11:18 am
by porter
I was under the impression this also required a client fix (so that the magic number in the DNS packet sent was randomized rather than incremented) so that would need a change to libc.so and/or libnsl.so.

Re: DNS doozy, is there a 6.5.22m fix for this?

Posted: Tue Aug 05, 2008 5:27 pm
by josehill
Might be worth it if a Nekochanner with a service contract opens a case just to get the scoop on when/whether there will be an official fix or a workaround. Unfortunately, I let my contract lapse a little while ago...

Re: DNS doozy, is there a 6.5.22m fix for this?

Posted: Wed Aug 06, 2008 1:07 pm
by josehill
porter wrote: I was under the impression this also required a client fix (so that the magic number in the DNS packet sent was randomized rather than incremented) so that would need a change to libc.so and/or libnsl.so.

Brief discussion of this in the OS X Leopard context at http://db.tidbits.com/article/9721 , presumably IRIX could be similar.

Re: DNS doozy, is there a 6.5.22m fix for this?

Posted: Mon Sep 29, 2008 2:42 am
by hamei
nekonoko wrote: Cool, my IRIX systems came back with GOOD on that test :)

Heh heh


text = "208.67.219.13 is GREAT: 26 queries in 0.1 seconds from 26 ports with std dev 18595"
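
Added example, not part of any post in this thread: a shell function that parses the TXT answer from the porttest query quoted above and turns the rating into an exit status, so the check can be scripted across several hosts. The function name and the POOR sample line (using a documentation address) are constructed here; the GREAT line is the one quoted in the thread.

```shell
#!/bin/sh
# Parse the answer of:  dig +short porttest.dns-oarc.net TXT
# The answer may carry extra lines (e.g. a CNAME target) before the quoted
# TXT string; only a line in the "<ip> is <RATING>: ..." form is used.

# parse_porttest "<dig output>"
#   prints: "<resolver-ip> <rating> <distinct-ports> <std-dev>"
#   returns 0 for GOOD or GREAT, 1 for any other rating (e.g. POOR),
#           2 when no line matches the expected format.
parse_porttest() {
    # Strip the quotes dig puts around TXT data, then pull out the fields.
    # The pattern admits only hex digits, dots, colons, capitals and numbers,
    # so the unquoted expansion below cannot glob or inject anything.
    set -- $(printf '%s\n' "$1" | tr -d '"' | sed -n \
's/^\([0-9a-fA-F.:]*\) is \([A-Z]*\): [0-9]* queries in [0-9.]* seconds from \([0-9]*\) ports with std dev \([0-9.]*\)$/\1 \2 \3 \4/p')
    [ $# -eq 4 ] || return 2
    printf '%s %s %s %s\n' "$1" "$2" "$3" "$4"
    case $2 in
        GOOD|GREAT) return 0 ;;   # source ports look randomized
        *)          return 1 ;;   # few distinct ports / low spread
    esac
}

# Sample answers. The first is the line quoted in the thread; the second is
# constructed for illustration (192.0.2.53 is a documentation address).
SAMPLE_GREAT='"208.67.219.13 is GREAT: 26 queries in 0.1 seconds from 26 ports with std dev 18595"'
SAMPLE_POOR='"192.0.2.53 is POOR: 26 queries in 4.4 seconds from 1 ports with std dev 0"'

# check_samples: run both samples and report which resolvers need attention.
check_samples() {
    for answer in "$SAMPLE_GREAT" "$SAMPLE_POOR"; do
        if result=$(parse_porttest "$answer"); then
            echo "ok:    $result"
        else
            echo "check: ${result:-unparseable answer}"
        fi
    done
}

# Live use (needs network access and dig):
#   parse_porttest "$(dig +short porttest.dns-oarc.net TXT)"
```

The rating describes the resolver that actually contacted the test server, which is the address printed in the first field, not necessarily the host the query was typed on.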