The ol’ Switcheroo, DNS-style.

Posted on December 8th, 2008


Here we go again, another little tip for you all. This time it's about mitigating a very common attack against the BIND DNS daemon.

So first, a little backstory on the idea behind the attack. It's based on DNS cache poisoning. What is DNS cache poisoning? To put it simply, it works like so:

tuxotaku.com (the victim/target) resolves to 205.234.198.154
l33th4x0r-sk1dd13.com (the attacker) resolves to 66.225.102.54

The attacker uses an exploit against the nameserver for the target to point all traffic for that domain at his IP, so that anyone going to tuxotaku.com sees the attacker's website instead. Any mail coming from the attacker's IP would also appear to come from the victim's hostname (in this case, tuxotaku.com).

So how do we prevent this? If you use BIND as your DNS daemon, you only need to add the following to the options{} section of either named.conf or named.conf.options (depending on your distro):

// version statement for security: hides the real version
// so known weaknesses of a specific release can't be targeted
version "get lost";

// optional - disables all zone transfers globally;
// slaves can still be allowed per zone in zone clauses
allow-transfer { none; };

// optional - disable all recursive queries
allow-recursion { none; };
recursion no;

So what exactly does this do? For one, it disables recursive queries. Recursive DNS queries can be used to facilitate "man-in-the-middle" style attacks such as DNS cache poisoning. It also sets a "version mask" that disguises the version of BIND you are running, making it harder for attackers to pick version-specific exploits.
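A quick way to verify that both settings took effect, as an added example that is not part of the original post: it sends the same two queries dig would (version.bind in the CHAOS class, and an ordinary A query) and checks the version.bind answer and the RA (recursion available) flag in the reply. NS_IP is a placeholder for your own server's address.

```python
"""Audit the two BIND hardening effects: masked version.bind and refused recursion.
Added example; assumes a nameserver reachable on UDP/53 at NS_IP (placeholder)."""
import socket
import struct

NS_IP = "192.0.2.1"       # placeholder: replace with the server under test
TYPE_A, TYPE_TXT = 1, 16
CLASS_IN, CLASS_CH = 1, 3
FLAG_RD, FLAG_RA = 0x0100, 0x0080
RCODE_REFUSED = 5

def build_query(name, qtype, qclass, txid=0x1234):
    # 12-byte header with RD set (we ask for recursion), one question, no other sections
    header = struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, qclass)

def parse_header(resp):
    # RA clear means the server will not recurse for us; rcode 5 is REFUSED
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": txid, "ra": bool(flags & FLAG_RA), "rcode": flags & 0x000F, "ancount": an}

def skip_name(data, off):
    # advance past a wire-format name, honouring compression pointers
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def txt_answers(resp):
    # collect every <character-string> from TXT records in the answer section
    hdr, off, out = parse_header(resp), 12, []
    off = skip_name(resp, off) + 4            # question name + qtype + qclass
    for _ in range(hdr["ancount"]):
        off = skip_name(resp, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        rdata, off = resp[off:off + rdlen], off + rdlen
        i = 0
        while rtype == TYPE_TXT and i < rdlen:
            n = rdata[i]
            out.append(rdata[i + 1:i + 1 + n].decode(errors="replace"))
            i += 1 + n
    return out

def audit(server=NS_IP, timeout=3.0):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    s.sendto(build_query("version.bind", TYPE_TXT, CLASS_CH), (server, 53))
    version = txt_answers(s.recvfrom(4096)[0])
    s.sendto(build_query("example.com", TYPE_A, CLASS_IN), (server, 53))
    hdr = parse_header(s.recvfrom(4096)[0])
    return {"version": version, "recursion_available": hdr["ra"], "rcode": hdr["rcode"]}
```

A hardened server answers version.bind with the mask string and returns RA clear (typically rcode REFUSED) for names it is not authoritative for. Remember that `recursion no;` is meant for an authoritative-only server: if the same daemon also resolves for your LAN, those clients will get REFUSED too.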

Another way to avoid recursion-related exploits is to use a security-hardened nameserver daemon such as NSD or djbdns.

Wikipedia, as always, has a nice, quick and dirty comparison of nameserver daemons, their feature sets, and security-related issues.