dns exploit

Chris Buxton cbuxton at menandmice.com
Sat Jul 26 06:22:16 UTC 2008


No output indicates that the response did not contain an answer. Try
again without the "+short" to see some indication of why. Or try again
and see if you get a different result.

You want to see "GOOD", or you want to verify that your server is not
offering recursion to anyone.

Chris Buxton
Professional Services
Men & Mice

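The porttest check that Chris describes above, turned into a small script, as an added example that is not part of the thread and not a Men & Mice or DNS-OARC tool. It classifies the TXT answer the way he reads it by eye (the "GOOD" word, the size of the standard deviation, and the no-answer case). The sample answers are constructed here from the values quoted in the thread so the script runs offline; the "POOR" line is an assumed shape of a bad result, not a captured one, and the five-digit std dev threshold is his rule of thumb, not a published cutoff.

```sh
#!/bin/sh
# Added example (not from the thread). Parses the answer that
#   dig porttest.dns-oarc.net txt +short @server-ip
# returns and turns it into a verdict. Sample answers below are constructed
# from the thread's quoted values; the POOR sample is an assumed shape.

SAMPLE_GOOD='z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"x.x.x.x is GOOD: 26 queries in 4.1 seconds from 26 ports with std dev 15514.45"'
SAMPLE_POOR='z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"x.x.x.b is POOR: 26 queries in 2.3 seconds from 1 ports with std dev 0.00"'
SAMPLE_EMPTY=''

# porttest_verdict TEXT -> prints GOOD, FAIR, POOR or NOANSWER.
# NOANSWER is the "dig +short printed nothing" case from the thread: the
# server returned no answer, typically because it refuses recursion to us.
porttest_verdict() {
    verdict=$(printf '%s\n' "$1" | sed -n 's/^"[^ ]* is \([A-Z]*\):.*/\1/p' | head -n 1)
    case "$verdict" in
        GOOD|FAIR|POOR) printf '%s\n' "$verdict" ;;
        *)              printf 'NOANSWER\n' ;;
    esac
}

# porttest_stddev TEXT -> prints the integer part of the reported std dev,
# or 0 when the answer carries none.
porttest_stddev() {
    sd=$(printf '%s\n' "$1" | sed -n 's/.*std dev \([0-9]*\)\.[0-9]*".*/\1/p' | head -n 1)
    printf '%s\n' "${sd:-0}"
}

# stddev_ok TEXT -> exit 0 if the std dev has at least five digits before
# the decimal point (the rule of thumb from the thread), else exit 1.
stddev_ok() {
    sd=$(porttest_stddev "$1")
    [ "${#sd}" -ge 5 ]
}

# check_resolver IP -> runs the real query and prints "IP: VERDICT stddev=N".
# Needs network access and dig; the offline samples below do not call it.
check_resolver() {
    out=$(dig porttest.dns-oarc.net txt +short "@$1")
    printf '%s: %s stddev=%s\n' "$1" "$(porttest_verdict "$out")" "$(porttest_stddev "$out")"
}

if [ "$#" -gt 0 ]; then
    check_resolver "$1"
else
    for s in "$SAMPLE_GOOD" "$SAMPLE_POOR" "$SAMPLE_EMPTY"; do
        printf 'verdict=%s stddev=%s\n' "$(porttest_verdict "$s")" "$(porttest_stddev "$s")"
    done
fi
```

Run it with a server address as the only argument to query that resolver for real; without arguments it walks the three constructed samples. A NOANSWER result is not a pass: as the thread says, repeat the query without "+short" to see whether the server refused recursion (which is what you want for an authoritative-only server) or simply failed to answer.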
On Jul 25, 2008, at 11:14 PM, Skeeve Stevens wrote:

> What should actually be the correct (good?) response? (Sorry for the
> ignorance.)
>
>
> server{root}:3: dig porttest.dns-oarc.net txt +short @x.x.x.x
> z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
> "x.x.x.x is GOOD: 26 queries in 4.1 seconds from 26 ports with std dev
> 15514.45"
>
> Or
>
> server{root}:8: dig porttest.dns-oarc.net txt +short @x.x.x.b
> with no response
>
>
> And what do each of the responses mean?
>
> ...Skeeve
>
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org]  
> On Behalf
> Of Chris Buxton
> Sent: Saturday, 26 July 2008 3:43 PM
> To: comp-protocols-dns-bind at isc.org
> Cc: dhottinger at harrisonburg.k12.va.us
> Subject: Re: dns exploit
>
> That sure seems like a lot of work when you could just:
>
> dig porttest.dns-oarc.net txt +short @server-ip
>
> For example:
>
> $ dig porttest.dns-oarc.net txt +short @217.151.171.7
> z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
> "217.151.171.7 is GOOD: 26 queries in 3.9 seconds from 26 ports with
> std dev 19886.66"
>
> Notice the word "GOOD" in the output. Also notice the standard
> deviation shown at the end - you want 5 digits before the decimal  
> point.
>
> Chris Buxton
> Professional Services
> Men & Mice
>
> On Jul 25, 2008, at 10:24 PM, Brian Keefer wrote:
>
>> On Jul 25, 2008, at 5:48 PM, Gregory Hicks wrote:
>>
>>>> Date: Fri, 25 Jul 2008 20:36:50 -0400
>>>> From: dhottinger at harrisonburg.k12.va.us
>>>> To: "comp-protocols-dns-bind at isc.org"
>>> <comp-protocols-dns-bind at isc.org>
>>>> Subject: dns exploit
>>>>
>>>> Silly question, how do I tell If Im vulnerable to the dns exploit?
>>>
>>> Run attached against your name server thusly: (You need perl...)
>>>
>>> noclicky <ns>
>>> ---------------------------------------------------------------------
>>> Gregory Hicks                           | Principal Systems Engineer
>>> Cadence Design Systems                  | Direct:   408.576.3609
>>> 555 River Oaks Pkwy M/S 9B1
>>> San Jose, CA 95134
>>
>> Hello,
>>
>> It looks like the listserv ate the attachment, so I'm not sure if the
>> version you sent was patched to work since Dan has changed his page
>> (I'd like to assume it is, but you know what assuming does...)  The
>> original noclicky wasn't written to parse the date header that Dan
>> added to the output, so if you're still using the original it will
>> _falsely_ report that you're safe.
>>
>> I've written an updated patch for noclicky-1.00.pl that you can find
>> at http://www.SMTPS.net/issues/patches.html , also pasted below.
>> Apply by saving this file to the same directory as
>> noclicky-1.00.pl and doing:
>> $ patch -p0 <02-noclicky.patch
>>
>> (included inline for the lazy, or the fearful of DNS cache poisoning
>> against my site)
>>
>> --- noclicky-1.00.pl    Fri Jul 25 21:15:04 2008
>> +++ noclicky-1.00p2.pl  Fri Jul 25 22:11:09 2008
>> @@ -1,7 +1,7 @@
>> #!/usr/bin/perl
>> # vim:set ts=4 sw=4 ai et:
>> #
>> -# noclicky.pl, version 1.00
>> +# noclicky.pl, version 1.00p2
>> #
>> # A command line ("non-clicky") client to query the toorrr.com
>> service to
>> # determine if a given nameserver is vulnerable to CERT
>> Vulnerability Note
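Review bot: the version bump to 1.00p2 in the header comment records nothing about what changed; since the only functional change is tolerating the extra non-data line that the service now emits, add a one-line changelog entry next to the version (e.g. "# 1.00p2: skip the date header line added to the service output") so whoever next diffs against upstream 1.00 can see why the parse loop diverges.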
>> @@ -24,6 +24,7 @@
>> my @char = ("a" .. "z", 0 .. 9);
>> my $session = join "", map { $char[rand @char] } (1 .. 12);
>> my $domain = "$session.toorrr.com";
>> +my $nodata = 0;
>>
>> sub lookup
>> {
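Review bot: `my $nodata = 0;` is declared as a file-scope lexical here, next to the session setup, although its only use is as a counter inside the per-line loop in the next hunk; declare it beside `my %ports;` immediately before that loop so its scope matches its use and the counter is obviously per-run rather than shared state.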
>> @@ -64,10 +65,23 @@
>> my %ports;
>> for my $data (@data)
>> {
>> -    chomp($data);
>> -    my ($ip, $port, $txid) = split "-", $data;
>> -    print "  $ip:$port TXID=$txid\n";
>> -    $ports{$port} = 1;
>> +    if ($data =~ /^(?:\d{1,3}\.){3}\d{1,3}-\d{2,5}-\d+$/) {
>> +        chomp($data);
>> +        my ($ip, $port, $txid) = split "-", $data;
>> +        print "  $ip:$port TXID=$txid\n";
>> +        $ports{$port} = 1;
>> +    } else {
>> +        if (++$nodata > 1) {
>> +            # Brian Keefer -- chort AT smtps DOT net
>> +            die '##############################################' .
>> "\n" .
>> +                '# Uh oh, that\'s not what we were expecting!  #' .
>> "\n" .
>> +                '# Dan Kaminksy must have changed his website #' .
>> "\n" .
>> +                '# again, please check:                       #' .
>> "\n" .
>> +                '#> http://www.SMTPS.net/issues/patches.html <#' .
>> "\n" .
>> +                '# for a patch.                               #' .
>> "\n" .
>> +                '##############################################' .
>> "\n\n";
>> +        }
>> +    }
>> }
>>
>> if (keys %ports == 1) {
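Review bot: in the `else` branch the first unrecognised line is dropped silently and only the second one reaches `die`, so the exact case this patch targets (one extra header line) produces no diagnostic at all, and if that header is the only line returned `%ports` stays empty and falls through to the `keys %ports == 1` test below with whatever that branch does for zero ports. Suggest `warn "ignoring unexpected line: $data\n";` on every non-matching line and an explicit `die "no port data received\n" unless keys %ports;` before the `== 1` check. Two smaller points in the same hunk: the banner text reads "Dan Kaminksy" (should be "Kaminsky"), and `\d{2,5}` for the port rejects a one-digit port, so `\d{1,5}` is the honest bound even though it will never matter in practice.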
>>
>>
>> Hopefully that's right, but I am pretty sleepy... I did test both
>> expected and unexpected data...
>>
>> Brian Keefer
>> Sr. Systems Engineer
>> www.Proofpoint.com
>> "Defend email.  Protect data."
>>
>>
>>
>
>
>


