An alliance of software makers and network-hardware vendors announced on Tuesday that they had banded together to fix a fundamental flaw in the design of the internet's address system. The vulnerability in the domain name system (DNS) - the distributed database that matches a host and domain name with the numerical address of a …
Were many firewall vendors involved in this? I ask because ZoneAlarm was broken by the update, and their forums are now filled with people reporting that they can't connect.
How can they post to the forum if they can't connect? *grin*
The firewall issue was a secondary problem - changing the behaviour of the DNS "application" means that certain tuned firewall rules will break.
There's no reason why they should necessarily have had pre-warning - although it would probably make sense for them to get onto a beta for patches from Microsoft or something so that they can find the problem before their users...
Not All Smooth Sailing
While the action is welcome and overdue, the MS update (KB951748) for this problem brought its own issues to users who employ the popular Zone Alarm Firewall. A conflict between the two stops all internet access unless ZA is reset or a further update comes along.
These DNS bugs ignored since 2001 but fixed by some products
There has been at least one well-respected DNS implementation available since 2001 that addresses these issues, specifically djbdns.
From its blurb (http://cr.yp.to/djbdns/blurb/security.html):
- dnscache uses a cryptographic generator to select unpredictable port numbers and IDs.
- dnscache is immune to cache poisoning.
It seems that the major DNS implementations have been aware of these issues since around that time, but haven't bothered to address them until now.
ZA firewall issue confirmed here
It seems that the MS Update does definitely knock out Windows XP systems running ZoneAlarm. Nice update testing by Microsoft as per usual.
DJB pointed this out in 2001
... and there's ample evidence of his having repeatedly pointed it out.
My take on this: http://bahumbug.wordpress.com/2008/07/09/sensationalist-humbug/
Only one other nation, mind
> Finally, the Computer Emergency Response Team (CERT)
> Coordination Center has contacted some other nation's response
> groups to inform them of the problem.
Which other nation?
Or do you mean some other nations' response groups?
Mini to the rescue
Actually, I had to post my comment with Opera Mini :D. Zone Alarm wouldn't even connect to my router. I wonder how many of the screaming hordes on the forums did the same.
There are papers on this dating back *ten years*...
Admittedly that deals with weak ID prediction rather than source-port spoofing, but still.
@ZA firewall issue confirmed here
I use an older, free version of ZA and I had no problem after applying the MS patches last night beyond having to reconfirm that it was OK for Outlook to access the various zones.
I Feel Betrayed
I like BIND, I really do. It's functional, multipurpose, adaptable and well-documented. A bit buggy, it's true, but it does what I want in the way I want in the way that no other nameserver I've tried (djbdns, MaraDNS) does. It's like Sendmail - not elegant, but lovely for its functionality and close to administrators' hearts. But to find that after all these years they still haven't figured out a way to generate different queries with unique IDs and source ports using a genuine cryptographically-secured RNG is just bloody ridiculous. Of course, it won't stop me from using BIND. Or Sendmail. Or thttpd (which has had a couple of low-profile flaws). I guess functionality and ease of administration *do* matter, however much you care about security - and I do care, certainly enough to keep it simple whenever I can (vsftpd, Dovecot, Dillon's Cron, OpenNTPD, etc).
Update knocked out my........
Add/Remove Programs option in XP Pro. I do not now have the option to remove any programs via Control Panel. Anyone else have this????. It also did affect
my ability to access the net because it had changed a setting on ZoneAlarm version
zlsSetup_70_470_000_en. The way I fixed it was simply to change the "Internet Zone Security" to "Medium" as it was on "High" (whether the update changed it I don't know).
Anyone know any more as to why the Add/Remove Programs would be affected, as it definitely has been??
I am utterly astonished that you actually prefer BIND over DJBDNS. The latter is far simpler to configure than the former, and never misses a beat regardless of load.
Apart from that, BIND has deliberately not conformed to certain RFCs - a practice which hardly makes it 'close to administrators' hearts'.
Not just Zonealarm?
The update has already been widely reported in tech forums to screw up Zonealarm. I use this on my home PC, and spent some time trying to figure out how to get back on - including talking with my ISP tech support. Worryingly, even after an msconfig to do a clean start-up, I couldn't even browse with Windows Firewall on until I started and then shut down Zonealarm.
And even more worryingly, seemingly turning off Windows Firewall first for a moment made no difference.
Watch this space, I fear.
So everyone agrees that there is a problem with DNS, the MS update breaks a crappy product and you say MS didn't do enough testing?? Um, so you're saying it's not the fact that a group of vendors got together and changed how DNS works that broke ZA, but MS's crappy programming. Did you ever take into account that it was what they changed in DNS that broke ZA?
I'm no fan of MS, but please place the blame where it belongs. I mean a change in a standard can break anything that relied on the old standard.
Not the success story it appears to be
This is not as grand a success as it appears to be. The solution has been known since 1999, it is just that nobody bothered to implement it. See http://blog.netherlabs.nl/articles/2008/07/09/some-thoughts-on-the-recent-dns-vulnerability
Why this, why now?
So I have a theory on what it is that Dan Kaminsky may have discovered that is broken with DNS.
Basically it has to do with ICMP packets (spoofed ICMP unreachable response packets sent to the recursor in order to prevent it communicating with the real nameserver - or similarly sent to the real authoritative nameservers to prevent them talking to the recursor).
The biggest difficulty with spoofing DNS at the moment is that you need to silence the real nameservers in order to get your fake replies in.
ICMP packets are sent in response to other IP packets. For an ICMP response to be valid, it must contain the IP header of the packet it is a response to, but it also must contain 64 bits of the data payload. The reason for requiring 64 bits of the payload is to prevent people from spoofing ICMP replies to packets they have not received. In the case of a DNS packet, that payload is the first 64 bits of the UDP header.
What is in the first 64 bits of the UDP header? The source and destination ports of the DNS servers. If these are easily predictable then you can spoof ICMP.
If you can spoof ICMP, you can prevent the recursor from communicating with the real nameserver by sending an ICMP unreachable. This will make it very very easy to spoof DNS as it removes the biggest hurdle: that of silencing the real nameservers. It only takes about 2 min on a 10 Mbit/s connection to run through all 65536 possible sequence numbers, so if you can prevent the recursor from talking to the real nameservers it really is easy as pie.