Update Your System To Prevent DNS Exploits

By Dan Morrill
Article Date: 2008-08-25

HD Moore has released an exploit module for the Metasploit framework, which means that script kiddies, every other security person, and wannabes are downloading it, if they have not already, and playing around with DNS on the internet today.

While meltdowns are probably not going to happen, the odds of individual cases of having the DNS server they use compromised are probably pretty good, which explains why the internet seems to be slow today here on the network that I am using. Bringing up snort, there seem to be many DNS packets just floating around the network, with many non-authoritative responses to go with them.
This exploit targets a fairly ubiquitous flaw in DNS implementations which allows the insertion of malicious DNS records into the cache of the target name server. This exploit caches a single malicious host entry into the target name server. By causing the target name server to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing the target name server to insert the additional record into the cache. Source: Caughq.org
What is also amusing is the number of reactions about how this should not have been released at all, but as with all exploits, there has been time to patch systems, and patches have been released for just about everything that is still in use. Major exploits like this one, while getting rarer, are always a good prompt to do a little patch management and fill in the gaps, given how much damage a hack this big can do.

If you think that your DNS server is vulnerable, you can test your server here; it will show whether your server is vulnerable, and it will also show you whether there is something weird going on. When I checked my DNS server, the reported unusual behavior list was cool to see.

82641ff36f57.toorrr.com: TXID=61158 TXID=34815 TXID=17062 TXID=17547 TXID=16754

toorrr.com is a private system from Dan Kaminsky; I am not sure if he meant to leave this page open so that people could swing by and take a look. There is some amusement here if the page toorrr.com was meant to be a private space. Worth checking out though, and make sure you are patched today.
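The checker output above lists the transaction IDs your resolver used for its queries to the random test hostname. As an added example, not part of the original post or of the checker, here is a small script that parses lines in that format and flags resolvers whose TXIDs are constant or sequential, which is exactly what makes the spoofed answers described in the quoted module text easy to land. The sample input reuses the one line from the post and adds two constructed lines (under the reserved example.test domain) to show the weak cases.

```python
import re

# Constructed sample: the first line is the one reported in the post, the other two
# are made up to show a sequential and a constant transaction ID pattern.
SAMPLE_REPORT = """\
82641ff36f57.toorrr.com: TXID=61158 TXID=34815 TXID=17062 TXID=17547 TXID=16754
deadbeef0001.example.test: TXID=1001 TXID=1002 TXID=1003 TXID=1004 TXID=1005
cafe00000002.example.test: TXID=4242 TXID=4242 TXID=4242 TXID=4242 TXID=4242
"""

LINE_RE = re.compile(r"^(?P<name>\S+):\s*(?P<ids>(?:TXID=\d+\s*)+)$")


def parse_report(text):
    """Return {hostname: [txid, ...]} from checker-style lines; other lines are skipped."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result[m.group("name")] = [int(x) for x in re.findall(r"TXID=(\d+)", m.group("ids"))]
    return result


def txid_verdict(ids):
    """Classify observed 16-bit transaction IDs.

    'insufficient': fewer than 3 samples, nothing can be said.
    'constant':     every query used the same ID (trivially guessable).
    'sequential':   a fixed increment between consecutive IDs (guessable after one observation).
    'random':       none of the above; the IDs look unpredictable from these samples.
    """
    if len(ids) < 3:
        return "insufficient"
    if len(set(ids)) == 1:
        return "constant"
    deltas = {(b - a) % 65536 for a, b in zip(ids, ids[1:])}
    if len(deltas) == 1:
        return "sequential"
    return "random"


def assess(text):
    """Map each reported hostname to the verdict on its TXID sequence."""
    return {name: txid_verdict(ids) for name, ids in parse_report(text).items()}


if __name__ == "__main__":
    for name, verdict in assess(SAMPLE_REPORT).items():
        print(f"{name}: {verdict}")
```

Random-looking TXIDs are necessary but not sufficient: 16 bits alone are still brute-forceable, and the patches the post refers to also randomize the UDP source port, which this heuristic does not observe.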


About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.