The Active Network
  Details on DNS flaw inadvertently leaked; researcher says patch now
Time: 00:04 EST/05:04 GMT | News Source: BetaNews | Posted By: Kenneth van Surksum

The cat is out of the bag before Black Hat. That isn't a passage from a Dr. Seuss children's book, but a description of what happened on Monday when a Web site accidentally posted details about a DNS flaw uncovered by security researcher Dan Kaminsky earlier this month.

Kaminsky, who plans to discuss the flaw at the forthcoming Black Hat security conference in Las Vegas next month, had wanted to keep the details private until then, in hopes of preventing the flaw from being used to maliciously redirect Internet traffic to phony Web sites for large-scale phishing exploits.

  This is an archived static copy of ActiveWin.com.
#1 By 23275 (68.186.182.236) at Wednesday, July 23, 2008 04:59:04 AM
Well... this cat is out of the bag.

AD DNS operators that do not have recursion enabled and do not face the public Internet, relax: you had a patch a good bit ago (along with most other DNS types). This applies most to operators of "Host Named" DNS servers like our own .41 and .42 that are authoritative delegates for assigned address spaces (forward and reverse delegate authorities) and that do have recursion enabled; simply, open to the public networks.

Patching is not enough. "IF" your host named DNS server "WAS" behind a NAT and your firewall manufacturer does not have a work-around, or a patch, the NAT device itself can leave the Host Named DNS vulnerable. You'll have to move your Host Named DNS servers into the DMZ and in front of a NAT device, or the device itself will return patterned, or predictable port numbers and make vulnerable an otherwise patched DNS server.

It's a mess now, but happily, people have been cooperating for many months and patches are available. However, architectural changes have to be made in many cases. If you have not patched, do so now. If your Host Named DNS with Recursion Enabled is behind a NAT, move it to the DMZ.

#2 By 54556 (67.131.75.22) at Wednesday, July 23, 2008 11:34:12 AM
Good point, Lloyd. It's a pity that the BetaNews coverage was not complete enough to point out the NAT implications of the workarounds that are being distributed as patches.

#3 By 23275 (68.186.182.236) at Wednesday, July 23, 2008 12:54:51 PM
#2, Yes, it was/is potentially very confusing for people. Our own case is representative of what can happen. When I first discussed this with our team, the immediate reply was, "we're patched up and good to go."

That didn't seem right to me, as we had an edge firewall ahead of our split DNS Authoritative Host Named DNS Servers. I ordered more tests and sure enough, returns from behind the NAT device, regardless of one-to-one publishing rules (e.g., no proxy at all, but a straight pass-through), reflected unique TXT IDs; however, the ports being assigned by the NAT were sequential (bad news). So we had to plan to move things and not use NAT to protect the D-DNS servers. We tested again and both ports and TXT IDs were random (as they should be).

BTW, I should have provided this test link in my first post: http://www.doxpara.com has a "Check My DNS" button. For all users/public host named DNS operators with recursion enabled, please ensure that your systems return no discernible patterns.
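
Editor's note: the test Lloyd describes in #1 and #3 (look at what the NAT actually emits, not at what the patched server thinks it sends) can be done from the outside with a packet capture and a few lines of code. The script below is an added example, not code from this page, from Lloyd's posts or from doxpara.com. It assumes you captured the resolver's queries on an authoritative server you control with `tcpdump -n udp port 53`, and it scores the observed source ports and transaction IDs for the counter-style pattern a port-rewriting NAT produces. The capture lines, IP addresses and thresholds are constructed for the example.

```python
"""Check whether a resolver's outbound DNS queries, as seen from outside, show
predictable source ports or transaction IDs.

Added example; not code from the original page, from doxpara.com, or from any
DNS vendor. It assumes the resolver's queries were captured on an authoritative
server you control with `tcpdump -n udp port 53` and reads the source port and
transaction ID from each query line.
"""
import re
from collections import Counter

# tcpdump -n prints a query as "IP src.sport > dst.53: txid+ A? name. (len)".
# The "+" after the ID is the RD flag. Replies have port 53 on the left-hand
# side and are deliberately not matched.
QUERY_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > [\d.]+\.53: (?P<txid>\d+)\b"
)


def parse_queries(lines):
    """Return (source_port, txid) for every line that is an outbound query."""
    samples = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            samples.append((int(m.group("sport")), int(m.group("txid"))))
    return samples


def sequential_fraction(values):
    """Share of successive deltas equal to the single most common delta.

    A counter (a NAT handing out ports in order) scores close to 1.0; a random
    16-bit source scores close to 1/(n-1) because almost every delta differs.
    """
    if len(values) < 3:
        raise ValueError("need at least 3 samples")
    deltas = [b - a for a, b in zip(values, values[1:])]
    _, top = Counter(deltas).most_common(1)[0]
    return top / len(deltas)


def distinct_ratio(values):
    """Share of samples that are unique; a NAT reusing a few ports scores low."""
    return len(set(values)) / len(values)


def assess(values, seq_threshold=0.5, distinct_threshold=0.8):
    """Classify a list of ports or TXIDs as PATTERNED or RANDOM-LOOKING.

    The thresholds are assumptions chosen for this example, not values from
    the page or from any published test.
    """
    stats = {
        "n": len(values),
        "sequential": round(sequential_fraction(values), 2),
        "distinct": round(distinct_ratio(values), 2),
        "span": max(values) - min(values),
    }
    patterned = (
        stats["sequential"] >= seq_threshold
        or stats["distinct"] < distinct_threshold
    )
    return ("PATTERNED" if patterned else "RANDOM-LOOKING"), stats


def resolver_vulnerable(samples):
    """True if either the ports or the TXIDs are predictable.

    A random TXID alone leaves 16 bits for an attacker to guess; the patch only
    helps when the source port adds its own entropy, and a NAT that rewrites
    ports in order takes that entropy away again.
    """
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    return assess(ports)[0] == "PATTERNED" or assess(txids)[0] == "PATTERNED"


# Constructed captures (not real traffic). Both sets use random-looking TXIDs;
# the first imitates a patched server behind a NAT that rewrites the source
# port to a counter, the second the same server moved in front of the NAT.
_TXIDS = [18975, 2499, 59259, 11608, 45078, 32658,
          21421, 50400, 7015, 40484, 28089, 62220]
_NAT_PORTS = list(range(32768, 32780))
_DMZ_PORTS = [51724, 3391, 62010, 17456, 44873, 29102,
              58367, 7749, 36210, 21983, 49655, 12340]


def _capture(ports):
    lines = [
        f"IP 203.0.113.41.{p} > 198.51.100.7.53: {t}+ A? example.net. (29)"
        for p, t in zip(ports, _TXIDS)
    ]
    # One reply line, which parse_queries() must ignore.
    lines.insert(1, "IP 198.51.100.7.53 > 203.0.113.41.%d: %d 1/0/0 A 192.0.2.10 (45)"
                 % (ports[0], _TXIDS[0]))
    return lines


BEHIND_NAT_CAPTURE = _capture(_NAT_PORTS)
IN_DMZ_CAPTURE = _capture(_DMZ_PORTS)


if __name__ == "__main__":
    for name, capture in (("behind NAT", BEHIND_NAT_CAPTURE), ("in DMZ", IN_DMZ_CAPTURE)):
        samples = parse_queries(capture)
        ports, txids = [p for p, _ in samples], [t for _, t in samples]
        print(name, "ports:", assess(ports), "txids:", assess(txids),
              "vulnerable:", resolver_vulnerable(samples))
```

Run it against a real capture by replacing the constructed lists with the output of `tcpdump -n udp port 53` taken on the authoritative side. The point of scoring ports and TXIDs separately is exactly the case in #3: the TXIDs come back unique while the ports count up, and `resolver_vulnerable()` reports true for that combination even though the server itself is patched.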

#4 By 9589 (76.6.29.196) at Wednesday, July 23, 2008 03:49:51 PM
Lloyd, thank you for including the web site above in your discussion.

jdh

#5 By 9589 (76.6.29.196) at Wednesday, July 23, 2008 03:50:18 PM
Double post . . .

This post was edited by jdhawk on Wednesday, July 23, 2008 at 15:50.



 
