DNS Recursion - FAIL - Open DNS Servers
DNS Server Administrators - Web Hosting Providers

Are your web servers open for DNS Recursion which in turn may expose a vulnerability for DNS Cache Poisoning? Could you be listed on the new DNS Cache Poisoner Blacklist being surveyed monthly? You don't want to be on that blacklist!

Those immediately concerned with this will be DNS Server Administrators, ISPs (Internet Service Providers), Email Service Providers (ESPs), Web Hosting Providers, and anyone who has control over DNS. This threat is real and applies to everyone (who is vulnerable) on both Windows and *NIX based DNS servers. Particularly those running BIND4/8.

Windows and Apache Servers

Windows 2000 SP3, Windows Server 2003 and modern Apache Servers may not be at risk, but it is still suggested that you run a DNS Report now for your domains to verify that your DNS is not open for non-authoritative recursion. Open recursion may expose you to DNS Cache Poisoning, which in turn may expose you to PPC Hijacking.

Open Resolver Test

In addition to the DNS Report, you can also run an Open Resolver Test by IP address. This open resolver tool sends a single "recursion desired" query to one or more target addresses. If the queries are forwarded to The Measurement Factory's authoritative server, the host has an open resolver running at that IP address.
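As an added illustration (not part of the original page, and not The Measurement Factory's tool), the following Python script performs the same kind of "recursion desired" check against a resolver you administer: it sends a query with the RD bit set for a name the server is not authoritative for, and classifies the reply by its RCODE, AA flag and RA flag. The server address, query name and sample reply bytes are assumed or constructed.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Build a DNS A query for name; the RD bit (0x0100) marks 'recursion desired'."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(reply, txid=0x1234):
    """Classify a reply header as 'invalid', 'refused', 'authoritative',
    'open-recursion' or 'not-recursive'."""
    if len(reply) < 12:
        return "invalid"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    rcode = flags & 0x000F
    if rid != txid or not flags & 0x8000:      # wrong id, or QR bit not set
        return "invalid"
    if rcode == 5:                              # REFUSED: recursion denied to us (good)
        return "refused"
    if flags & 0x0400:                          # AA: served its own zone, no lookup done
        return "authoritative"
    if flags & 0x0080 and (ancount > 0 or rcode == 3):  # RA plus a completed lookup
        return "open-recursion"
    return "not-recursive"

def check_resolver(server_ip, name="example.com.", timeout=3.0):
    """Send the RD query to a resolver you administer and classify its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server_ip, 53))
        try:
            reply, _ = sock.recvfrom(512)
        except socket.timeout:
            return "no-reply"
    return classify_response(reply)

# Constructed sample reply (not captured traffic): QR+RD+RA, NOERROR, one A answer.
SAMPLE_OPEN_REPLY = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                     + b"\x07example\x03com\x00\x00\x01\x00\x01"
                     + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01")

if __name__ == "__main__":
    print(classify_response(SAMPLE_OPEN_REPLY))   # open-recursion
    # print(check_resolver("192.0.2.53"))         # put your own server's address here
```

A result of "refused" (or "authoritative" for your own zones only) is what a correctly restricted server should return to clients outside its network.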


Notes for the Open Resolver Test

BIND4 and BIND8 - DNS Forwarders

"A vulnerability has been reported in HP Tru64 UNIX, which can be exploited by malicious people to poison the DNS cache.

The vulnerability is caused due to an error in DNS BIND4 and BIND8 when they are configured to be used as the target name server for DNS forwarders. This can be exploited in DNS cache poison attacks to e.g. redirect DNS clients to malicious or spoofed websites."

How to Prevent DNS Cache Pollution for Windows Servers

For Windows Server Administrators, the following article from the Microsoft database will assist you in configuring your server to prevent DNS Cache Pollution (as Microsoft refers to it), which is one and the same as DNS Cache Poisoning.

How to Prevent HTTP Request Smuggling for Apache Servers

Modern Apache Servers are reportedly configured by default to disallow HTTP Request Smuggling. HTTP Request Smuggling differs from DNS Cache Poisoning but is still considered a Cache Poisoning exploit.

"All versions of Apache previous to 2.1.6 are vulnerable to an HTTP request smuggling attack which can allow malicious piggybacking of false HTTP requests hidden within valid content. This method of HTTP Request Smuggling was first discussed by Watchfire some time ago. The issue has been addressed by an update to version 2.1.6."

HTTP Request Smuggling

Watchfire has published a document on HTTP Request Smuggling; it is very enlightening and a must read for those following this topic. It can be found here...

Check the box for HTTP Request Smuggling and then submit the requested information. That's the only way you'll get to view the 23-page document, which contains...

  1. Abstract
  2. Executive Summary
  3. What is HTTP Request Smuggling?
  4. What damage can HRS inflict?
  5. Example #1: Web Cache Poisoning
  6. Example #2: Firewall/IPS/IDS evasion
  7. Example #3: Forward vs. backward HRS
  8. Example #4: Request Hijacking
  9. Example #5: Request Credential Hijacking
  10. HRS techniques
  11. Protecting your site against HRS
  12. Squid
  13. Check Point FW-1
  14. Final note regarding solutions

A must read for all!

Attention Server Administrators - DNS Admins - Web Hosting Providers

Many of you are hating us right now. That's fine. You cannot continue to jeopardize the Internet as a whole by allowing this type of non-authoritative DNS Recursion to take place on your DNS servers. If you fail the DNS Report for Open DNS Servers, you need to fix that problem today. Not tomorrow. Not next week. And surely not ever. You may be placing your clients at risk by not correcting this issue immediately. And, think about this, if you are a U.S. based ISP, ESP, etc., you can be assured that someone will find a way to litigate these issues.

Instead of being Reactive on this issue, you need to be Proactive. The government has a document available for your viewing below. It contains everything you need to know concerning the potential threat this causes. Out of 1.3 million servers polled, 75% allowed for DNS recursion. How much of that 75% is being used for DNS Cache Poisoning and other miscreant exploits? That is a very scary thought!
