Are your web servers open for DNS Recursion, which in turn may expose a vulnerability for DNS Cache Poisoning? Could you be listed on the new DNS Cache Poisoner Blacklist being surveyed monthly? You don't want to be on that blacklist!
Those immediately concerned with this will be DNS Server Administrators, ISPs (Internet Service Providers), Email Service Providers (ESPs), Web Hosting Providers, and anyone who has control over DNS. This threat is real and applies to everyone (who is vulnerable) on both Windows and *NIX-based DNS servers, particularly those running BIND4/8.
Windows 2000 SP3, Windows Server 2003 and modern Apache Servers may not be at risk. Even so, it is suggested that you run a DNS Report now for your domains to verify that your DNS is not open for non-authoritative recursion, which may expose an exploit for DNS Cache Poisoning, which in turn may expose an exploit for PPC Hijacking.
In addition to the DNS Report, you can also run an Open Resolver Test by IP address. This open resolver tool sends a single "recursion desired" query to one or more target addresses. If the queries are forwarded to The Measurement Factory's authoritative server, the host has an open resolver running at that IP address.
"A vulnerability has been reported in HP Tru64 UNIX, which can be exploited by malicious people to poison the DNS cache.
The vulnerability is caused due to an error in DNS BIND4 and BIND8 when they are configured to be used as the target name server for DNS forwarders. This can be exploited in DNS cache poison attacks to e.g. redirect DNS clients to malicious or spoofed websites."
For Windows Server Administrators, the following article from the Microsoft database will assist you in configuring your server to prevent DNS Cache Pollution (as Microsoft refers to it) or DNS Cache Poisoning, which are one and the same.
"DNS cache pollution can occur if Domain Name System (DNS) "spoofing" has been encountered. The term "spoofing" describes the sending of non-secure data in response to a DNS query. It can be used to redirect queries to a rogue DNS server and can be malicious in nature."
"After you enable this setting, the DNS server ignores DNS resource records that come from servers that are not authoritative for them. Although it can cause extra DNS queries, the security benefits far outweigh the cost of the extra queries, so enabling DNS cache pollution protection is highly recommended."
Apparently modern Apache Servers have been set by default to not allow HTTP Request Smuggling. HTTP Request Smuggling is a bit different than DNS Cache Poisoning but is still considered a Cache Poisoning exploit.
"All versions of Apache previous to 2.1.6 are vulnerable to an HTTP request smuggling attack which can allow malicious piggybacking of false HTTP requests hidden within valid content. This method of HTTP Request Smuggling was first discussed by Watchfire some time ago. The issue has been addressed by an update to version 2.1.6."
There is a document available from Watchfire on HTTP Request Smuggling. It is very enlightening and a must-read for those following this topic. It can be found here...
Check the box for HTTP Request Smuggling and then submit the requested information. That's the only way you'll get to view the 23 page document which contains...
A must read for all!
Many of you are hating us right now. That's fine. You cannot continue to jeopardize the Internet as a whole by allowing this type of non-authoritative DNS Recursion to take place on your DNS servers. If you fail the DNS Report for Open DNS Servers, you need to fix that problem today. Not tomorrow. Not next week. And surely not ever. You may be placing your clients at risk by not correcting this issue immediately. And, think about this, if you are a U.S. based ISP, ESP, etc., you can be assured that someone will find a way to litigate these issues.
Instead of being Reactive on this issue, you need to be Proactive. The government has a document available for your viewing below. It contains everything you need to know concerning the potential threat this causes. Out of 1.3 million servers polled, 75% allowed for DNS recursion. How much of that 75% is being used for DNS Cache Poisoning and other miscreant exploits? That is a very scary thought!