Re: regarding the critical DNS protocol vulnerability

[Russ Harvey <russ-harvey () UCR EDU>]

On Fri, Jul 11, 2008 at 03:39:59PM +1200, Russell Fulton wrote:
> On 11/07/2008, at 2:30 AM, Doug Pearson wrote:
> > Wednesday, 2008-07-09:
> >
> > Regarding ability to use the Doxpara tool in an automated fashion:
> >
> > Someone on NANOG came up with a perl wrapper that can be directed
> > at a specified DNS server.
> >
> > http://mailman.nanog.org/pipermail/nanog/2008-July/001966.html
>
> I have hacked this script so it reads output from nmap -oG (see the
> comment at the start of the script).   Nmap found nearly 100 addresses
> responding on tcp 53 but only a small fraction of these appear to be
> running name servers.  Most timed out when the script tried to make
> queries to them.  This slows things down enormously as the timeout is a
> couple of minutes so the script took an hour or so to run.
>
> The good news is that nearly all of our name servers are now fixed and
> there are a few more that will be rebooted over the weekend.
>
> Russell
Unfortunately the ISC fixes we tried for BIND did not work. We are running
9.4.1-P1 so first went to 9.4.2-P1, then 9.5.0-P1, then 9.5.1b1. We found
either exhausted file descriptors, EDNS handling bugs, or just plain poor
performance. We are back to 9.4.1-P1.

Anyone else having problems with patching BIND for this problem?

Thanks,
--russ

> #!/usr/bin/perl
> # vim:set ts=4 sw=4 ai et:
> #
> # noclicky.pl, version 1.00
> #
> # A command line ("non-clicky") client to query the toorrr.com service to
> # determine if a given nameserver is vulnerable to CERT Vulnerability Note
> # VU#800113 DNS Cache Poisoning attacks.  Based entirely on Dan Kaminsky's
> # JavaScript client, at <http://www.doxpara.com/>.  Updates are available
> # from <http://michael.toren.net/code/noclicky/>.
> #
> #   -- Michael C. Toren <mct () toren net>
> #      Tue Jul  8 21:59:10 PDT 2008
> #
> # hacked by Russell Fulton <r.fulton () auckland ac nz> Fri Jul 11th
> # read nmap output "sudo nmap -sS -T5 -p 53 -open -oG dns.scan xxx.yyy.0.0/16"
> # perl noclicky.pl dns.scan
> #
> #sudo nmap -sS -T5 -p 53 -oG -  xxx.yyy.0.0/16 | perl noclicky.pl *may* also work but but hung on my Mac ??
> #
>
>
> use Net::DNS;
> use LWP::UserAgent;
>
> use strict;
> use warnings;
>
> my $quiet = 1;    # set to '0' or undef if you want lots of output
>
> my @char = ("a" .. "z", 0 .. 9);
>
> sub lookup
> {
>     my $nameserver = shift;
>     my $domain = shift;
>     my $res = new Net::DNS::Resolver (nameservers => [$nameserver], recurse => 1)
>         or die "Net::DNS::Resolver constructor failed?";
>
>     my $query = $res->search($domain);
>     if( !$query ) {
>         print "DNS lookup failed: ", $res->errorstring, "\n";
>       return undef;
>     }
>
>     for my $rr ($query->answer)
>     {
>         return $rr->address if $rr->type eq "A";
>     }
>     print  "DNS lookup failed: $domain has no 'A' record?\n";
>     return undef;
> }
>
>
> while(  <> ) {
>     next if /^\s*#/;
>     next unless /open/;
>     chomp;
>     my ($nameserver) = /^Host: (\S+) /;
>
>      my $session = join "", map { $char[rand @char] } (1 .. 12);
>      my $domain = "$session.toorrr.com";
>
>     print "$nameserver - Testing nameserver: ";
>
>     print "Looking up $domain against $nameserver\n" unless $quiet;
>     my $ip = lookup( $nameserver, $domain);
>
>     next unless defined $ip;
>
>     print "Fetching http://$ip/fprint/$session\n"; unless $quiet;
>     my $agent = new LWP::UserAgent;
>     my $response = $agent->get("http://$ip/fprint/$session";,
>     Host => $domain, "Content-Type" => "application/x-javascript");
>     if( ! $response->is_success ) {
>       print "Failed: ", $response->status_line, "\n" ;
>       next;
>     }
>     my @data = split ",", $response->content;
>     if( @data < 6) {
>       print "Oops, I was expecting more comma separated data than I found\n";
>       next;
>     }
>     my $first = shift @data;
>     if( $first ne $domain ) {
>       print "Oops, fetched data was for session '$first', not $domain?\n";
>       next;
>     }
> #
>     print "Requests seen for $domain: " unless $quiet;
>
>     my %ports;
>     for my $data (@data)
>     {
>       chomp($data);
>       my ($ip, $port, $txid) = split "-", $data;
>     print "  $ip:$port TXID=$txid\n" unless $quiet;
>       $ports{$port} = 1;
>     }
>
>     if (keys %ports == 1) {
>       print "Your nameserver appears vulnerable; all requests came from the same port.\n";
>     } else {
>       print "Your nameserver appears to be safe\n";
>     }
> }

>