nanog mailing list archives

Re: new DNS forwarder vulnerability


From: Laszlo Hanyecz <laszlo () heliacal net>
Date: Sat, 15 Mar 2014 16:36:09 +0000

Good question, but the reality is that a lot of them are this way. They just forward everything from any source. Maybe it was designed that way to support DDoS as a use case.

Imagine a simple iptables rule like -p udp --dport 53 -j DNAT --to 4.2.2.4
I think some forwarders work this way - the LAN addresses can be reconfigured and so it's probably easier if the rule 
doesn't check the source address.. or maybe it was designed to work this way on purpose, because it's easy to explain 
as a 'bug' or oversight, rather than deliberate action.  Of course, it's crazy to think that some person or 
organization deliberately did this so they would have a practically unlimited amount of DoS sources.

-Laszlo


On Mar 15, 2014, at 4:26 PM, Gary Baribault <gary () baribault net> wrote:

Why would a CPE have an open DNS resolver from the WAN side?

Gary Baribault

On 03/14/2014 12:45 PM, Livingood, Jason wrote:
Well, at least all this CPE checks in for security updates every night so
this should be fixable. Oh wait, no, nevermind, they don't. :-(


This is getting to be the vulnerability of the week club for home gateway
devices - quite concerning.

JL

On 3/14/14, 12:05 PM, "Merike Kaeo" <merike () doubleshotsecurity com> wrote:

On Mar 14, 2014, at 7:06 AM, Stephane Bortzmeyer <bortzmeyer () nic fr>
wrote:

On Fri, Mar 14, 2014 at 01:59:27PM +0000,
Nick Hilliard <nick () foobar org> wrote
a message of 10 lines which said:

did you characterise what dns servers / embedded kit were
vulnerable?

He said "We have not been able to nail this vulnerability down to a
single box or manufacturer" so it seems the answer is No.


It is my understanding that many CPEs work off of the same reference
implementation(s). I haven't had any cycles for this but with all the
CPE issues out there it would be interesting to have a matrix of which
CPEs utilize which reference implementation. That may start giving
some clues.

Has someone / is someone doing this?

- merike
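
Added example, not part of the thread or any poster's code: a small audit for the kind of rule Laszlo describes, flagging port-53 DNAT rules that match no input interface or source prefix. The rule set is constructed sample data in iptables-save format; the interface name br-lan and the 192.168.1.0/24 LAN prefix are assumptions, and 4.2.2.4 is the forwarder address from the message.

```shell
#!/bin/sh
# Constructed sample: three port-53 DNAT rules as iptables-save prints them.
# The first is the rule from the message (no source check at all); the other
# two are the same redirect limited to an assumed LAN interface / LAN prefix.
sample_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination 4.2.2.4
-A PREROUTING -i br-lan -p udp -m udp --dport 53 -j DNAT --to-destination 4.2.2.4
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j DNAT --to-destination 4.2.2.4
-A PREROUTING -p udp -m udp --dport 5353 -j DNAT --to-destination 4.2.2.4
COMMIT
EOF
}

# Read iptables-save text on stdin and print "OPEN: <rule>" for every rule
# that DNATs destination port 53 without any -i (input interface) or -s
# (source prefix) match. Returns 1 if at least one such rule exists, else 0.
# Heuristic only: a rule that has -i or -s still needs a human check that
# the match really names the LAN side.
audit_dns_dnat() {
    awk '
        /^-A / && /-j DNAT/ && /--dport 53( |$)/ {
            restricted = 0
            for (i = 1; i <= NF; i++)
                if ($i == "-i" || $i == "-s")
                    restricted = 1
            if (!restricted) { print "OPEN: " $0; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Stand-alone run over the sample; on a live box feed it `iptables-save -t nat`.
sample_rules | audit_dns_dnat || true
```

Only the first sample rule is reported; the port-5353 rule is ignored because the match is on port 53 exactly.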







