
Date:         Fri, 31 Dec 1999 13:00:35 -0700
From: Kurt Seifried <listuser@SEIFRIED.ORG>
Subject:      DNS spoofing/registering/etc
To: BUGTRAQ@SECURITYFOCUS.COM

Seems there are some people re-registering DNS domains/etc. Thought this was
appropriate.

http://www.securityportal.com/closet/

DNS insecurity

Kurt Seifried, seifried@seifried.org, for http://www.securityportal.com/

This article was meant for January 12, 2000 but SANS posted an item about it
being a problem so I thought I'd get it out the door.

December 31, 1999 - So you've got your DNS servers locked down, running the
latest greatest BIND code as a non-root user, in a chrooted environment and
life is pretty good. Until you go to your website and are faced with child
porn. So you take the web server(s) down and use your write protected
bootable tripwire disks, and everything checks out ok. No files have been
deleted or modified, all the web content is there, it's all normal. Bring
the server back up, make sure everything is running, and you go back to the
URL, child porn. You put the IP address into your web browser, you get the
normal site ("Widget's R US").

(Actor's voice similar to that guy on America's Most Wanted): What you just
read was a re-creation of an event that may have happened to someone. It
could happen to you too! Malicious script-kiddies (this does not require any
skill or much intelligence) changed your DNS records and "hijacked" the
domain. To confuse matters they also changed the registrar and points of
contact, resulting in a significant delay while getting everything sorted
out.

DNS names are centrally registered, usually via a web based form or email.
The authentication typically used is "mail from", that is if a request for
changes arrives from the right email address, the changes are made (and we
all know that email spoofing is trivial). To combat this you can configure
it to require an acknowledgement, however a mildly competent attacker will
simply forge an acknowledgement, and possibly flood your mail server (or
your account) with bogus email to prevent you from seeing the message (that
you might send a reply back saying "don't"). Unfortunately this system
worked quite well for a long time; domain names have only become popular
lately, especially with E-commerce and so on taking place, and the
Internet community was, generally speaking, less malicious.

SANS has been running an incident reporting website for a week now, people
email in logs/incident reports, etc and SANS posts them up. There is an
advisory (not an actual advisory per se, but a strong warning nonetheless)
at:

http://www.sans.org/y2k/123199-1305.htm

regarding this problem.

Using the guardian scheme with Network Solutions (those wonderful people
that spammed me, sorry but I had to say it) is relatively simple, go to the
contact form at:

http://www.networksolutions.com/cgi-bin/makechanges/itts/handle

and enter your contact handle, email address and click modify. The next
screen will ask you to choose your authentication method; the simplest is
the crypt password scheme, where you simply enter a password which is crypt()'ed.
To change DNS records/etc in the future you must enter that password. This
is definitely better than nothing, and it will slow an attacker down;
however you are still vulnerable to someone monitoring your email and
capturing it, as a determined attacker would do.

The other alternative is to use PGP, unfortunately their system only
supports older versions of PGP, and the keyserver is abysmally slow. However
with a little patience you can add your key, the procedure is covered at:

http://www.networksolutions.com/help/guardian.html

and basically consists of emailing a key to PGPREG@NETWORKSOLUTIONS.COM,
putting "add" in the subject line, and the key in the body of the message.
Once that is successfully registered you can then specify that key for use
with the guardian scheme. You will be required to PGP sign all changes,
making it very secure (even if an attacker eavesdrops they won't be able to
forge messages).

Like many things, people have been complacent about DNS security, because it
has not been a real problem in the past. Times are changing however and the
Internet is turning into a pretty dangerous environment. You need to protect
yourself, and the guardian scheme will let you do so effectively.

Kurt Seifried (seifried@seifried.org) is a security analyst and the author
of the "Linux Administrators Security Guide", a source of natural fiber and
Linux security, part of a complete breakfast.

Related links:

DNS security - closing the b(l)inds:

http://www.securityportal.com/closet/closet19990929.html

Kurt Seifried
http://www.seifried.org/
http://securityportal.com/lasg/
http://securityportal.com/closet/

My public keys are available at:
http://www.seifried.org/keys/
http://www.pgpi.org/ - recommended for Windows
http://www.gnupg.org/ - recommended for UNIX
http://www.pgp.com/ - recommended for commercial use
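The two Guardian methods compared in the article above (a crypt() password mailed in clear versus a PGP-signed request), as an added example that is not part of the original post or of Network Solutions' system: a toy registrar that accepts a name-server change under each method, showing why a captured password can be reused for an arbitrary request while a captured signature cannot. A salted SHA-256 hash stands in for crypt(3), HMAC-SHA256 stands in for a PGP signature, and the domain names and secrets are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed demo (not the registrar's code): salted SHA-256 stands in for
# crypt(3), HMAC-SHA256 over the request text stands in for a PGP signature.

def crypt_record(password):
    salt = secrets.token_hex(4)  # stored as salt$hash, like a crypt()'ed password
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()

def crypt_check(record, password):
    salt, digest = record.split("$", 1)
    got = hashlib.sha256((salt + password).encode()).hexdigest()
    return hmac.compare_digest(digest, got)

def sign(key, text):
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()

class Registrar:
    def __init__(self):
        self.ns = {"widgets.example": "ns1.widgets.example"}
        self.guardian = {}  # domain -> ("crypt", record) or ("pgp", key)

    def modify(self, domain, new_ns, auth):
        """auth is the password mailed in clear (crypt) or the signature (pgp)."""
        method, secret = self.guardian[domain]
        request = f"MODIFY {domain} NS {new_ns}"
        if method == "crypt":
            ok = crypt_check(secret, auth)  # any request carrying the password passes
        else:
            ok = hmac.compare_digest(auth, sign(secret, request))  # bound to this text
        if ok:
            self.ns[domain] = new_ns
        return ok

def demo():
    """Eavesdropper sees one legitimate request per method and tries to reuse it."""
    dom, good_ns, bad_ns = "widgets.example", "ns2.widgets.example", "ns.hijack.example"
    reg = Registrar()
    reg.guardian[dom] = ("crypt", crypt_record("hunter2"))
    reg.modify(dom, good_ns, "hunter2")                # owner's change, password in clear
    crypt_reused = reg.modify(dom, bad_ns, "hunter2")  # captured password works again
    reg = Registrar()
    key = secrets.token_bytes(32)
    reg.guardian[dom] = ("pgp", key)
    sig = sign(key, f"MODIFY {dom} NS {good_ns}")
    reg.modify(dom, good_ns, sig)                      # owner's signed change
    sig_reused = reg.modify(dom, bad_ns, sig)          # captured signature does not verify
    return {"crypt_reused": crypt_reused, "sig_reused": sig_reused, "ns": reg.ns[dom]}
```

A real signed request should also carry a date or serial so that an identical signed message cannot simply be resubmitted later; the demo only shows that the signature cannot be moved to different request text.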