Date: Fri, 31 Dec 1999 13:00:35 -0700
From: Kurt Seifried <listuser@SEIFRIED.ORG>
Subject: DNS spoofing/registering/etc
To: BUGTRAQ@SECURITYFOCUS.COM

Seems there are some people re-registering DNS domains/etc. Thought this was appropriate.

http://www.securityportal.com/closet/

DNS insecurity
Kurt Seifried, seifried@seifried.org, for http://www.securityportal.com/

This article was meant for January 12, 2000, but SANS posted an item about it being a problem, so I thought I'd get it out the door.

December 31, 1999 - So you've got your DNS servers locked down, running the latest and greatest BIND code as a non-root user in a chrooted environment, and life is pretty good. Until you go to your website and are faced with child porn. So you take the web server(s) down, check them with your write-protected bootable Tripwire disks, and everything checks out OK. No files have been deleted or modified, all the web content is there, it's all normal. You bring the server back up, make sure everything is running, go back to the URL: child porn. You put the IP address into your web browser and you get the normal site ("Widgets R Us").

(Actor's voice, similar to that guy on America's Most Wanted:) What you just read was a re-creation of an event that may have happened to someone. It could happen to you too!

Malicious script kiddies (this does not require any skill or much intelligence) changed the domain's registration records at the registrar and "hijacked" the domain. Your hardened BIND installation never came into it: the delegation above it was changed, so the world was sent to someone else's name servers while your own servers and content stayed intact. To confuse matters they also changed the registrar and the points of contact, resulting in a significant delay while everything got sorted out.

DNS names are centrally registered, usually via a web-based form or email. The authentication typically used is "mail from": if a request for changes arrives from the right email address, the changes are made (and we all know that email spoofing is trivial).
To combat this you can configure the registrar to require an acknowledgement; however, a mildly competent attacker will simply forge the acknowledgement as well, and possibly flood your mail server (or your account) with bogus email so that you never see the notification (to which you might otherwise have replied "don't"). Unfortunately this system worked quite well for a long time: domain names have only become popular lately, especially with e-commerce taking off, and the Internet community was, generally speaking, less malicious.

SANS has been running an incident reporting website for a week now; people email in logs, incident reports, etc., and SANS posts them. There is an advisory (not an actual advisory per se, but a strong warning nonetheless) at http://www.sans.org/y2k/123199-1305.htm regarding this problem.

Using the Guardian scheme with Network Solutions (those wonderful people that spammed me, sorry but I had to say it) is relatively simple. Go to the contact form at http://www.networksolutions.com/cgi-bin/makechanges/itts/handle, enter your contact handle and email address, and click "modify". The next screen will ask you to choose your authentication method. The simplest is the crypt password scheme: you simply enter a password, which is stored crypt()'ed, and to change DNS records etc. in the future you must supply that password with the request. This is definitely better than nothing, and it will slow an attacker down; however, you are still vulnerable to someone monitoring your email and capturing the password, as a determined attacker would do, since the password travels in the clear with every change request and, once captured, can simply be replayed in a forged one.

The other alternative is to use PGP. Unfortunately their system only supports older versions of PGP, and the key server is abysmally slow. With a little patience, however, you can add your key; the procedure is covered at http://www.networksolutions.com/help/guardian.html and basically consists of emailing your public key to PGPREG@NETWORKSOLUTIONS.COM with "add" in the subject line and the key in the body of the message.
Once the key is successfully registered you can specify it for use with the Guardian scheme. You will then be required to PGP-sign all change requests, which makes it very secure: even if an attacker eavesdrops on your email, they cannot forge a signed request, because the signature requires your private key, which never leaves your machine. The flip side is that the private key and its passphrase now guard the domain, so protect them accordingly.

Like many things, people have been complacent about DNS registration security, because it has not been a real problem in the past. Times are changing, however, and the Internet is turning into a pretty dangerous environment. You need to protect yourself, and the Guardian scheme will let you do so effectively.

Kurt Seifried (seifried@seifried.org) is a security analyst and the author of the "Linux Administrators Security Guide", a source of natural fiber and Linux security, part of a complete breakfast.

Related links:
DNS security - closing the b(l)inds: http://www.securityportal.com/closet/closet19990929.html

Kurt Seifried
http://www.seifried.org/
http://securityportal.com/lasg/
http://securityportal.com/closet/
My public keys are available at: http://www.seifried.org/keys/

http://www.pgpi.org/ - recommended for Windows
http://www.gnupg.org/ - recommended for UNIX
http://www.pgp.com/ - recommended for commercial use
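The following is an added example, not part of Kurt's article and not Network Solutions' code. It models a registrar's change-request handler applying the three authentication levels the article walks through (mail-from, a crypt()'ed password, a signature over the request) to constructed sample emails, so the difference between them can be exercised: a forged From: line satisfies the first, a captured password replays against the second, and only a request signed by the contact's own key satisfies the third. Everything about the message format is assumed for the example: the X-Auth-Info and X-Signature headers, the scheme labels, and the Contact record. Ed25519 from the Go standard library stands in for PGP (the standard library has no OpenPGP), and a salted SHA-256 stands in for crypt().

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"io"
	"net/mail"
	"strings"
)

// Contact is the registrar's record for a point of contact (assumed layout).
type Contact struct {
	Email  string
	Scheme string            // "MAIL-FROM", "CRYPT-PW" or "SIGNED" (assumed labels)
	Salt   []byte            // CRYPT-PW: salt for the stored hash
	PwHash []byte            // CRYPT-PW: SHA-256(salt || password), stand-in for crypt()
	PubKey ed25519.PublicKey // SIGNED: stand-in for the contact's PGP public key
}

// request is what the handler extracts from an incoming change-request email.
type request struct {
	from, body string
	authInfo   string // X-Auth-Info header (assumed): the CRYPT-PW password
	signature  []byte // X-Signature header (assumed): hex-encoded signature
}

func parseRequest(raw string) (request, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return request{}, err
	}
	addr, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return request{}, err
	}
	body, _ := io.ReadAll(msg.Body) // reading from an in-memory string cannot fail
	sig, err := hex.DecodeString(msg.Header.Get("X-Signature"))
	if err != nil {
		return request{}, err
	}
	return request{addr.Address, string(body), msg.Header.Get("X-Auth-Info"), sig}, nil
}

// signedContent binds the body to the sender identity, so a captured signature
// cannot be lifted onto a different request or a different contact.
func signedContent(from, body string) []byte {
	return []byte(from + "\n" + body)
}

// hashPassword stands in for crypt(): the registrar keeps only a salted hash,
// but the password itself still travels in the clear in every request.
func hashPassword(salt []byte, pw string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	return h[:]
}

// newKeyPair and signRequest are the contact's side: the private key is
// generated and used on the contact's machine and never sent to the registrar.
func newKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func signRequest(priv ed25519.PrivateKey, from, body string) string {
	return hex.EncodeToString(ed25519.Sign(priv, signedContent(from, body)))
}

// Authorize applies the contact's configured scheme to a raw message and
// reports whether the registrar should act on it.
func Authorize(c Contact, raw string) (bool, error) {
	req, err := parseRequest(raw)
	if err != nil {
		return false, err
	}
	// Every scheme starts with the From: check. For MAIL-FROM it is the whole
	// check, and From: is a header the sender writes however they like.
	if !strings.EqualFold(req.from, c.Email) {
		return false, nil
	}
	switch c.Scheme {
	case "MAIL-FROM":
		return true, nil
	case "CRYPT-PW":
		got := hashPassword(c.Salt, req.authInfo)
		return subtle.ConstantTimeCompare(got, c.PwHash) == 1, nil
	case "SIGNED":
		if len(c.PubKey) != ed25519.PublicKeySize {
			return false, fmt.Errorf("contact %s has no registered key", c.Email)
		}
		return ed25519.Verify(c.PubKey, signedContent(req.from, req.body), req.signature), nil
	}
	return false, fmt.Errorf("unknown auth scheme %q", c.Scheme)
}

// buildMessage constructs a sample change-request email. An attacker writes
// the From: line exactly as easily as the real contact does.
func buildMessage(from, body string, extra map[string]string) string {
	var b strings.Builder
	fmt.Fprintf(&b, "From: %s\r\nTo: hostmaster@registrar.example\r\n", from)
	b.WriteString("Subject: MODIFY widgets-r-us.example\r\n")
	for k, v := range extra {
		fmt.Fprintf(&b, "%s: %s\r\n", k, v)
	}
	b.WriteString("\r\n" + body)
	return b.String()
}

func main() {
	owner := "dns-admin@widgets-r-us.example"
	hijack := "Nameservers: ns1.attacker.example ns2.attacker.example\r\n"
	pub, _ := newKeyPair()
	for _, c := range []Contact{{Email: owner, Scheme: "MAIL-FROM"}, {Email: owner, Scheme: "SIGNED", PubKey: pub}} {
		ok, err := Authorize(c, buildMessage(owner, hijack, nil))
		fmt.Printf("%-9s forged From:, no credentials: accepted=%v err=%v\n", c.Scheme, ok, err)
	}
}
```

Two things the example makes visible that the prose only states: the CRYPT-PW branch cannot tell a replayed password from the genuine one, because the password is the same bytes every time, while the SIGNED branch rejects a captured signature as soon as the body differs. What a signature alone does not stop is replay of an identical signed request (the same "delete" resubmitted later); a real scheme would also sign a timestamp or serial number and have the registrar refuse to accept it twice.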