Helpful Fools / Help with this Blasted Computer!
Author: geebee2 (Big gold star, 5000 posts)
Number: of 168058
Subject: DNS security Date: 26/4/09 07:15
Recommendations: 6
I will start by highlighting a couple of links, to try and persuade you that there is a real security problem here.

"One of Brazil's biggest banks has suffered an attack that redirected its
customers to fraudulent websites that attempted to steal passwords and
install malware, according to an unconfirmed report."

http://www.theregister.co.uk/2009/04/22/bandesco_cache_poiso...

" 'An attack might be possible in five hours with the patch. That's much
better than the minutes an attack might have taken before but systems are
still not really protected. IT's bought time without solving the underlying
problem,' Mockapetris told El Reg.

Mockapetris helped invent the DNS system in the 1980s. The original
intention was to get systems up and running and add security features later
but the process has proved far more protracted than he ever imagined.
Mockapetris now reckons DNSSec might eventually be applied in 2015 but given
he said five years ago that the technology would be "ubiquitous" by 2008 we
ought to treat such predictions with caution."

http://www.theregister.co.uk/2008/11/12/mockapetris_intervie...

Ok. About last August, I became aware of the DNS spoofing problem, and became concerned/interested. I came across this http://www.kb.cert.org/vuls/id/800113

I realised that the only way to properly fix this security hole was to write a secure resolver, that is not susceptible to spoofing. I spent a few hours over my summer holiday developing such a resolver. My initial ideas were not quite right, but over the next few months I refined them into what I felt is now a good working solution.

This post is really a call for suggestions on what next. My social conscience is telling me that since other people are still wide open to this source of insecurity, I should make some effort to remedy the situation.

A few thoughts I have had:

(1) I would like a small number of people to test the software further. I have been using it myself, and at the company for which I work, for about 6 months, but would like a wider test. Installing the program only takes about 2 minutes ( for most machines - old machines may need Microsoft .NET runtime support to be installed as a prerequisite ). You will then have a PC not vulnerable to DNS spoofing.

(2) After that, I think some publicity might be appropriate.

(3) Maybe ISPs could be encouraged to upgrade their caches. Since most of these will be running Unix variants and not Windows, the software I have written will need to be ported to Unix. I haven't programmed for Unix for over 20 years, and don't run any Unix boxes, so I'm not well placed here.

(4) Maybe software vendors could be encouraged to upgrade their DNS resolvers ( e.g. Microsoft, ISC BIND ) to be safe. Maybe someone could write a "patch" for BIND.

(5) Maybe Banks/Financial institutions could be contacted to add weight to such a campaign.

The project web page ( which is non-profit, public domain free software ) is :

http://www.george-barwood.pwp.blueyonder.co.uk/DnsServer/

Anyway, please let me know what you think, questions, suggestions, whether you might be interested, etc.

Best Regards,
George

Author: chas49 (Three stars, 500 posts) Number: 155781 of 168058
Subject: Re: DNS security Date: 26/4/09 13:12
Recommendations: 1
According to the linked article at http://www.kb.cert.org/vuls/id/800113, at least OpenDNS is not vulnerable.

So presumably, since my router uses OpenDNS rather than my ISP's DNS, I'm safe.

I suspect this is a simpler solution than implementing a new resolver... or have I missed something?

Author: geebee2 (Big gold star, 5000 posts) Number: 155786 of 168058
Subject: Re: DNS security Date: 26/4/09 15:40
Recommendations: 0
chas

Unfortunately OpenDNS is vulnerable, even though it has been patched.

Before the patch, an attack succeeds in just a few seconds.

After the patch, an attack takes maybe 8 hours ( as the Mockapetris interview indicates ).

http://www.theregister.co.uk/2008/11/12/mockapetris_intervie...

So the vulnerability is still very much there.

The standard patch ( which is to use source port randomisation ) gains some protection, but cannot be described as secure.

It's especially nasty, because poisoning a cache allows thousands of users to be compromised at one go. The implications ( expounded at length by Dan Kaminsky ) are quite horrible - email can be redirected, people logging in to online banking often start with a http rather than https link, etc. Basically it allows a sophisticated attacker to gain complete control over all the users of the compromised DNS cache at a single stroke.

Commentators are all saying that people have to wait for DNSSEC - but that's unacceptable in my view, given that it's possible (albeit quite a lot of work!) to write a secure resolver today.

Thanks very much for asking though - and please ask away for more details.

Author: 1an (Big red star, 1000 posts) Number: 155794 of 168058
Subject: Re: DNS security Date: 26/4/09 19:10
Recommendations: 0
Hi George,

Congrats on picking this up - it's an interesting topic.

My first thought were also towards OpenDNS, which I've used and advocated for some time. I was pretty sure they were unaffected and this quote re-affirms those thoughts:
"Lots of good came out of Dan Kaminsky’s discovery of a major vulnerability in most of the Internet’s recursive DNS servers.
...
Since OpenDNS’s servers are not vulnerable - never were vulnerable, actually - lots of you switched to OpenDNS."
[ Source: http://blog.opendns.com/2008/07/31/welcome-new-opendns-users... and repeated in essence here: http://blog.opendns.com/2008/07/08/opendns-keeping-you-safe/... ]

My take on this is that as OpenDNS' infrastructure never needed patching, the shortfall from just patching isn't applicable in their case. Obviously you may wish to take this up with OpenDNS themselves.

It's also worth noting that, according to the second link, the open source PowerDNS software is also not vulnerable to the cache poisoning threat. This ties in with the 'Not Vulnerable' status assigned to it (and OpenDNS) in the http://www.kb.cert.org/vuls/id/800113 document. PowerDNS is co-authored by Bert Hubert - an authority I believe you are familiar with - so if his solution is correctly regarded as 'not vulnerable', it stands to reason that OpenDNS is similarly correctly labeled.

That said, I'm happy for my thinking to be proven wrong if it means improved security. So, if you do contact OpenDNS about this, please keep us informed as to the outcome. (I might drop them a line myself, but my knowledge only goes so far....)


ATB,
Ian..

Author: geebee2 (Big gold star, 5000 posts) Number: 155800 of 168058
Subject: Re: DNS security Date: 26/4/09 21:19
Recommendations: 0
Hi Ian,

I can assure you that both PowerDns and OpenDNS are vulnerable. They both use port randomization, which is much, much better than nothing, but it can still be broken in very roughly 5 hours as Mockapetris states, so really cannot be considered fully secure.

This is not a criticism of either, since as I said, every recursor in the world ( except the one I have written! ) is vulnerable. Well, it's possible that someone, somewhere has implemented duplication/repetition without my knowledge, but if so they have kept very quiet about it. It's a small community.

I will give a quick technical outline of the situation:

(1) DNS operates (by-and-large) using UDP connections ( rather than TCP ). A DNS client sends a single UDP packet to a DNS server to obtain data. The packet header has a random 16-bit ID, that is used to validate the response.

(2) An attacker can send "spoof" forged responses, with malicious data. The attacker will need to guess the 16-bit ID value. So after about 2^16 = 65536 attempts he is likely to succeed.

(3) The DNS client can also select a random source port ( generally chosen from the range 1024 - 65535 to avoid clashes ), which means an attacker then needs roughly 2^32 attempts to succeed.

(4) It turns out that an attacker can attack recursive resolvers (my resolver excepted) at a rate limited only by network bandwidth. Even if the resolver is not fully public, attacks are still possible if the attacker can force queries for particular domains at a high rate. This is the Kaminsky attack.

(5) NAT firewalls, by nature of how they work, usually undo any source port randomization. So recursive resolvers relying on port randomization operating behind NAT firewalls are very vulnerable.

(6) Other resolvers are only "somewhat" vulnerable ( they last for about 5 hours, or probably somewhat longer under more realistic network bandwidth constraints ).

(7) Stub clients ( that forward requests to a shared server ) are also somewhat vulnerable, in that stub resolvers don't use port randomisation, so a well timed blind attack has a 1 in 2^16 chance of succeeding. Attacks on stub resolvers are not so well studied, but are still a source of concern.

[ Pretty much everything up to here is in the CERT advisory note, http://www.kb.cert.org/vuls/id/800113 , although it doesn't dwell on the continuing vulnerability of patched servers, for obvious reasons! ]

(8) The (main) way to solve all this is to send 2 or 3 queries, and check that the responses agree. Unfortunately this is more complicated than it seems, because some authoritative servers send non-deterministic responses, which need to be carefully processed to obtain a secure result.

The depressing thing is that all this is quite well known, but no-one can be bothered to do anything about it. Commercially, it's hard to justify the cost of writing some relatively complex software. The "official" view is to wait for DNSSEC to be deployed, but that will take at least 5 to 10 years, and it could be much longer (it may never happen), nobody has any real idea - progress is snail-like.

So the whole world is insecure, and until some really big fraud occurs, we will probably muddle along, with ordinary people being defrauded, their email being intercepted, etc. I'm just trying to do something about it, but on my own (well, some within the DNS community have been helpful, especially Nicholas Weaver of ICSI Berkeley), it's a pretty uphill battle.

Seriously, it would be of great assistance if a few TMFers could try it. There is normally no performance penalty ( the queries are sent in parallel ), and if I can report some successful, independent users, it adds greatly to the credibility of the project. Some kind of testimonial, whatever, would be really great.

It's especially useful with laptops, where when travelling you may be using untrusted, possibly unpatched, caches that are particularly vulnerable ( although OpenDNS is a valid solution to this problem, but then OpenDNS is a very obvious target for attackers, and you have to trust OpenDNS - not that I'm saying they are untrustworthy ).

The other route I'm thinking about is approaching Microsoft directly. I do have a possible contact who implemented https for Internet Explorer, and I gave him some (free!) consultancy many years ago on this ( I used to be quite interested in cryptography, in particular elliptic curves - google for George Barwood and you will see what I mean - well, err, maybe not - it says too much about me really! ).

Many thanks for your interest, it is very much appreciated.
George

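As an added illustration of the outline in points (1) to (8) above (example code written for this page, not GbDns or any other project's code), the following Python models the blind-forgery odds for one query with and without source port randomisation, and the "send several queries and accept only agreeing answers" check, with the normalisation needed for authorities that rotate record order or decrement TTLs. The record values and addresses are constructed for the demo.

```python
"""Model of blind DNS response forgery versus query repetition (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple

ID_SPACE = 2 ** 16                   # 16-bit transaction ID in the DNS header
PORT_LOW, PORT_HIGH = 1024, 65535    # randomised source-port range quoted in the thread


def guess_space(port_randomisation: bool) -> int:
    """Number of (ID, source port) pairs a blind forger must cover for ONE query.

    port_randomisation=False models a stub resolver, or a recursive resolver whose
    randomised source port is rewritten to a predictable one by a NAT device.
    """
    ports = (PORT_HIGH - PORT_LOW + 1) if port_randomisation else 1
    return ID_SPACE * ports


def blind_match_probability(repetitions: int, port_randomisation: bool) -> float:
    """Chance that one forged packet per outstanding copy of a query matches all copies.

    With query repetition each copy carries its own independent ID and port and the
    resolver only accepts an answer that every copy agrees on, so the odds multiply.
    """
    return (1.0 / guess_space(port_randomisation)) ** repetitions


@dataclass(frozen=True)
class RR:
    """A minimal resource record: owner name, type, rdata and TTL."""
    name: str
    rtype: str
    rdata: str
    ttl: int


def canonical(answer: Iterable[RR]) -> FrozenSet[Tuple[str, str, str]]:
    """Order- and TTL-independent form of an answer section.

    Round-robin authorities rotate record order between responses and TTLs count
    down, so neither may be allowed to make two honest answers look different.
    Owner names are compared case-insensitively and without the trailing dot.
    """
    return frozenset(
        (rr.name.lower().rstrip("."), rr.rtype.upper(), rr.rdata.lower())
        for rr in answer
    )


def agreed_answer(
    responses: Iterable[Iterable[RR]],
) -> Optional[FrozenSet[Tuple[str, str, str]]]:
    """Return the common canonical answer if all repeated responses agree, else None.

    None means "do not cache and do not hand to the client": at least one copy of
    the query was answered differently, which is exactly what a forgery that hit
    only one of the copies looks like.
    """
    forms = {canonical(r) for r in responses}
    return forms.pop() if len(forms) == 1 else None


if __name__ == "__main__":
    # Constructed sample data (RFC 5737 documentation addresses, not real hosts).
    honest_1 = [RR("www.example.net.", "A", "192.0.2.10", 300),
                RR("www.example.net.", "A", "192.0.2.11", 300)]
    honest_2 = [RR("WWW.example.net.", "A", "192.0.2.11", 298),   # rotated, TTL lower
                RR("WWW.example.net.", "A", "192.0.2.10", 298)]
    forged = [RR("www.example.net.", "A", "198.51.100.7", 86400)]

    print("guesses, ID only       :", guess_space(False))
    print("guesses, ID + port     :", guess_space(True))
    print("p(match), 1 query      :", blind_match_probability(1, True))
    print("p(match), 3 queries    :", blind_match_probability(3, True))
    print("honest pair agrees     :", agreed_answer([honest_1, honest_2]) is not None)
    print("one forged copy agrees :", agreed_answer([honest_1, forged]) is not None)
```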
Author: 1an (Big red star, 1000 posts) Number: 155806 of 168058
Subject: Re: DNS security Date: 27/4/09 01:24
Recommendations: 1
Hi George,

"I can assure you that both PowerDns and OpenDNS are vulnerable. They both use port randomization, which is much, much better than nothing, but it can still be broken in very roughly 5 hours as Mockapetris states, so really cannot be considered fully secure.

This is not a criticism of either, since as I said, every recursor in the world ( except the one I have written! ) is vulnerable. Well, it's possible that someone, somewhere has implemented duplication/repetition without my knowledge, but if so they have kept very quiet about it. It's a small community."

I'd be really surprised if PowerDNS (and equally OpenDNS) were only utilising port randomisation. As you know (or maybe you don't, but Bert - to whom you link on your web site - knows what it will take to help resolve the issue: see http://blog.netherlabs.nl/articles/2008/8 for example), Bert Hubert is the co-author of PowerDNS and he has taken every opportunity to advise the DNS community what is required when it comes to securing the 'system'.

On that basis, I strongly urge you to contact Bert and/or David Ulevitch (co-founder of OpenDNS) to see just how your solution relates to their implementation of name resolution.

I'm not saying you are wrong. What I'm suggesting is that others have (to all intents and purposes) taken the same stance as yourself, but rather than take it at the client level, they have taken it at the DNS infrastructure level.

I'm not meaning to belittle your efforts. I'm just hoping to ensure that your efforts aren't being wasted. You are clearly more clued up about the whole issue than myself, but there are those rare persons out there that can - and will - liaise with you on this matter on an equal standing. You need to be contacting them - Bert, David and maybe even Dan - to get any progress, IMHO.


ATB,
Ian..

Author: geebee2 (Big gold star, 5000 posts) Number: 155808 of 168058
Subject: Re: DNS security Date: 27/4/09 10:04
Recommendations: 0
Ian

I may contact Bert directly (I'm always somewhat reluctant to contact people out of the blue). He will however be aware of my position via the IETF namedropper mailing list and my IETF internet draft. The article you linked is dated August 2008, and (after the calculations, which look correct) really consists of musings on what might be done. The trouble is that since that date nothing actually has been done, excluding my efforts.

I'm not entirely sure why - but my guess is that implementing query repetition really is quite a big job, and people often do not have the time/energy. I'm not the only one proposing it, Paul Vixie (who heads ISC which maintains BIND) also referred to it briefly in his (now expired) IETF draft ( http://tools.ietf.org/id/draft-vixie-dnsext-dns0x20-00.txt ), although there is no detail there on coping with non-deterministic authorities.

The IETF generally seem reluctant to push forward with this though. I think it's because of the huge emotional commitment to DNSSEC, and general exhaustion. There is also the issue that DNSSEC is being promoted as the way to solve the problem, so if simpler to deploy methods solve the spoofing problem, it slightly undermines the commercial case for DNSSEC - and much has been invested in that.

Hence I'm looking at other ways forward...

It's not quite accurate that I'm looking only at the client level. The server I have written can be deployed either on the client or as a local cache ( this is how it is deployed at my workplace ).

It cannot be deployed on Unix though, which does limit its usefulness for ISPs etc.

My intention is partly to show the way, but also to provide a proper secure solution at least for windows users, and not least for myself and the company for which I work. It gives me a good night's sleep!

Best regards,
George

Author: geebee2 (Big gold star, 5000 posts) Number: 155914 of 168058
Subject: Re: DNS security Date: 29/4/09 11:20
Recommendations: 0
I have made a FAQ which discusses possible security issues with OpenDNS

http://www.george-barwood.pwp.blueyonder.co.uk/DnsServer/FAQ...

"A few other things to consider with OpenDNS:
1. You have to trust them. While I have no reason whatsoever to think OpenDNS are not trustworthy, a good principle in computer security is to minimise the number of people you trust. GbDns is open source software, subject to validation by yourself and third parties, OpenDNS is not.
2. It's a potential centralised point of failure ( albeit the multicast system may be resilient to failure ).
3. OpenDNS is by its nature an attractive target for an attacker.
4. Communications from your stub resolver to the OpenDNS server are potentially susceptible to spoofing attack."

I think OpenDNS is quite nice, but not ideal from a security perspective.

Author: CrossWires (One star, 50 posts) Number: 155974 of 168058
Subject: Re: DNS security Date: 30/4/09 20:06
Recommendations: 0
OK, so now just a question from a non-techie who just wants to secure his PC as much as possible, and at the same time to ensure that his children are safe online, and also my banking details. Obviously I was attracted to this thread because of my initial question a few days ago re Open DNS and K9.

Geebee2 seems to be saying that Open DNS is not a good choice to achieve what I say that I want to achieve in the paragraph above. 1an seems to be saying that the concerns raised by geebee2 are not as worrying as gb seems to think.

So what do us non-techies do? Is Open DNS vulnerable? Is K9 vulnerable to any of this stuff? Presumably not, as it filters access to sites in a different way (told you I was non-techie!), a way that is not vulnerable in the same way as OpenDNS is vulnerable. So, does that make K9 safer to use for us non-techies (or anyone else for that matter)?

Hope I'm not confusing things . . .

CW

Author: 1an (Big red star, 1000 posts) Number: 155980 of 168058
Subject: Re: DNS security Date: 30/4/09 21:50
Recommendations: 3
Hi CW,

Geebee2 seems to be saying that Open DNS is not a good choice to achieve what I say that I want to achieve in the paragraph above. 1an seems to be saying that the concerns raised by geebee2 are not as worrying as gb seems to think.

Well, technically speaking we are both right. (Has anyone got a cushion? This fence is chafing a bit ;-)

We've contacted OpenDNS - via a thread on their forum - and they have confirmed that they are not vulnerable to either the short or the long form of the particular vulnerability that George mentions in his OP. (The Kaminsky vulnerability)

On the other hand, George is doing some very clever things with his offering which OpenDNS are not specifically implementing, but they infer that they have the situation covered with other techniques they are not prepared to discuss. (Fair enough I guess, but it does leave room for doubt.)

On the other, other hand. OpenDNS will almost certainly be doing things that George's offering doesn't, the net result of which is that OpenDNS may well be at least as secure. Or even more so. It's almost impossible to tell if OpenDNS are unwilling to discuss the technicalities of their implementation.

That said, there are, AFAIAA, no reports of 'mass exploits' affecting the thousands of people using OpenDNS - I'm still using it and remain happy about recommending it.

None of that detracts from what George has done. There is a lot of potential with what he has done, I'm looking at it and have been in contact with George 'off-board' about some aspects. (Sadly, my progress has been lacking this week. My mother is in hospital, my partner celebrated her birthday yesterday - despite her best efforts to ignore it ;-) - and it's my birthday today: beer o'clock beckons!! :-)

George may disagree with some (or all :-) of the above - which is fine. If people didn't disagree there wouldn't be nearly as much progress made. :-)

That's not a definitive answer - mostly because there isn't one, IMHO.

Yet...


ATB,
Ian..

Author: geebee2 (Big gold star, 5000 posts) Number: 155984 of 168058
Subject: Re: DNS security Date: 30/4/09 23:52
Recommendations: 1
Crosswires

First of all, thanks for taking an interest. It's hard to get people interested!

Where I started was by reading the Cert Advisory

http://www.kb.cert.org/vuls/id/800113

I quickly realised that it wasn't easy to follow their recommendations. They suggest

"Run a local DNS cache" but then point out that

"routers, firewalls, and other gateway devices that perform NAT/PAT may modify source ports in ways that reduce the effectiveness of source port randomization"

So I decided to make a local DNS cache that didn't rely on port randomization for security. It wasn't easy!

Note they also say:

"Stub resolvers are also vulnerable to these attacks"

This is true. It's hard to say quite how high the risk is, but I wanted a proper solution, and that's what I have made.

I believe GbDns is the most, and indeed only, secure solution for Windows users.

It then comes down really to who you believe, if the technical issues are beyond your comprehension. But do try to understand what the Cert note is saying.

I should perhaps say that, a bit like with swine flu, you don't need to panic. OpenDNS is much better than using an unpatched ISP cache, and stub resolvers are (probably, no one really knows for sure) not very easy to attack in practice. An attacker would probably need to lure you on to a rigged web page, or something similar. But even so, the risk is there, IMO.

Finally, do continue to ask away!

George

Author: oldbaker (Three stars, 500 posts) Number: 155985 of 168058
Subject: Re: DNS security Date: 1/5/09 08:23
Recommendations: 2
I am following this thread with great interest. Like CrossWires, I am a non-technical bod who needs to have my pc as secure as possible. That is limited to the degree my trust permits in the experts and the systems they advocate.

I have twice before drafted a post, but felt my comments may be considered offensive to you George. I really have no wish to do that, as you have obviously made considerable efforts, but see here:

every recursor in the world ( except the one I have written! ) is vulnerable.

It’s just that the tone of your posts comes across as bordering on arrogant… see what I mean? Consequently, that impression makes me cautious about your claims.

Nonetheless, it is great that things appear to be progressing with other knowledgeable Fools to query the technical aspects.

At this stage, I have these, probably dumb questions:

1. My software firewall is password protected. Does GbDns have or need one?
2. Surely, there are Open Source forums where GbDns would be gladly received and strenuously tested? This board may be less brutal, but a security utility needs widespread exposure to be considered effective.
3. How can OpenDNS claim to be Open when they are unwilling to discuss the technicalities of their implementation?

That reminds me of a ditty:

Fussy Wussy wus a bear,
But, Fussy Wussy had no hair,
So Fussy Wussy wusny Fussy,
Wus he?

Keep up the good work chaps.
oldbaker

Author: oldbaker (Three stars, 500 posts) Number: 155992 of 168058
Subject: Re: DNS security Date: 1/5/09 10:02
Recommendations: 0
Blast it!

Seems my spelling ability is just fuzzy.

Author: geebee2 (Big gold star, 5000 posts) Number: 156001 of 168058
Subject: Re: DNS security Date: 1/5/09 14:04
Recommendations: 1
oldbaker

I have twice before drafted a post, but felt my comments may be considered offensive to you George

Don't worry, I really will not be offended at all. Promise.

It’s just that the tone of your posts comes across as bordering on arrogant… see what I mean?

I think you have a good point there, it does sound arrogant. I should have put it in a different way, you have to remember I'm basically a techy type, I'm no great diplomat!

Your questions

1. My software firewall is password protected. Does GbDns have or need one?

Unless you want to share the GbDns cache with other computers, inbound connections only come from the computer on which it is installed ( loopback using 127.0.0.1 ), so there is no need to adjust the firewall.

If the cache is to be shared, port 53 (UDP) needs to be opened in the firewall, to allow inbound connections from other computers.

2. Surely, there are Open Source forums where GbDns would be gladly received and strenuously tested? This board may be less brutal, but a security utility needs widespread exposure to be considered effective

That's an interesting idea, thanks. I haven't any experience with that, I will do some searching over the week-end.

3. How can OpenDNS claim to be Open when they are unwilling to discuss the technicalities of their implementation?

Good point, not for me to answer that one!

Best regards,
George

Author: geebee2 (Big gold star, 5000 posts) Number: 156009 of 168058
Subject: Re: DNS security Date: 1/5/09 14:57
Recommendations: 1
1. My software firewall is password protected. Does GbDns have or need one?

I may have mis-interpreted the question, I assumed initially you were asking whether the firewall needed adjusting. Taken more literally, the answer is no, GbDns does not have a password. There are no settings to be configured ( this was a design goal, to keep things simple ), so no need for any kind of password.

Installing the software needs administrative rights, the same as for any program.


Author: oldbaker (Three stars, 500 posts) Number: 156019 of 168058
Subject: Re: DNS security Date: 1/5/09 17:43
Recommendations: 0
GbDns does not have a password. There are no settings to be configured ( this was a design goal, to keep things simple ), so no need for any kind of password.

Installing the software needs administrative rights, the same as for any program.


Understood, but as it is client(?) based, then in the likely event that the computer is not switched to a limited access account, can GbDns be interfered with to route the user through a criminal's servers?

Author: geebee2 (Big gold star, 5000 posts) Number: 156022 of 168058
Subject: Re: DNS security Date: 1/5/09 18:34
Recommendations: 0
Understood, but as it is client(?) based, then in the likely event that the computer is not switched to a limited access account, can GbDns be interfered with to route the user through a criminal's servers?

Well, someone with Administrative rights to a computer can do just about anything.

You cannot easily "interfere" with GbDns, other than say replacing the executable with a different one with the same name, or changing the TCP/IP settings.

That's always going to be the case regardless of what you are using.

This is a bit of a statement of the obvious, so apologies if I have failed to understand you properly.

Author: oldbaker (Three stars, 500 posts) Number: 156027 of 168058
Subject: Re: DNS security Date: 1/5/09 21:51
Recommendations: 0
This is a bit of a statement of the obvious...

Alas, it is, but if GbDns is for all types of user, as opposed to competent system administrators and vaguely able muppets like me, then there remains a problem for the unwary.

There is clearly little point in loading the software in Windows, then running with administrator rights. Most people I have asked who run a single pc do not work in a limited user account. There is a need to address this common failing.


In the FAQs, a minor edit to fix:
You can also uninstall using Control Papel / Add or Remove programs.

Author: geebee2 (Big gold star, 5000 posts) Number: 156034 of 168058
Subject: Re: DNS security Date: 2/5/09 08:08
Recommendations: 0
oldbaker > In the FAQs, a minor edit to fix

Many thanks, I have fixed that.

Further to

Surely, there are Open Source forums where GbDns would be gladly received and strenuously tested?

This morning I did a bit of searching for Open Source forums, but didn't find anything that seemed suitable. That may be due to my own incompetence with Google, so if anyone knows of a community where this project might be welcome, please let me know.

George


Author: oldbaker Three stars, 500 posts Number: 156061 of 168058
Subject: Re: DNS security Date: 2/5/09 18:23
Recommendations: 0
if anyone knows of a community where this project might be welcome, please let me know.

How about knocking on a few virtual doors? Contact some sites from the Google results. They can only answer, “Get lost” or worse, ignore you.

Microsoft offer free Windows software here:

http://bhandler.spaces.live.com/blog/cns!70F64BC910C9F7F3!12...

I’ve no idea where the products originate from, but I’d bet MS doesn’t develop them all in house. As GbDns is primarily a Windows utility at this stage of development, it should be of interest to them.

It would be best not to get locked into one source early on. Try the Mozilla organization, some helpful soul may well point you in a rewarding direction.

http://en-us.www.mozilla.com/en-US/manyfaces/

Also..... Well you get the idea.

oldbaker

Author: geebee2 Big gold star, 5000 posts Number: 156078 of 168058
Subject: Re: DNS security Date: 3/5/09 07:21
Recommendations: 0
oldbaker

Thanks, but where you say "Microsoft offer free Windows software here", I think it's more accurate to say "Somebody offers a list of free Microsoft downloads here".

Mozilla seems focussed on Firefox/Thunderbird.

Still, this morning I found this http://www.opensource.org/links
which lists sourceforge.net as the "market leader". So I'm considering putting my project on that. Has anyone here had any experience of sourceforge?

I have also updated my FAQ, in particular this :

"Why should I use GbDns?

For security. The CERT vulnerability note, VU#800113 explains that you should "Run a local DNS cache". Also, it notes that NAT devices "can reduce source port randomness", which means that source port randomization cannot be relied on for security.

Instead of relying on source port randomization, GbDns defeats spoofing by sending the query two (or more) times, and checks the responses agree (this is an over-simplification, but sufficient to understand the principle). To the best of my knowledge, GbDns is the only DNS resolver that does this, and therefore appears to be the only secure solution to DNS resolution."

http://www.george-barwood.pwp.blueyonder.co.uk/DnsServer/FAQ...

Could anyone comment on whether this is easy to understand?

Best regards,
George

Author: Scifly One star, 50 posts Number: 156099 of 168058
Subject: Re: DNS security Date: 3/5/09 19:32
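The "send the query twice and check the responses agree" principle from the FAQ text quoted above, worked through as an added example; this is illustrative code, not GbDns or any code from George's project. It models a resolver that asks the same question `copies` times, each with a freshly randomised transaction id and source port, and only caches an answer when every valid reply agrees. The zone record, the `honest_upstream` responder and the `forged_once` responder (which stands in for the failure case the check exists to catch: one reply that happens to match a query's id and port but carries a wrong answer) are all constructed for the demonstration. The model assumes an off-path forger that cannot see the outgoing queries, which is the threat the agreement check addresses.

```python
"""Toy model of the 'ask twice, require agreement' anti-spoofing check.

Added example, not GbDns code. Every name, record and responder below is
constructed; nothing touches the network.
"""
import random
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class DnsQuery:
    name: str
    qtype: str
    txid: int      # 16-bit transaction id chosen by the resolver
    src_port: int  # source port chosen by the resolver


@dataclass(frozen=True)
class DnsResponse:
    txid: int
    dst_port: int
    name: str
    qtype: str
    answer: str


# Constructed zone data standing in for the authoritative servers.
ZONE = {("www.example.test", "A"): "192.0.2.10"}


def make_query(name: str, qtype: str, rng: random.Random) -> DnsQuery:
    """Fresh txid and source port for every copy of the question."""
    return DnsQuery(name, qtype, rng.randrange(1 << 16), rng.randrange(1024, 1 << 16))


def response_matches(q: DnsQuery, r: DnsResponse) -> bool:
    """The classic acceptance test: id, port and question section must all match."""
    return (r.txid == q.txid and r.dst_port == q.src_port
            and r.name == q.name and r.qtype == q.qtype)


def honest_upstream(q: DnsQuery) -> Optional[DnsResponse]:
    """Responder that always returns the genuine record (or nothing)."""
    answer = ZONE.get((q.name, q.qtype))
    if answer is None:
        return None
    return DnsResponse(q.txid, q.src_port, q.name, q.qtype, answer)


def forged_once(forged_answer: str) -> Callable[[DnsQuery], Optional[DnsResponse]]:
    """Responder modelling the case the check must catch: the first copy of the
    question is answered by a reply that matches its id and port but carries a
    wrong answer; later copies reach the real server. (Constructed scenario.)"""
    calls = {"n": 0}

    def respond(q: DnsQuery) -> Optional[DnsResponse]:
        calls["n"] += 1
        if calls["n"] == 1:
            return DnsResponse(q.txid, q.src_port, q.name, q.qtype, forged_answer)
        return honest_upstream(q)

    return respond


def resolve(name: str, qtype: str,
            send: Callable[[DnsQuery], Optional[DnsResponse]],
            copies: int = 2, seed: int = 1) -> Optional[str]:
    """Send `copies` independently randomised queries and accept an answer only
    if every valid reply agrees. copies=1 is the ordinary single-query resolver."""
    rng = random.Random(seed)
    answers = []
    for _ in range(copies):
        q = make_query(name, qtype, rng)
        r = send(q)
        if r is None or not response_matches(q, r):
            return None  # dropped or non-matching reply: fail closed
        answers.append(r.answer)
    if len(set(answers)) != 1:
        return None  # replies disagree: cache nothing
    return answers[0]


def spoof_success_probability(id_bits: int, copies: int) -> float:
    """Chance that one blind guess per query matches all `copies` of them when
    each carries `id_bits` bits of unpredictable state (16 bits is the txid
    alone, the situation when NAT has flattened source-port randomness)."""
    return 2.0 ** (-id_bits * copies)


if __name__ == "__main__":
    forged = "203.0.113.66"  # constructed wrong answer
    print("honest upstream, 2 copies :", resolve("www.example.test", "A", honest_upstream))
    print("forged once, 1 copy       :", resolve("www.example.test", "A", forged_once(forged), copies=1))
    print("forged once, 2 copies     :", resolve("www.example.test", "A", forged_once(forged)))
    print("p(blind spoof) 1 vs 2 copies:",
          spoof_success_probability(16, 1), spoof_success_probability(16, 2))
```

With one copy the resolver accepts the wrong answer because it passed the id/port check; with two copies the second reply disagrees and the resolver returns nothing rather than caching either value. The design fails closed on any dropped or mismatched reply, which trades some availability for not caching a guess, and `spoof_success_probability` shows the arithmetic behind the principle: each extra independently randomised copy multiplies the attacker's required luck by another 2^16.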
Recommendations: 0
Hi George,

I use sourceforge to host a small Frogger clone I wrote. They are probably the largest host for open source software and provide many services, in addition to hosting, such as project mailing lists and forums. If you want your project hosted there you will need to licence it with an open source licence though.

HTH

Paul

Author: geebee2 Big gold star, 5000 posts Number: 156101 of 168058
Subject: Re: DNS security Date: 3/5/09 20:01
Recommendations: 0
Thanks Paul, I have just submitted a project to sourceforge, it's now waiting to be approved.

Since I have put GbDns in the public domain in any case, the open source licence is fine (well I hope so - I assume there is no kind of subtle conflict here!)

George

Author: geebee2 Big gold star, 5000 posts Number: 156117 of 168058
Subject: Re: DNS security Date: 4/5/09 07:58
Recommendations: 4
Further to the above, the sourceforge project is

https://sourceforge.net/projects/gbdns/

You can now download / post forum questions there, etc.

George
