Friday, July 25, 2008

BIND 9 exploit is out. Please check your DNS

This exploit targets a flaw in DNS implementations that allows an attacker to insert malicious DNS records into the cache of the target DNS server. Without wasting time, I had to dig deep and find the quickest possible way to fix my own name servers.

Even though ISC and most security experts advised administrators to patch their name servers with the current patches and software, it was not easy to take the normal path, especially for those who are used to yum-ing and apt-get-ing.

Below are a few steps for those running BIND on CentOS or Fedora systems.

Now, I could not wait until Dan Kaminsky goes public again on August 6th at 11:15 AM Pacific time to talk at the Black Hat Briefings about this vulnerability in BIND. And given the fact that some folks have already leaked the ways and hows of utilizing the flaw to exploit vulnerable systems, I had to start thinking earlier about how to fix my own name servers. Believe me, they were also vulnerable, as I was running an old version of BIND 9.

Now, my findings, as simple as they may look, only apply to those running BIND 9 on CentOS 4 or 5 and Fedora Core systems. I tested on all these boxes in my office.

Let's start..

Prerequisites
===========
- Your firewall (iptables NAT/PAT or PIX) must have port 53 open.
- You must be running BIND 9 on CentOS 4 or 5 or any Fedora Core system.
- BIND should be running in chrooted mode; it is not a prerequisite, but it is a best practice.
- In your /etc/named/named.conf OR /etc/named.conf file, disable recursion for the outside world and add an ACL so that only your own networks can make recursive requests.

i.e. acl "mynetworks" {
    127.0.0.0/8; 172.16.0.0/12; 10.0.0.0/8; 192.168.0.0/16;
};

i.e. view "internal" {
    match-clients { mynetworks; };
    allow-query { mynetworks; };
    allow-recursion { mynetworks; };
    match-recursive-only yes;
    # zones served to internal clients go here
};

i.e. view "external" {
    match-clients { any; };
    allow-query { any; };
    allow-recursion { none; };
    match-recursive-only no;
    # authoritative zones served to the world go here
};

AND TO FIX the BIND VULNERABILITY
-----------------------------------------------------------------------------------


Checking if your system is vulnerable: run the command below, replacing youdomain.co.tz with your organization's domain under its TLD or ccTLD (the query must be sent to your own name server, from a host it allows recursion for).

So do the following

[superuser@ns1 ~]# dig +short @ns1.youdomain.co.tz porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"192.168.1.3 is POOR: 26 queries in 20.0 seconds from 1 ports with std dev 0.00"

POOR indicates that your name server or system is vulnerable: all 26 queries left from the same source port, so an attacker only has to guess the transaction ID.

Solution
-----------


[superuser@ns1 /]# yum update bind bind-chroot -y


[superuser@ns1 /]# vi /etc/named.conf ## Edit your named.conf file as shown below. Afterwards save it and reload BIND

options {
    directory "/var/named";
    allow-transfer { 192.168.1.4; };
    # query-source address * port 53; ## REMOVE OR COMMENT OUT this line so as to allow random source port selection. A pinned port defeats the fix even on a patched BIND. Do this by prepending a # to the line
    dnssec-enable yes; ## Add this line to your named.conf to enable DNSSEC and go ahead and set up DNSSEC. Remember it is not an ultimate solution
};


[superuser@ns1 /]#/etc/init.d/named reload

Then Check again to test
----------------------------


[superuser@ns1 /]# dig +short @ns1.youdomain.co.tz porttest.dns-oarc.net TXT ## Just to confirm...:-)

z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"192.168.1.3 is GOOD: 26 queries in 19.6 seconds from 26 ports with std dev 16515.27"
-----------------------------------------------------------------------------------

GOOD indicates that your name server, at x.x.x.x, appears to be safe, but make sure the ports listed aren't following an obvious pattern (a NAT/PAT device in front of the server that rewrites outbound source ports sequentially can undo BIND's randomization even though BIND itself is patched).
i.e. the figure to watch is the standard deviation of the ports, 16515.27 here; if your test clocks 10000.00 or above, your DNS server is safer and your clients or users should not worry.
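As an added example (not part of the original post), a small Python checker that computes the two figures the porttest answer reports from a list of observed source ports, flags a sequential pattern of the kind warned about above, and parses the TXT answer dig prints. The port samples are constructed, and the POOR/FAIR/GOOD grading thresholds are an assumption based on this post (the 10000.00 figure), not DNS-OARC's exact rules.

```python
import re
import statistics

# Constructed samples (not from the post): source ports seen on 26 outbound
# queries.  The first resolver pins query-source to port 53 (the line the post
# says to remove); the second picks a fresh random port per query.
FIXED_PORT_RESOLVER = [53] * 26
RANDOM_PORT_RESOLVER = [
    41231, 5020, 60233, 17744, 33907, 52316, 2819, 48770, 11455, 63022, 27608,
    39191, 8334, 56679, 22140, 45513, 30962, 14087, 59804, 36655, 3498, 50377,
    19821, 65001, 26773, 43290,
]

def port_stats(ports):
    """Return (distinct port count, population std dev), the two numbers the
    porttest.dns-oarc.net answer reports ("from N ports with std dev X")."""
    return len(set(ports)), round(statistics.pstdev(ports), 2)

def has_obvious_pattern(ports):
    """True when successive ports advance by one constant step (1024, 1025,
    1026...): the std dev looks healthy but the next port is guessable."""
    if len(ports) < 3:
        return False
    return len({b - a for a, b in zip(ports, ports[1:])}) == 1

def grade(ports, good_threshold=10000.0):
    """Assumed grading (hypothetical, not DNS-OARC's exact rules): a single
    port or a predictable sequence is POOR; a std dev at or above the 10000
    figure mentioned in the post is GOOD; anything else is FAIR."""
    distinct, stddev = port_stats(ports)
    if distinct == 1 or has_obvious_pattern(ports):
        return "POOR"
    return "GOOD" if stddev >= good_threshold else "FAIR"

PORTTEST_RE = re.compile(
    r'(\S+) is (\w+): (\d+) queries in ([\d.]+) seconds '
    r'from (\d+) ports with std dev ([\d.]+)')

def parse_porttest(txt):
    """Parse the TXT answer dig prints, e.g. the POOR and GOOD lines above."""
    m = PORTTEST_RE.search(txt.strip('"'))
    if not m:
        raise ValueError("not a porttest answer: %r" % txt)
    return {"address": m.group(1), "rating": m.group(2),
            "queries": int(m.group(3)), "ports": int(m.group(5)),
            "stddev": float(m.group(6))}
```

Feed port_stats and grade the source ports captured from your own resolver's outbound queries (tcpdump on port 53 will show them) to get the same check without depending on the external test.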


Do the same on all the DNS servers in your organization. Suggestions and comments are welcome.

Good Luck.

./noah

Thursday, July 24, 2008

This SquirrelMail thing......!!!!!

While exploring Roundcube and Horde, which are also open-source web-mail clients, I had forgotten that there existed another web-mail client for nuts: the old mighty SquirrelMail. SquirrelMail impressed me with its many features, which include some sort of spam filtering, user administration, fonts and colours, and most importantly the fact that a user has the option of changing their password. The change-password plugin kills it all. Roundcube lacks that. So I am working on customizing SquirrelMail so I can see how it goes.

Big ups to the SquirrelMail team.