djbdns has two weaknesses that allow an attacker to poison its cache in very short amounts of time.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2008-4392 to this issue. This is a candidate for inclusion in the CVE
list (http://cve.mitre.org), which standardizes
names for security problems.
What you need to know
- This only affects dnscache, the caching/resolver server. If you do not use dnscache, you do not need to patch anything.
- The attack these patches correct allows an attacker to "poison" dnscache's internal cache, causing it to give out incorrect information to its clients.
- This allows an attacker to redirect users of your dnscache server to IP addresses they control. For example, they could redirect all users of an ISP to a fake version of a bank's site, while the address bar in the browser still looked correct.
- DNS is not a "secure" protocol. Poisoning attacks like this are unavoidable until new technologies are developed and deployed.
- The current state-of-the-art in protecting DNS as it exists now, would require an attacker to continually flood a DNS server for days at a high rate to succeed at tricking it once.
- The recently discovered weaknesses in dnscache allow this type of attack to succeed in minutes, making detection and prevention difficult if not impossible.
- The patches below restore dnscache's protection to the best known methods, requiring a noticeably large flood for several days to have any likely chance of success.
For more details about how this attack works, see this PDF.
Merge identical outgoing requests
prevents a class of poisoning attack by combining identical requests from
clients into one outgoing query. Without this patch, an attacker can coerce dnscache into launching hundreds of identical queries at once, making a specific type of attack several orders of magnitude easier.
Make SOA responses cacheable
This patch allows dnscache to store the responses of "SOA" type queries in its cache. SOA responses are the only type of response unconditionally uncached. dnscache uses its internal cache to prevent certain classes of poisoning attack. Attackers may choose to send floods of SOA requests to bypass these protections.
A pre-patched version of djbdns-1.05 is available here if you do not wish to manually patch.
Prior to release, these patches have been tested by several large djbdns users with no reported complaints.
Please note that the "merge similar queries" patch slightly modifies the log file format, due to behaviors unable to be expressed using the current logging system. Very few applications attempt to parse dnscache's log format, and it is believed that most should skip lines they do not understand.
These patches were developed by Jeff King, and are released into the public domain. Validation, testing and help came from David Dagon, Adam Getchell, Dan Kaminsky and David Ulevitch.
No warranty or support is provided for these patches. Feedback, incompatiblities or improvements are welcome. Email is appreciated.
Copyright © 2009 Kevin Day. Patches and documentation may be freely distributed.