Alert regarding DNS cache poisoning attack

JPCERT-AT-2014-0016
JPCERT/CC
2014-04-15

<<< JPCERT/CC Alert 2014-04-15 >>>

Alert regarding DNS cache poisoning attack

Source link: https://www.jpcert.or.jp/english/at/2014/at140016.html


I. Overview

Cache DNS servers that do not randomize the UDP source port of their
queries (hereinafter "source port randomization") contain a known
vulnerability that may allow attackers to perform a cache poisoning
attack. A remote attacker may leverage this vulnerability to poison a
cache DNS server with forged DNS information.

According to information provided by Japan Registry Services Co., Ltd.
(hereinafter "JPRS"), JPRS has been observing DNS queries sent from DNS
servers that do not implement source port randomization to the DNS
servers operated by JPRS. Additionally, some Internet Service Providers
have informed JPRS that access targeting this vulnerability is being
observed increasingly often.

It is estimated that such attacks may continue to increase, and
administrators are therefore recommended to take measures such as
applying a patch that addresses this vulnerability and modifying the
configuration.


II. Products Affected

This vulnerability may affect multiple DNS server software products.
For more information, please refer to the advisories issued by the
vendors on the following websites:

JVNVU#800113
Multiple DNS implementations vulnerable to cache poisoning (Japanese)
https://jvn.jp/cert/JVNVU800113/index.html

Vulnerability Note VU#800113
Multiple DNS implementations vulnerable to cache poisoning
https://www.kb.cert.org/vuls/id/800113

Note that software products not mentioned on the websites above may
also be affected. For other software products used in your system,
please contact their vendors.


III. Solution

Administrators operating DNS server software affected by this
vulnerability are recommended to take measures such as applying a
patch that addresses this vulnerability and modifying the
configuration.

Please be aware of the following three notes when applying the
solutions:

Note 1: 'named.conf' configuration

When BIND is used, named.conf may have been configured to specify a
static DNS query source port as follows:

query-source port 53;
query-source-v6 port 53;

In this case, even after updating to a fixed version, source port
randomization will not take effect as long as this configuration is
not modified.


Note 2: Port translation on network devices

Due to the Network Address Translation (NAT) function of network
devices such as firewalls and routers, the source port randomization
implemented by the DNS server may not work properly. For details on
how to modify the configuration or update the firmware, please refer
to the information provided by the vendors.
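
As an added example, not code from JPCERT/CC, JPRS or BIND, the following Python combines two defender-side checks for Note 1 and Note 2: a scan of a named.conf fragment for a query-source directive that pins the port, and a verdict on a sample of observed query source ports, which also shows how a NAT that hands out ports in order undoes randomization. The sample configuration, port sequences and thresholds are constructed assumptions.

```python
"""Added example (not JPCERT/CC or BIND code) with two defender-side checks for
the issue in this advisory: scan named.conf for a pinned query source port
(Note 1), and judge observed query source ports, which also exposes a NAT
that reallocates ports in order (Note 2). Thresholds are assumptions."""
import random
import re

QUERY_SOURCE_RE = re.compile(r"^\s*(query-source(?:-v6)?)\b([^;]*);", re.MULTILINE)


def pinned_query_source_ports(named_conf: str) -> list[tuple[str, int]]:
    """Return (directive, port) for each query-source directive fixing a port.
    'port *' or no port clause leaves randomization enabled and is not reported."""
    pinned = []
    for match in QUERY_SOURCE_RE.finditer(named_conf):
        directive, args = match.group(1), match.group(2)
        port = re.search(r"\bport\s+(\*|\d+)", args)
        if port and port.group(1) != "*":
            pinned.append((directive, int(port.group(1))))
    return pinned


def port_randomization_verdict(ports: list[int], min_samples: int = 20) -> str:
    """Classify UDP source ports seen from one resolver address, in arrival order:
    'insufficient', 'fixed', 'sequential', 'low-entropy' or 'randomized'."""
    if len(ports) < min_samples:
        return "insufficient"
    distinct = set(ports)
    if len(distinct) == 1:
        return "fixed"
    # A NAT that allocates ports in order turns a random sequence into a ramp.
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    if sum(1 for d in deltas if 0 < d <= 2) >= 0.8 * len(deltas):
        return "sequential"
    # Few distinct values or a narrow spread leaves few ports to guess (assumed cutoffs).
    if len(distinct) < 0.8 * len(ports) or max(ports) - min(ports) < 1024:
        return "low-entropy"
    return "randomized"


# Constructed sample inputs (not from the advisory).
SAMPLE_NAMED_CONF = 'options {\n    query-source port 53;\n    query-source-v6 port 53;\n};'
FIXED_PORTS = [53] * 30                                   # static port, as in Note 1
NAT_SEQUENTIAL_PORTS = [1024 + i for i in range(30)]      # randomization undone by NAT
CYCLING_PORTS = [2000, 3000, 4000, 5000] * 8              # only four ports ever used
RANDOM_PORTS = random.Random(7).sample(range(1024, 65536), 30)  # healthy resolver

if __name__ == "__main__":
    print("pinned:", pinned_query_source_ports(SAMPLE_NAMED_CONF))
    for name, sample in [("fixed", FIXED_PORTS), ("nat", NAT_SEQUENTIAL_PORTS),
                         ("cycling", CYCLING_PORTS), ("random", RANDOM_PORTS)]:
        print(name, port_randomization_verdict(sample))
```

In practice the port sample would come from a packet capture of queries arriving at an authoritative server, grouped by source address, which is the vantage point from which JPRS made its observation.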


Note 3: Firewall configuration

Once the solution is applied, the source ports of queries from the DNS
server become randomized. This may cause a firewall to restrict
communication from the DNS server. Administrators are recommended to
check the firewall settings before modifying the configuration of the
DNS server.


IV. References

(Critical) Reconfirmation of DNS server configuration regarding
the increasing risk of cache poisoning attack (Japanese)
(Released on April 15, 2014)
-- Strongly recommends promptly confirming and responding to the
randomization of UDP source ports --
http://jprs.jp/tech/security/2014-04-15-portrandomization.html

JVNVU#800113
Multiple DNS implementations vulnerable to cache poisoning (Japanese)
https://jvn.jp/cert/JVNVU800113/index.html

Vulnerability Note VU#800113
Multiple DNS implementations vulnerable to cache poisoning
https://www.kb.cert.org/vuls/id/800113


If you have any information regarding this alert, please contact
JPCERT/CC.

======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/

