Topic: DNS cache poisoning ...  (Read 1781 times)
« on: August 19, 2008, 13:28:07 »
AplusWebMaster, Global Moderator
FYI...

- http://securitylabs.websense.com/content/Alerts/3163.aspx
08.19.2008 - "Websense... has detected that the DNS cache on the default DNS server used by the customers of China Netcom (CNC) has been poisoned. When China Netcom customers mistype and enter an invalid domain name, the poisoned DNS server directs the visitor's browser to a page that contains malicious code. China Netcom is among the top ISPs in that country.
When users mistype a domain name, they are sometimes directed by their ISPs to a placeholder Web site with generic advertisements. This is typically an additional revenue source for the ISP. In the case of CNC, customers of this prominent ISP are directed to a Web site under the control of an attacker. These malicious sites contain an iframe with malicious code that attempts to exploit, among other applications and plug-ins, the Microsoft Snapshot Viewer vulnerability... The malicious iframe points to a server in China hosting exploits for RealPlayer, MS06-014, MS Snapshot Viewer and Adobe Flash player..."

(Screenshots available at the URL above.)

« Last Edit: June 27, 2011, 15:09:19 by AplusWebMaster »

This machine has no brain.
....... Use your own.
Browser check for updates here.
« Reply #1 on: June 27, 2011, 15:08:54 »
AplusWebMaster, Global Moderator
FYI...

DNS cache poisoning...
- http://isc.sans.edu/diary.html?storyid=11107
Last Updated: 2011-06-27 19:19:08 UTC - "... teaching this week at (a) University... we were victims of a DNS cache poisoning attack. Since the network admin was not at his office because class was at night, there was nothing I could do but wait for the DNS cache to expire.
How this attack works and how we can protect ourselves
The DNS process works as follows to resolve an IP address from a fully qualified domain name (FQDN):
• The client sends a query to the internal DNS server looking for the IP address of a machine name.
• The internal DNS server performs recursion and, if the name is not present in its cache, looks up the IP address on the Internet from the authoritative nameserver of the domain.
• The authoritative nameserver answers with the requested IP address.
• The internal DNS server answers the client with the IP address.
The attack works as follows:
• The attacker queries the target DNS server for an FQDN not present in the cache.
• The target DNS server performs recursion and looks up the IP address on the Internet from the authoritative nameserver of the domain.
• The attacker floods the target DNS server with fake responses for the query.
• The target DNS server updates its cache and begins serving the fake IP address every time the FQDN is requested.
How do we protect ourselves from the attack?
• Use the latest version of your DNS server (I really like BIND*), as it randomizes the source port of your queries.
• Do not allow recursion from outside your network. Allow it only from your corporate network computers.
• Use DNSSEC. The root servers have supported it since July 15, 2010, and the protocol makes it possible to authenticate valid records from domain zones.
...For those of you using a Windows DNS server, source port randomization is built in to Windows 2008 R2's DNS server and other versions that have 'Security Update MS08-037' applied."
- http://www.microsoft.com/technet/security/Bulletin/ms08-037.mspx

* http://www.isc.org/software/bind

Test My DNS
- https://www.dns-oarc.net/oarc/services/dnsentropy

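Two of the defenses in the ISC diary quoted above (query source port randomization and no recursion for clients outside your own network) can be audited from a resolver's own traffic. The following Python script is an added example, not code from the post or from the ISC diary; the query records, the internal address ranges and the thresholds are constructed for illustration.

```python
import ipaddress

# Constructed sample data (not from the page). Outbound records are the
# (source_port, transaction_id) pairs a resolver used when querying authoritative
# servers; inbound records are (client_ip, recursion_served) pairs from its answers.
OUTBOUND_FIXED_PORT = [(53, 0x1000 + i) for i in range(20)]        # one port, IDs count up
OUTBOUND_RANDOM = [(1025 + (2999 * i) % 60000, (40503 * i + 0x1234) % 65536)
                   for i in range(20)]                              # spread-out ports and IDs
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]            # assumed corporate ranges
INBOUND = [("10.1.2.3", True), ("192.168.5.9", True),
           ("203.0.113.7", True), ("198.51.100.4", False)]

def check_port_randomization(outbound):
    """Flag a resolver that reuses one source port or counts transaction IDs up by one.
    With a fixed port, the 16-bit transaction ID is the only value a forged reply has
    to match; port randomization (MS08-037, current BIND) is what removes that weakness."""
    ports = [p for p, _ in outbound]
    txids = [t for _, t in outbound]
    findings = []
    distinct_ports = len(set(ports))
    if distinct_ports == 1:
        findings.append("fixed source port %d" % ports[0])
    elif distinct_ports <= max(2, len(outbound) // 10):
        findings.append("only %d distinct source ports" % distinct_ports)
    # Count consecutive IDs that differ by exactly one (wrapping at 65536).
    steps = sum(1 for a, b in zip(txids, txids[1:]) if (b - a) % 65536 == 1)
    if steps >= len(txids) // 2:
        findings.append("sequential transaction IDs")
    return findings

def check_open_recursion(inbound, internal_nets):
    """Return client addresses outside the internal ranges that were given recursive
    answers; a non-empty list means the resolver is an open resolver on the Internet."""
    external = []
    for client, recursed in inbound:
        addr = ipaddress.ip_address(client)
        if recursed and not any(addr in net for net in internal_nets):
            external.append(client)
    return external

if __name__ == "__main__":
    for label, records in (("old resolver", OUTBOUND_FIXED_PORT),
                           ("patched resolver", OUTBOUND_RANDOM)):
        print(label, check_port_randomization(records) or ["ok"])
    print("external clients served recursion:",
          check_open_recursion(INBOUND, INTERNAL_NETS))
```

Feeding real records from a packet capture of the resolver's port 53 traffic gives the same kind of verdict the OARC entropy test linked above reports from the outside.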