6

This morning I found out that our domain and subdomains have been poisoned on the 4.2.2 and 4.2.2.1 DNS servers along with others I think, though I have not confirmed others yet. Using OpenDNS resolution works correctly. I have updated our local DNS servers and cleared their cache which has fixed things internally.

The issue is that the domain is public facing and customers are having problems. We are the authoritative DNS server for the domain and all that is under our control. What I don't know how to do is fix the name servers out of our control.

Is there something we can do on our end? At the moment the only workaround I can think of is to ask customers to change their DNS to OpenDNS which is not very practical. The other workaround would be to change our TLD, which is less practical.

brandon
  • You haven't exactly described the problem in your question. What problem are you experiencing that has led you to this conclusion? How did you come to this determination? – joeqwerty Jun 24 '12 at 20:21
  • Maybe post your domain here so that we can see? – Sandman4 Jun 25 '12 at 07:23
  • What exactly is poisoned? A records? Do you use CNAMEs? – Sandman4 Jun 25 '12 at 07:30
  • Btw, if it's more than one group of servers poisoned, it's sorta unlikely that the source is anything but __your__ own compromised servers – Sandman4 Jun 25 '12 at 07:39

5 Answers

7

Sounds like you need to implement DNSSEC.

Since you haven't given many details about your setup, it's difficult to recommend a software solution, but googling DNSSEC with your current setup should yield you some good tutorials on how to do it.

Jay
  • We are not using DNSSEC; however, the issue at the moment, I believe (and correct me if I am wrong), is with the DNS servers outside of our control. – brandon Jun 24 '12 at 19:25
  • The problem you have described exists because there currently is no 'authentication' behind DNS zones. DNSSEC adds that layer of authentication, so that the `4.2.2.*` (and other DNSSEC supporting DNS resolvers) will only pull back authorized records (i.e., they can't be poisoned maliciously). Read more here: http://en.wikipedia.org/wiki/DNS_spoofing#Prevention_and_mitigation – Jay Jun 24 '12 at 19:45
  • Is there a reason why DNSSEC isn't enabled as default by registrars? – PHP CEO Aug 17 '16 at 16:31

5

Are you absolutely certain that this is a cache poisoning attack?

Every widely used recursive DNS server on the internet has long since implemented a fix to CVE-2008-1447, making the kind of wide-scale poisoning you're describing nearly impossible.

Not completely impossible, since the source port randomization just makes the attack take 2^16 times more attempts to successfully poison. Landing an attack on multiple authoritative name servers with high transaction volumes, all at the same time? That's quite the feat. Correct me if I'm wrong, but your domain probably isn't significant enough on the internet to be the best target for that attack; attackers with that capability would just hit google.com instead.

The far more reasonable or likely explanation is a change to the delegation for the domain, which the OpenDNS servers haven't picked up on yet due to caching. Has the domain expired, or has someone with access to the registrar made an ill-advised change to the name server delegation settings?

Shane Madden
  • There have been many attacks on DNS [search CVE for DNS](http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=dns). So there will be some "zero days" around, as well. – Nils Jun 24 '12 at 20:53
  • @Nils Sure, and the newest one of those that relates to cache poisoning is from 2010. Anyway, I think my assertion is still valid: if an attacker had means to poison a large number of widely used public resolvers, they'd take over some much more interesting DNS names. – Shane Madden Jun 24 '12 at 21:02

1

Change your TLD? That's extreme. What's your TTL? You're kind of at the mercy of other DNS servers expiring your records before any of them bother looking up the new, non-cached entries. If you set your A records to a week, no one will see the changes for a week if they are cached. I always set my A records to the lowest setting for situations like this, or use CloudFlare which lets me change them on the fly.

4.2.2.2 and 4.2.2.1 are Level 3's DNS servers for their network, they are not really supposed to be used by the internet at large. Thus they are not representative of the Internet DNS infrastructure as a whole. I use DNSStuff.com to do all of my testing/lookups as they are non-cached results.

Also, instead of OpenDNS, it's easier to type Google's (8.8.8.8, 8.8.4.4), regardless of your personal beliefs between the two.

Sieb

1

The DNSSEC recommendation is hasty. You risk solving the wrong problem and hooking yourself with quite a maintenance burden.

Check through these questions first:

  • What evidence do you have that poisoning is your problem?
  • At which DNS resolvers do you see mangled resolution?
    • multiple resolvers?
    • from different ISPs? -> unlikely to be poisoning
    • to which bogus IPs do they map? All the same? -> probable problem on your authority
  • What SOA information for your "poisoned" zones do you receive at the poisoned resolvers?

DNS cache poisoning is less common nowadays. If the negligible chance of incurring it bothers you, you are better off implementing DNSCurve. Here's how it compares with DNSSEC:

  • the CurveDNS proxy takes 10 minutes to install
  • once installed, maintenance at your authoritative DNS is unchanged
  • you are not affected by amplification attacks
  • it is actually deployed at large by DNS users (OpenDNS)

michele

0

You can't do much to the servers not under your control.

Try to understand how it happened - poisoning is not easy nowadays, there should be some hole. Check parent NS delegations. Check all your auth. servers. Contact Level3, tell them their servers are poisoned - ask them to flush the cache for your domain, but hopefully they will investigate the cause. Maybe their servers are compromised and it's not just your domain.

Also, look at the TTL. If it's intentional poisoning, the TTL is supposed to be very large (unless Level3 set some max TTL). You will see when it expires, and then check whether it happens again.

And put it on the street so that people finally start implementing DNSSEC.

Sandman4
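The checklist in michele's answer (which resolvers disagree, whether they belong to different operators, whether the bogus IPs match, what SOA they return) together with Sandman4's TTL check can be turned into a small triage script. This is an added example, not code from any of the answers; the observations are constructed by hand, and in practice you would collect them per resolver with `dig @4.2.2.2 example.com A +noall +answer` and `dig @4.2.2.2 example.com SOA +noall +answer`. The verdicts and the serial-history rule are this example's own interpretation of the thread's reasoning.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    resolver: str      # resolver IP that was queried
    operator: str      # who runs it; "us" marks our own authoritative server
    answer: frozenset  # A-record IPs it returned for the name
    soa_serial: int    # SOA serial it returns for the zone
    ttl: int           # remaining TTL (seconds) on that A answer

def triage(observations, expected, published_serials):
    """Return (verdict, seconds until the wrong answers expire).
    expected: the A-record set our zone really publishes;
    published_serials: every SOA serial our zone has ever carried."""
    bad = [o for o in observations if o.answer != expected]
    if not bad:
        return "consistent", 0
    worst_ttl = max(o.ttl for o in bad)
    if any(o.operator == "us" for o in bad):
        # Our own authoritative server serves the wrong data: fix the zone
        # (or the compromised server), not other people's caches.
        return "authority", worst_ttl
    if all(o.soa_serial in published_serials for o in bad):
        # Every wrong answer is an older copy of *our* zone: a stale cache or
        # an old delegation that has not expired yet; it heals when TTL runs out.
        return "stale", worst_ttl
    if len({o.operator for o in bad}) > 1 and len({o.answer for o in bad}) == 1:
        # Unrelated operators agree on data we never published, so they all
        # learn it from the same place: check the NS delegation at the parent.
        return "delegation", worst_ttl
    # Foreign data confined to one operator: poisoning or compromise there;
    # ask that operator to flush the cache and investigate.
    return "poisoning_or_compromise", worst_ttl

# Constructed sample (not real lookups): our server and Google agree, while
# both Level 3 resolvers hand out a foreign record with an unknown SOA serial.
EXPECTED = frozenset({"203.0.113.10"})
PUBLISHED = {2012062301, 2012062401}
SAMPLE = [
    Observation("203.0.113.53", "us", EXPECTED, 2012062401, 3600),
    Observation("8.8.8.8", "Google", EXPECTED, 2012062401, 2950),
    Observation("4.2.2.2", "Level 3", frozenset({"198.51.100.7"}), 1, 82100),
    Observation("4.2.2.1", "Level 3", frozenset({"198.51.100.7"}), 1, 81900),
]

if __name__ == "__main__":
    print(triage(SAMPLE, EXPECTED, PUBLISHED))  # ('poisoning_or_compromise', 82100)
```

The large remaining TTL on the foreign answer is the figure Sandman4 suggests watching: it tells you when the bad record will age out on its own if the operator does not flush it.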