Firewall vendors?
Were many firewall vendors involved in this? I ask because ZoneAlarm was broken by the update, and their forums are now filled with people reporting that they can't connect.
An alliance of software makers and network-hardware vendors announced on Tuesday that they had banded together to fix a fundamental flaw in the design of the internet's address system. The vulnerability in the domain name system (DNS) - the distributed database that matches a host and domain name with the numerical address of …
How can they post to the forum if they can't connect? *grin*
The firewall issue was a secondary problem - changing the behaviour of the DNS "application" means that certain tuned firewall rules will break.
There's no reason why they should necessarily have had pre-warning - although it would probably make sense for them to get onto a beta for patches from Microsoft or something so that they can find the problem before their users...
There has been at least one well-respected DNS implementation available since 2001 that addresses these issues, specifically djbdns.
From its blurb (http://cr.yp.to/djbdns/blurb/security.html):
- dnscache uses a cryptographic generator to select unpredictable port numbers and IDs.
- dnscache is immune to cache poisoning.
It seems that the major DNS implementations have been aware of these issues since around that time, but haven't bothered to address them until now.
I like BIND, I really do. It's functional, multipurpose, adaptable and well-documented. A bit buggy, it's true, but it does what I want, in the way I want, as no other nameserver I've tried (djbdns, MaraDNS) does. It's like Sendmail - not elegant, but lovely for its functionality and close to administrators' hearts. But to find that after all these years they still haven't figured out a way to generate different queries with unique IDs and source ports using a genuine cryptographically-secured RNG is just bloody ridiculous. Of course, it won't stop me from using BIND. Or Sendmail. Or thttpd (which has had a couple of low-profile flaws). I guess functionality and ease of administration *do* matter, however much you care about security - and I do care, certainly enough to keep it simple whenever I can (vsftpd, Dovecot, Dillon's Cron, OpenNTPD, etc).
Cheers,
Sabahattin
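The djbdns blurb quoted above makes the point that unpredictable source ports and transaction IDs are what stand between a resolver and forged answers. As an added illustration (not part of this thread or of djbdns), here is a small check an operator could run over (source port, transaction ID) pairs pulled from a capture of their resolver's outbound queries; the two sample resolvers are constructed data, not real captures.

```python
import math
import random
from collections import Counter

# Constructed sample data (not real captures): (source_port, transaction_id)
# pairs from a resolver's outbound queries, e.g. as read off a packet capture.
# Resolver A: fixed source port and a simple incrementing transaction ID.
RESOLVER_A = [(53, (0x1A2B + i) & 0xFFFF) for i in range(200)]
# Resolver B: both fields from a strong generator (seeded here for repeatability).
_rng = random.Random(1234)
RESOLVER_B = [(_rng.randint(1024, 65535), _rng.randint(0, 65535)) for _ in range(200)]


def observed_entropy(values):
    """Shannon entropy in bits of the observed values; ceiling is log2(len(values))."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def sequential_fraction(ids):
    """Fraction of successive transaction IDs that differ by exactly +1 (mod 2^16)."""
    if len(ids) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ids, ids[1:]) if (b - a) & 0xFFFF == 1)
    return steps / (len(ids) - 1)


def assess(queries):
    """Summarise how much guesswork an off-path forger faces against this resolver."""
    ports = [p for p, _ in queries]
    ids = [i for _, i in queries]
    ceiling = math.log2(len(queries))  # best entropy observable at this sample size
    report = {
        "distinct_ports": len(set(ports)),
        "port_entropy": observed_entropy(ports),
        "id_entropy": observed_entropy(ids),
        "entropy_ceiling": ceiling,
        "sequential_id_fraction": sequential_fraction(ids),
    }
    if report["distinct_ports"] == 1:
        report["verdict"] = "fixed source port: only the 16-bit ID separates real and forged answers"
    elif report["sequential_id_fraction"] > 0.5:
        report["verdict"] = "predictable transaction IDs despite varying ports"
    elif report["port_entropy"] < 0.9 * ceiling or report["id_entropy"] < 0.9 * ceiling:
        report["verdict"] = "low entropy in port or ID; capture more queries and investigate"
    else:
        report["verdict"] = "ports and IDs look unpredictable at this sample size"
    return report
```

A distinct-port count of 1 means the resolver is still sending every query from the same port, so only the 16-bit ID protects it; a few hundred queries are enough to see that, while confirming good randomness needs a larger capture.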
Add/Remove Programs option in XP Pro. I do not now have the option to remove any programs via Control Panel. Anyone else have this? It also did affect my ability to access the net because it had changed a setting on ZoneAlarm version zlsSetup_70_470_000_en. The way I fixed it was simply to change the "Internet Zone Security" to "Medium" as it was on "High" (whether the update changed it I don't know).
Anyone know any more as to why the Add/Remove Programs would be affected, as it definitely has been?
I am utterly astonished that you actually prefer BIND over DJBDNS. The latter is far simpler to configure than the former, and never misses a beat regardless of load.
Apart from that, BIND has deliberately not conformed to certain RFCs - a practice which hardly makes it 'close to administrators' hearts'.
The update has already been widely reported in tech forums to screw up ZoneAlarm. I use this on my home PC, and spent some time trying to figure out how to get back on - including talking with my ISP tech support. Worryingly, even after an msconfig to do a clean start-up, I couldn't even browse with Windows Firewall on until I started and then shut down ZoneAlarm.
And even more worryingly, seemingly turning off Windows Firewall first for a moment made no difference.
Watch this space, I fear.
So everyone agrees that there is a problem with DNS, the MS update breaks a crappy product, and you say MS didn't do enough testing? Um, so you're saying it's not the fact that a group of vendors got together and changed how DNS works that broke ZA, but MS's crappy programming. Did you ever take into account that it was what they changed in DNS that broke ZA?
I'm no fan of MS, but please place the blame where it belongs. I mean, a change in a standard can break anything that relied on the old standard.
So I have a theory on what it is that Dan Kaminsky may have discovered that is broken with DNS.
Basically it has to do with ICMP packets (spoofed ICMP unreachable response packets sent to the recursor in order to prevent it communicating with the real nameserver - or similarly sent to the real authoritative nameservers to prevent them talking to the recursor).
The biggest difficulty with spoofing DNS at the moment is that you need to silence the real nameservers in order to get your fake replies in.
ICMP packets are sent in response to other IP packets. For an ICMP response to be valid, it must contain the IP header of the packet it is a response to, but it also must contain 64 bits of the data payload. The reason for requiring 64 bits of the payload is to prevent people from spoofing ICMP replies to packets they have not received. In the case of a DNS packet, that payload is the first 64 bits of the UDP header.
What is in the first 64 bits of the UDP header? The source and destination ports of the DNS servers. If these are easily predictable then you can spoof ICMP.
If you can spoof ICMP, you can prevent the recursor from communicating with the real nameserver by sending an ICMP unreachable. This will make it very, very easy to spoof DNS as it removes the biggest hurdle: that of silencing the real nameservers. It only takes about 2 min on a 10 Mbit/s connection to run through all 65536 possible sequence numbers, so if you can prevent the recursor from talking to the real nameservers it really is easy as pie.