FYI. There was some question here about whether PowerDNS was vulnerable or not and what it was doing, so I asked Bert Hubert about it. Here is his answer: -------- Original Message -------- Subject: Re: [Fwd: Re: DNS attacks evolve] Date: Wed, 13 Aug 2008 21:29:50 +0200 From: bert hubert <bert.hubert@netherlabs.nl> To: Mike Leber <mleber@he.net> References: <48A08113.6010801@he.net> On Mon, Aug 11, 2008 at 11:12:35AM -0700, Mike Leber wrote:
Is there any post anywhere that provides more technical detail about how the PowerDNS cache is not vulnerable?
Mike, very briefly, PowerDNS implements two things: source port randomization + near miss detection. Near miss detection is documented here: http://doc.powerdns.com/built-in-recursor.html spoof-nearmiss-max If set to non-zero, PowerDNS will assume it is being spoofed after seeing this many answers with the wrong id. Defaults to 20. Some more is in: http://doc.powerdns.com/recursor-details.html
I'll post a link to it and provide other operators a better answer than the equivalent of "because I say so". The answer could be anything such as "we reject updates to glue when", or "it takes 10 years based on these calculations...".
Calculations on how long it will take are on http://blog.netherlabs.nl/articles/2008/08/05/calculating-the-chance-of-spoo... These calculations go beyond what powerdns 3.1.7 does however.
If your vendor told you that you are not at risk they are wrong, and need to go re-read the Kaminski paper. EVERYONE is vunerable, the only question is if the attack takes 1 second, 1 minute, 1 hour or 1 day. While possibly interesting for short term problem
Or 1 year, or 2 years or a century. Bert -- http://www.PowerDNS.com Open source, database driven DNS Software http://netherlabs.nl Open and Closed source services -- +---------------- H U R R I C A N E - E L E C T R I C ----------------+ | Mike Leber Wholesale IPv4 and IPv6 Transit 510 580 4100 | | Hurricane Electric AS6939 | | mleber@he.net Internet Backbone & Colocation http://he.net | +---------------------------------------------------------------------+
On Thu, Aug 14, 2008 at 10:07:30AM -0700, Mike Leber wrote:
FYI. There was some question here about whether PowerDNS was vulnerable or not and what it was doing, so I asked Bert Hubert about it. Here is his answer:
And my additional nuance: By the way - just to nuance things, I'm sure PowerDNS can be spoofed too if enough effort is thrown into it. I'm working hard to implement the features that will allow me to state PowerDNS won't be spoofed "in a million years of trying". But I'm not there yet :-) Cheers, Bert -- http://www.PowerDNS.com Open source, database driven DNS Software http://netherlabs.nl Open and Closed source services
participants (2)
-
bert hubert
-
Mike Leber