Scanning for DNS Servers Vulnerable to Cache Poisoning
Recently, CERT issued vulnerability note VU#800113 which describes a variety of issues with multiple DNS commercial and open source tools.
The vulnerability allows an attacker to perform a cache poisoning attack. This could result in an attacker being able to redirect email, web and other types of traffic to hosts under their control, with many implications for identity theft, malware propagation, credit card theft and denial of service.
Tenable's research group has produced several Nessus plugins which test for this vulnerability.
- The "Remote DNS Resolver Uses Non-Random Ports" plugin, ID #33447 and currently available to Direct Feed users, performs a variety of queries against a DNS server to determine whether the source ports used in these transactions are sufficiently randomized. You do not need credentials to perform this test; it is based purely on DNS queries sent to the DNS server.
- Plugin #33441 is a credentialed check for Microsoft servers that tests for the presence of the MS08-037 patch which fixes this issue.
- Plugins #33451 and #33450 are credentialed checks for Debian DNS servers.
- Plugin #33462 is a credentialed check for Red Hat DNS servers.
- Plugin #33464 is a credentialed check for Ubuntu DNS servers.
- Plugin #33448 is a credentialed check for CentOS DNS servers.
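The uncredentialed check described in the first bullet boils down to observing the source port of many successive queries and judging whether they look random. The following is an added example of that judgement logic, not Tenable's plugin code: it takes a list of observed UDP source ports (the samples at the bottom are constructed) and classifies the resolver as fixed, predictable or randomized.

```python
"""Gauge whether a DNS resolver's outbound query source ports are randomized.

Added example, not Tenable's plugin code. Input is the UDP source port seen
on each successive query the resolver sent; the samples at the bottom are
constructed for illustration."""
import math
from collections import Counter


def port_entropy_bits(ports):
    """Shannon entropy in bits of the observed port distribution."""
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())


def sequential_fraction(ports):
    """Share of consecutive queries whose port rose by exactly one."""
    if len(ports) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return hits / (len(ports) - 1)


def assess_source_ports(ports, max_sequential=0.2, min_span=1024):
    """Return 'fixed', 'predictable' or 'randomized' for a port sample.

    A resolver behind a NAT device that rewrites source ports can look
    predictable from outside even when the resolver itself randomizes,
    so confirm the vantage point before acting on a 'predictable' verdict.
    """
    if not ports:
        raise ValueError("need at least one observed port")
    if len(set(ports)) == 1:
        return "fixed"                      # every query reuses one port
    reused = len(ports) - len(set(ports))
    if (sequential_fraction(ports) > max_sequential
            or max(ports) - min(ports) < min_span
            or reused > len(ports) // 10):  # more than 10% port reuse
        return "predictable"
    return "randomized"


# Constructed samples of 20 observed source ports each.
FIXED_PORTS = [53] * 20
SEQUENTIAL_PORTS = list(range(32768, 32788))
RANDOM_PORTS = [54312, 1705, 61923, 33901, 12044, 49876, 7213, 58402,
                25190, 40377, 3318, 63240, 19855, 47006, 9991, 30122,
                56633, 15477, 44210, 36658]

if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_PORTS), ("sequential", SEQUENTIAL_PORTS),
                         ("random", RANDOM_PORTS)]:
        print(f"{name:10s} entropy={port_entropy_bits(sample):.2f} bits "
              f"verdict={assess_source_ports(sample)}")
```

The thresholds are illustrative; a real assessment should use a sample of at least a few dozen queries, since twenty ports can only show about 4.3 bits of entropy even when fully random.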
As more patches for this advisory become available in other operating systems, Tenable will add checks for those systems as well.
Dan Kaminsky of IOActive, Paul Vixie of the Internet Systems Consortium (ISC) and Daniel J. Bernstein have all been credited with finding this security issue and raising awareness among ISPs, vendors and network administrators.
If your organization is modifying its DNS servers because of this vulnerability, we also suggest that you test whether DNS recursion is enabled and, if it is not needed, disable it as well.