posted by Fnord666 on Tuesday November 17 2020, @01:59PM
from the zombie-attack dept.

DNS cache poisoning, the Internet attack from 2008, is back from the dead:

In 2008, researcher Dan Kaminsky revealed one of the more severe Internet security threats ever: a weakness in the domain name system that made it possible for attackers to send users en masse to imposter sites instead of the real ones belonging to Google, Bank of America, or anyone else. With industrywide coordination, thousands of DNS providers around the world installed a fix that averted this doomsday scenario.

Now, Kaminsky's DNS cache poisoning attack is back. Researchers on Wednesday presented a new technique that can once again cause DNS resolvers to return maliciously spoofed IP addresses instead of the site that rightfully corresponds to a domain name.

"This is a pretty big advancement that is similar to Kaminsky's attack for some resolvers, depending on how [they're] actually run," said Nick Sullivan, head of research at Cloudflare, a content-delivery network that operates the 1.1.1.1 DNS service. "This is amongst the most effective DNS cache poisoning attacks we've seen since Kaminsky's attack. It's something that, if you do run a DNS resolver, you should take seriously."

[...] On Wednesday, researchers from Tsinghua University and the University of California, Riverside presented a technique that, once again, makes cache poisoning feasible. Their method exploits a side channel that identifies the port number used in a lookup request. Once the attackers know the number, they once again stand a high chance of successfully guessing the transaction ID.

The side channel in this case is the rate limit for ICMP, the abbreviation for the Internet Control Message Protocol. To conserve bandwidth and computing resources, servers will respond to only a set number of requests from other servers. After that, servers will provide no response at all. Until recently, Linux always set this limit to 1,000 per second.

  • (Score: 0) by Anonymous Coward on Tuesday November 17 2020, @02:30PM

    by Anonymous Coward on Tuesday November 17 2020, @02:30PM (#1078252)

    This problem has been fixed forever now.

  • (Score: 2) by pkrasimirov on Tuesday November 17 2020, @02:56PM (14 children)

    by pkrasimirov (3358) Subscriber Badge on Tuesday November 17 2020, @02:56PM (#1078271)

    There was no Let's Encrypt back in 2008, now it is much better.

    • (Score: 3, Informative) by The Mighty Buzzard on Tuesday November 17 2020, @03:01PM (13 children)

      by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Tuesday November 17 2020, @03:01PM (#1078275) Homepage Journal

      Complete non-sequitur there. We're talking DNS.

      --
      My rights don't end where your fear begins.
      • (Score: 2) by rigrig on Tuesday November 17 2020, @03:57PM (12 children)

        by rigrig (5129) <soylentnews@tubul.net> on Tuesday November 17 2020, @03:57PM (#1078309) Homepage

        Well, at least HTTPS and HSTS can prevent attackers from redirecting people to spoofed websites.
        No such luck for email though :-(

        --
        No one remembers the singer.
        • (Score: 3, Insightful) by The Mighty Buzzard on Tuesday November 17 2020, @04:06PM (6 children)

          by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Tuesday November 17 2020, @04:06PM (#1078311) Homepage Journal

          For browsers that support it, sure. If you're willing to hand your entire connection history over to $bigadvertisingcorp.

          --
          My rights don't end where your fear begins.
          • (Score: 2) by ledow on Tuesday November 17 2020, @04:08PM (3 children)

            by ledow (5567) on Tuesday November 17 2020, @04:08PM (#1078313) Homepage

            Talking of non-sequiturs... what the hell does TLS, HTTPS and HSTS have to do with advertising companies?

            • (Score: 4, Insightful) by The Mighty Buzzard on Tuesday November 17 2020, @05:29PM (2 children)

              by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Tuesday November 17 2020, @05:29PM (#1078353) Homepage Journal

              Quite a lot if you're using google's nameservers for DNS over HTTPS. Frankly, I don't trust any of the current providers of such to not at least sell my query history if they're not using it themselves.

              --
              My rights don't end where your fear begins.
              • (Score: 2, Interesting) by Anonymous Coward on Tuesday November 17 2020, @07:25PM (1 child)

                by Anonymous Coward on Tuesday November 17 2020, @07:25PM (#1078406)

                Quite a lot if you're using google's nameservers for DNS over HTTPS. Frankly, I don't trust any of the current providers of such to not at least sell my query history if they're not using it themselves.

                And don't forget that DoH will give you back all those ads you weren't seeing when all your DNS went through pihole [pi-hole.net].

                That's the *real* reason the big tech companies love DoH.

                • (Score: 1, Interesting) by Anonymous Coward on Tuesday November 17 2020, @09:24PM

                  by Anonymous Coward on Tuesday November 17 2020, @09:24PM (#1078466)

                  Paul Vixie, one of the fathers of DNS, basically agrees. He has a great comparison of DNS and its privacy options here: https://www.youtube.com/watch?v=ZxTdEEuyxHU [youtube.com] It is very informative as to the situational background and he is quite blunt as to why DoH is a political and tracking project. He also reveals what the long term game is based on other proposed standards and why it isn't to help users.

          • (Score: 2) by rigrig on Wednesday November 18 2020, @12:17AM (1 child)

            by rigrig (5129) <soylentnews@tubul.net> on Wednesday November 18 2020, @12:17AM (#1078569) Homepage

            I think you might be confusing HTTP Strict Transport Security [ietf.org] with DNS over HTTPS?

            What I meant was that attackers might be able to hijack your DNS, but they don't have a valid certificate. With HSTS the browser will refuse to downgrade to plain HTTP, so they can't show you a spoofed version of the site you intended to visit.

            But there is no equivalent for email, so attackers can just run a plain unencrypted SMTP server and other servers will happily deliver messages to it.

            --
            No one remembers the singer.
            • (Score: 2) by The Mighty Buzzard on Wednesday November 18 2020, @03:55PM

              by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Wednesday November 18 2020, @03:55PM (#1078817) Homepage Journal

              Both are relevant but neither are enough. TLS and HSTS will stop script kiddies and other impersonal, low-hanging fruit. If someone with non-trivial skills is targeting you or the site in question specifically, you're screwed if you rely only on HTTPS.

              --
              My rights don't end where your fear begins.
        • (Score: 2) by pkrasimirov on Tuesday November 17 2020, @04:18PM (4 children)

          by pkrasimirov (3358) Subscriber Badge on Tuesday November 17 2020, @04:18PM (#1078316)

          I am not aware of a mail server which is still running plain-text SMTP today.

          TMB, SSL/TLS protects against MITM. What potential impact does a spoofed DNS have if my browser or mail client refuses to connect to the bogus server?

          • (Score: 2) by The Mighty Buzzard on Tuesday November 17 2020, @05:25PM (2 children)

            by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Tuesday November 17 2020, @05:25PM (#1078351) Homepage Journal

            Pretty much all of them will if you either tell them to or don't tell them not to.

            Problem with that reasoning. You're assuming they don't have a valid cert for whatever domain they're spoofing the DNS entry for. Or rather one that your box thinks is valid. That can't be taken as a given if they're targeting you specifically enough to want to MITM you. How often do you check your system's list of trusted CAs?

            --
            My rights don't end where your fear begins.
            • (Score: 0) by Anonymous Coward on Tuesday November 17 2020, @05:52PM (1 child)

              by Anonymous Coward on Tuesday November 17 2020, @05:52PM (#1078360)

              not sure what the difference is between writing an email in a text editor then using some command-line tool (or gui) to turn that plain-text into private.public-key gobbledygook and then plain-and-simple "plain-text" emailing that gobbledygook to someone -vs- well ..hmmm.... "encrypting the pipe"(?) and then sending the plain-text (real-plain-text) through it?
              i suppose in case one, two people could meet in realworld and decide on a "new encryption thingy" like both have a copy of the 1979 phonebook from, say, baltimore ... whilst the second case would mean that if "somebody" breaks an industry standard (like TLS) then ALL tunnels are broken?

              hmmm ... also there's a "root.hint" file but there's no "root.hints.public-key" file?

          • (Score: 2) by rigrig on Tuesday November 17 2020, @11:56PM

            by rigrig (5129) <soylentnews@tubul.net> on Tuesday November 17 2020, @11:56PM (#1078559) Homepage

            It's not about your end: attackers can spoof email providers, make a whole bunch of password reset requests and intercept all the incoming mail.

            --
            No one remembers the singer.
  • (Score: 5, Interesting) by The Mighty Buzzard on Tuesday November 17 2020, @02:58PM (19 children)

    by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Tuesday November 17 2020, @02:58PM (#1078274) Homepage Journal

    Feeling pretty good about running my own recursive resolver for my LAN now. All external requests are blocked by the config file, the router forwarding port 53 (TCP+UDP) and all ICMP to an entirely different machine, and iptables on the resolver. Ain't perfect security but it'll stop anyone who isn't specifically targeting me.

    --
    My rights don't end where your fear begins.
    • (Score: 4, Interesting) by Booga1 on Tuesday November 17 2020, @04:05PM (15 children)

      by Booga1 (6333) on Tuesday November 17 2020, @04:05PM (#1078310)

      I'm not super familiar with it, but I wonder if a Pi Hole [pi-hole.net] would help in this situation. I know it's meant to handle ad killing, but it's basically handling all DNS isn't it? Or would you also have to do something special to set it up to avoid allowing external requests?

      • (Score: 3, Touché) by The Mighty Buzzard on Tuesday November 17 2020, @04:27PM (9 children)

        by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Tuesday November 17 2020, @04:27PM (#1078321) Homepage Journal

        We'll never know because it's not worth learning to use a toy when you already know how to use bind, which I do. It could be the best thing since sliced bread and a proper recursive resolver but I expect it's just handing off non-blocked queries to your ISP or one of the global alternatives like 8.8.8.8 or 1.1.1.1, at least by default.

        --
        My rights don't end where your fear begins.
        • (Score: 1, Informative) by Anonymous Coward on Tuesday November 17 2020, @07:41PM (8 children)

          by Anonymous Coward on Tuesday November 17 2020, @07:41PM (#1078412)

          We'll never know because it's not worth learning to use a toy when you already know how to use bind, which I do. It could be the best thing since sliced bread and a proper recursive resolver but I expect it's just handing off non-blocked queries to your ISP or one of the global alternatives like 8.8.8.8 or 1.1.1.1, at least by default.

          The nice part about pihole is that it provides blocklists for (as of 17 November 2020, 1430 US/Eastern) > 95,000 known tracking/ad distribution domains.

          I run BIND internally (as well as separately externally, for the domains I'm authoritative for) and make the pihole the single forwarder for all my internal DNS servers. Further, I block all outgoing DNS requests (via IPTables on the router/firewall) from *any* host other than the pihole.

          Pihole allows you to configure several external DNS servers (I use ones from both my ISPs, but you can use your own caching/recursive BIND instance if you like instead), but blocks any requests that match the blocklists and manual blacklists. I can also whitelist any domains I like.

          All in all, pihole is definitely a good thing. As it blocks ads/tracking for *all* the devices on my internal network, not just in browsers with ad/tracking blocker extensions (e.g. UBlockOrigin).

          And I can review (both in aggregate and individually) blocked and allowed DNS queries and make any changes to the black/white lists arbitrarily.

          As such, I wouldn't classify PiHole as a 'toy'. Rather, it's a useful tool if you want to limit ads/tracking on your network.

          • (Score: 2) by Fnord666 on Tuesday November 17 2020, @09:17PM (1 child)

            by Fnord666 (652) on Tuesday November 17 2020, @09:17PM (#1078461) Homepage

            So how do you handle laptops that leave your premises and connect to a different access point such as a public wifi? Do they always VPN back "home"?

            • (Score: 1, Interesting) by Anonymous Coward on Wednesday November 18 2020, @12:56AM

              by Anonymous Coward on Wednesday November 18 2020, @12:56AM (#1078586)

              So how do you handle laptops that leave your premises and connect to a different access point such as a public wifi? Do they always VPN back "home"?

              I don't. That's not my use case.

              I suppose you *could* VPN back home, but why not just run Pihole+recursive nameserver locally instead?

              Of course, that doesn't help with your phone unless you have a Linux phone [itsfoss.com], but again that's not my use case.

          • (Score: 2) by The Mighty Buzzard on Tuesday November 17 2020, @11:16PM (5 children)

            by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Tuesday November 17 2020, @11:16PM (#1078530) Homepage Journal

            ...but you can use your own caching/recursive BIND instance if you like instead...

            Ahh, see now that's interesting. Now I wonder what kind of a pain it would be to yoink out just the list-building code.

            As such, I wouldn't classify PiHole as a 'toy'.

            Don't take it personal. It uses dnsmasq which I also consider a toy. I'm just not interested in running a daemon of that variety. You know, the kind Apple users would ask for; fewer options and less functionality but easy to use.

            --
            My rights don't end where your fear begins.
            • (Score: 0) by Anonymous Coward on Wednesday November 18 2020, @01:49AM (2 children)

              by Anonymous Coward on Wednesday November 18 2020, @01:49AM (#1078608)

              Ahh, see now that's interesting. Now I wonder what kind of a pain it would be to yoink out just the list-building code.

              The real value, as you correctly point out, is the blocklist management.

              I guess it would be a bunch of work, but the code [github.com] is pretty straightforward. So it shouldn't be too difficult.

              As such, I wouldn't classify PiHole as a 'toy'.

              Don't take it personal. It uses dnsmasq which I also consider a toy. I'm just not interested in running a daemon of that variety. You know, the kind Apple users would ask for; fewer options and less functionality but easy to use.

              Why would I do that? I have no relationship with dnsmasq (or pihole for that matter) other than as a user in conjunction with pihole.

              So what's your gripe with dnsmasq? Granted, I'd use a different DNS server if I was rolling my own, but it's really just acting as a caching server for pihole. I'm not really sure what value other name servers would/could add in that role.

              I suppose it might be nice to integrate the blocking with a recursive BIND instance and avoid the extra caching server.

              If you decide to integrate with BIND, I'd love to check it out. That could be quite interesting.

              • (Score: 2) by The Mighty Buzzard on Wednesday November 18 2020, @03:59PM

                by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Wednesday November 18 2020, @03:59PM (#1078819) Homepage Journal

                Remind me of it after Christmas and I should have some time to at least look at it. We're hopefully and quite likely going to be moved in to the church by then and I'll have some significant chair time again.

                --
                My rights don't end where your fear begins.
              • (Score: 0) by Anonymous Coward on Thursday November 19 2020, @09:51AM

                by Anonymous Coward on Thursday November 19 2020, @09:51AM (#1079138)

                He is probably better off using his own script over gravity.sh. BIND can consume many of the lists directly using RPZ, and the hosts format used on many of the rest isn't that complicated. The real key is to dedupe properly and consider more advanced list formats for consumption, like dnsmasq, unbound, uBO/ABP, etc., to reduce the overhead per name.
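The list conversion this comment sketches, as an added example that is not Pi-hole's gravity.sh nor any BIND tooling: it reads hosts-format and dnsmasq `address=` lines, dedupes (dropping names already covered by a blocked parent, since the RPZ wildcard record handles those), and renders an RPZ zone BIND can load via `response-policy`. The sample lists, the `example.test` domains and the `rpz.local` zone name are constructed placeholders.

```python
"""Build a deduplicated BIND RPZ zone from hosts/dnsmasq blocklists."""
import re

# Constructed sample input (placeholder domains, not real blocklist data).
SAMPLE_HOSTS = """\
# hosts-format list
0.0.0.0 ads.example.test
127.0.0.1 tracker.example.test   # inline comment
0.0.0.0 ads.example.test
0.0.0.0 cdn.tracker.example.test
::1 localhost
0.0.0.0 MixedCase.Example.test
"""
SAMPLE_DNSMASQ = """\
address=/metrics.example.test/0.0.0.0
address=/ads.example.test/
server=/internal.test/10.0.0.53
"""

HOSTS_RE = re.compile(r"^\s*(\S+)\s+(\S+)")          # "<ip> <name>"
DNSMASQ_RE = re.compile(r"^\s*address=/([^/]+)/")   # "address=/<name>/[ip]"
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def valid_name(name):
    """Reject single labels (localhost etc.), bad characters and empty labels."""
    labels = name.split(".")
    return len(labels) > 1 and all(LABEL_RE.match(l) for l in labels)

def parse_lines(text):
    """Yield normalised (lowercase, no trailing dot) names from either format."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        m = DNSMASQ_RE.match(line)
        if m:
            name = m.group(1)
        else:
            m = HOSTS_RE.match(line)          # dnsmasq server=/../ lines fail this
            if not m:
                continue
            name = m.group(2)
        name = name.lower().rstrip(".")
        if valid_name(name):
            yield name

def dedupe(names):
    """Drop exact duplicates and any name under an already-blocked parent.

    Parents sort first (fewer labels), so a child can be tested against
    every kept ancestor; *.parent in the RPZ covers it anyway."""
    kept = []
    for name in sorted(set(names), key=lambda n: (n.count("."), n)):
        if not any(name.endswith("." + p) for p in kept):
            kept.append(name)
    return kept

def to_rpz(names, origin="rpz.local", serial=1):
    """Render an RPZ zone; 'CNAME .' is the RPZ action for NXDOMAIN."""
    lines = [f"$ORIGIN {origin}.", "$TTL 300",
             f"@ SOA localhost. hostmaster.{origin}. {serial} 3600 900 604800 300",
             "@ NS localhost."]
    for n in names:
        lines.append(f"{n} CNAME .")
        lines.append(f"*.{n} CNAME .")
    return "\n".join(lines) + "\n"

def build(*sources):
    """Parse every source list and return the deduplicated block set."""
    return dedupe(n for s in sources for n in parse_lines(s))

if __name__ == "__main__":
    print(to_rpz(build(SAMPLE_HOSTS, SAMPLE_DNSMASQ)), end="")
```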

            • (Score: 1, Interesting) by Anonymous Coward on Wednesday November 18 2020, @07:52PM (1 child)

              by Anonymous Coward on Wednesday November 18 2020, @07:52PM (#1078929)

              You'd probably be better off using a dedicated local caching resolver like unbound.

              • (Score: 2) by The Mighty Buzzard on Friday November 20 2020, @02:42AM

                by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Friday November 20 2020, @02:42AM (#1079571) Homepage Journal

                You're saying it would save me... what? Certainly not time. I haven't put half an hour into my bind setup in five and a half years. I wouldn't have put five minutes into it but I occasionally find a domain that really annoys me and blackhole DNS requests for its ass.

                --
                My rights don't end where your fear begins.
      • (Score: 2) by epitaxial on Tuesday November 17 2020, @05:01PM (4 children)

        by epitaxial (3165) on Tuesday November 17 2020, @05:01PM (#1078338)

        I hate that damn thing it might as well be a closed source black box. They could at least make the scripts available to use on your own machine instead of a pi.

        • (Score: 0) by Anonymous Coward on Tuesday November 17 2020, @09:44PM

          by Anonymous Coward on Tuesday November 17 2020, @09:44PM (#1078476)

          They do and you can.

        • (Score: 0) by Anonymous Coward on Wednesday November 18 2020, @01:56AM (2 children)

          by Anonymous Coward on Wednesday November 18 2020, @01:56AM (#1078611)

          I hate that damn thing it might as well be a closed source black box. They could at least make the scripts available to use on your own machine instead of a pi.

          As was already pointed out, they do. Well, not just the scripts but all the source code [github.com]. It's really lightweight too, so you can run it pretty much anywhere you run linux [pi-hole.net].

          installation info [pi-hole.net].

          • (Score: 2) by epitaxial on Wednesday November 18 2020, @07:30PM (1 child)

            by epitaxial (3165) on Wednesday November 18 2020, @07:30PM (#1078913)

            Will it run on your average x64 box?

            • (Score: 0) by Anonymous Coward on Wednesday November 18 2020, @07:58PM

              by Anonymous Coward on Wednesday November 18 2020, @07:58PM (#1078933)

              Will it run on your average x64 box?

              You can run it on anything that will run Linux.

              You can even run it locally and generally without you even noticing -- well except for the lack of ads/tracking.

              The links I posted detail the minimum requirements.

              On my pihole "box" (an x64 VM with 2GB RAM and a single virtual processor running Fedora 32), the blocking/management process uses ~10MB RAM and unnoticeable CPU.

              The UI (Lighttpd, php-cgi) uses ~100MB RAM total and minimal CPU. Although you don't need to run/use the UI at all and can just use the provided CLI.

              But why do you even care? Since they're worse than a black box? I mean it's not like they make the scripts [github.com] available or anything. Hoarders. That's what they are. Hoarders!

    • (Score: 5, Interesting) by ledow on Tuesday November 17 2020, @04:11PM (2 children)

      by ledow (5567) on Tuesday November 17 2020, @04:11PM (#1078314) Homepage

      If you're going to run your own, just run a DNSCrypt server (SimpleDNSCrypt on Windows, equivalent tools on Linux) and make sure it only communicates with those servers that fully-encrypt the entire process.

      I use a particular local network machine, and an outside dedicated server that I own (which only I can talk to).

      • (Score: 4, Interesting) by The Mighty Buzzard on Tuesday November 17 2020, @04:51PM

        by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Tuesday November 17 2020, @04:51PM (#1078332) Homepage Journal

        Setting up a full-on bind server isn't the chore for me that learning a less powerful tool would be. I do have DNSCrypt enabled (Because why not? It's like two or three lines of config file to do so.) but I'm not going to require DNSCrypt responses from other people's nameservers. That's still not viable yet.

        --
        My rights don't end where your fear begins.
      • (Score: 0) by Anonymous Coward on Tuesday November 17 2020, @05:53PM

        by Anonymous Coward on Tuesday November 17 2020, @05:53PM (#1078361)

        and make sure it only communicates with those servers that fully-encrypt the entire process.

        Why not just restrict communications to servers in your hosts file while you're at it? ;)

  • (Score: 0) by Anonymous Coward on Wednesday November 18 2020, @07:30AM (5 children)

    by Anonymous Coward on Wednesday November 18 2020, @07:30AM (#1078712)

    APK's hosts file software could help with this. Hardcoded DNS isn't vulnerable. Why have you censored him?

    • (Score: 2) by The Mighty Buzzard on Wednesday November 18 2020, @04:01PM

      by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Wednesday November 18 2020, @04:01PM (#1078820) Homepage Journal

      He got spammy.

      --
      My rights don't end where your fear begins.
    • (Score: 4, Funny) by tangomargarine on Wednesday November 18 2020, @05:08PM (3 children)

      by tangomargarine (667) on Wednesday November 18 2020, @05:08PM (#1078850)

      Why do people keep calling downvoting censorship? The comment is still there and you can still read it.

      Oh my god, I might have to *click to expand it*. The horror!

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
      • (Score: 0) by Anonymous Coward on Thursday November 19 2020, @09:54AM (2 children)

        by Anonymous Coward on Thursday November 19 2020, @09:54AM (#1079139)

        You literally can't post messages like he left due to unspecified filtering.

        • (Score: 2) by The Mighty Buzzard on Friday November 20 2020, @02:44AM (1 child)

          by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Friday November 20 2020, @02:44AM (#1079572) Homepage Journal

          Are you actually complaining that there's not enough spam on the site? I don't think you're going to find much support for that position.

          --
          My rights don't end where your fear begins.
          • (Score: 0) by Anonymous Coward on Monday November 30 2020, @01:41AM

            by Anonymous Coward on Monday November 30 2020, @01:41AM (#1082185)

            If I wanted crap like that on a news site I would go back to the Green Place.
            That said, forcing users to register to post doesn't seem to have solved the spam troll problems.