DNSstuff has released a new tool to help organizations detect if their DNS servers are vulnerable to the DNS protocol flaw revealed last week.
DNSstuff.com is offering a free tool for organizations looking
to test the susceptibility of their domain name servers to a
fundamental flaw in the Domain Name System protocol revealed publicly
A provider of on-demand DNS and network analysis tools,
DNSstuff made the freeware, which company officials
have dubbed DNS Vulnerability Check
, available on its site Wednesday. The tool is meant to test for the vulnerability reported
by Dan Kaminsky, director of penetration testing for IOActive.
The researcher reportedly uncovered a flaw in the DNS
can be exploited to poison DNS server caches and re-direct
Internet traffic. While he has publicly kept details of the
vulnerability close to his vest, several vendors coordinated the release of a patch
response. In the case of DNSstuff, company officials decided to
offer a free tool that checks to see if DNS queries from a user's
server are coming from the same source port.
"When you click the test button on the Web site, you are redirected
to a specially crafted URL that has encoded your Web client's IP
address, which causes a DNS query to resolve this name to an IP
address," said Paul Parisi, CTO of DNSstuff. "This query is handled by
whatever DNS server you have your system configured to use-
typically provided by your ISP-
and set up to perform recursion for you and other customers."
"The URL itself resolves to a specially crafted CNAME, which itself
resolves to yet another specially crafted CNAME," he explained. "The
end result of this is that the resolver operating on your behalf must
make several DNS lookups in series to our tool, during which time we
record the IP address of the DNS server making the query, the source
port the query came from and the query ID in the DNS packet
Ultimately, the name will resolve to an IP address of the DNSstuff
site. At this point its Web server decodes
the information and compares the lookups to one another, Parisi
"If you are vulnerable, the data we recorded will show that all the
DNS queries made by your resolver originated from the same source IP
address," he said.
The tool also checks for reused query IDs.
"There are far too many attacks against DNS to list; it is the most
insecure part of the infrastructure as it relies on easily forged data
from a third party you must implicitly trust and cannot verify," Parisi
addresses most of these issues, leaving only run-of-the-mill vulnerabilities such as buffer overflows to contend with."