DNSstuff Freeware Detects Vulnerable DNS Servers

DNSstuff has released a new tool to help organizations detect if their DNS servers are vulnerable to the DNS protocol flaw revealed last week.

DNSstuff.com is offering a free tool for organizations looking to test the susceptibility of their domain name servers to a fundamental flaw in the Domain Name System protocol revealed publicly last week.

A provider of on-demand DNS and network analysis tools, DNSstuff made the freeware, which company officials have dubbed DNS Vulnerability Check, available on its site Wednesday. The tool is meant to test for the vulnerability reported by Dan Kaminsky, director of penetration testing for IOActive.

The researcher reportedly uncovered a flaw in the DNS protocol that can be exploited to poison DNS server caches and re-direct Internet traffic. While he has publicly kept details of the vulnerability close to his vest, several vendors coordinated the release of a patch in response. In the case of DNSstuff, company officials decided to offer a free tool that checks to see if DNS queries from a user's server are coming from the same source port.

"When you click the test button on the Web site, you are redirected to a specially crafted URL that has encoded your Web client's IP address, which causes a DNS query to resolve this name to an IP address," said Paul Parisi, CTO of DNSstuff. "This query is handled by whatever DNS server you have your system configured to use-typically provided by your ISP-and set up to perform recursion for you and other customers."

"The URL itself resolves to a specially crafted CNAME, which itself resolves to yet another specially crafted CNAME," he explained. "The end result of this is that the resolver operating on your behalf must make several DNS lookups in series to our tool, during which time we record the IP address of the DNS server making the query, the source port the query came from and the query ID in the DNS packet header."

Ultimately, the name will resolve to an IP address of the DNSstuff site. At this point its Web server decodes the information and compares the lookups to one another, Parisi added.

"If you are vulnerable, the data we recorded will show that all the DNS queries made by your resolver originated from the same source IP address," he said.

The tool also checks for reused query IDs.

"There are far too many attacks against DNS to list; it is the most insecure part of the infrastructure as it relies on easily forged data from a third party you must implicitly trust and cannot verify," Parisi said. "DNSSEC addresses most of these issues, leaving only run-of-the-mill vulnerabilities such as buffer overflows to contend with."