SAD DNS - temporary script workaround.



  • In recent days the existence of another DNS cache poisoning exploit was revealed, apparently wittily named SAD DNS. This morning I read this article on an apparent workaround applicable to Linux users, until such time as the fix is incorporated into the kernels.

    https://www.techrepublic.com/article/how-to-temporarily-mitigate-sad-dns-for-linux-servers-and-desktops/

    Fwiw, here's the suggested script:

    #!/usr/bin/env bash
    #
    # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
    # OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
    # THE SOFTWARE.
    ###########################################################################
    #
    # Three options for installation. Choose one of the following:
    #
    # 1. Copy to /etc/cron.minutely (only works if your system actually has a
    #    run-parts directory of that name; most distributions do not ship one).
    #
    # 2. Copy the script to the DNS server. Create a file in /etc/cron.d with
    #    the following syntax (system crontabs take a user field, here "root",
    #    after the five time fields):
    #
    #    * * * * * root    /path/to/icmp_ratelimit.sh >/dev/null 2>&1
    #
    # 3. Create a user cron entry while using `crontab -e`. Do this as root:
    #    writing to /proc/sys requires root, so it will not work from an
    #    unprivileged user's crontab.
    #
    #    * * * * * /path/to/icmp_ratelimit.sh >/dev/null 2>&1
    #
    # - Change "/path/to" to match the exact location of the script.
    # - Finally, make sure it is executable: chmod +x /path/to/icmp_ratelimit.sh
    #
    set -u

    # net.ipv4.icmp_ratelimit is the minimum spacing, in milliseconds, between
    # rate-limited ICMP replies to a given target (kernel default: 1000).
    # Rewriting it about once a second with a random value in 500..1999 ms stops
    # the limit from being a predictable constant. The sysctl does not persist
    # across reboots, so cron has to keep re-running this script every minute.
    sysctl_file=/proc/sys/net/ipv4/icmp_ratelimit

    if [[ ! -w "${sysctl_file}" ]]; then
        echo "${sysctl_file} is not writable; run this script as root" >&2
        exit 1
    fi

    # 60 iterations of ~0.95 s covers most of the minute until cron fires again.
    seconds=60
    while (( seconds > 0 )); do
        echo $(( 500 + RANDOM % 1500 )) > "${sysctl_file}"
        sleep 0.95
        (( seconds-- ))
    done


    It also needs a cron job created:

    * * * * * root    /path/to/icmp_ratelimit.sh >/dev/null 2>&1
    

    I haven't decided yet if i'll bother, or just await the inevitable kernel patch. What do you others think about this issue?

    More background fyi:

    https://www.zdnet.com/article/dns-cache-poisoning-poised-for-a-comeback-sad-dns/
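
    An added example (mine, not from the TechRepublic article, BlueCat, or anyone in this thread): a few bash helpers around that workaround, so you can see whether it is actually in effect on a box and so that a bad value never reaches the kernel. Function and variable names are my own; they default to the real sysctl path but accept any file, so you can try them on a temp file before pointing them at /proc.

```shell
#!/usr/bin/env bash
# Added example, not part of the script posted above or of this thread.
# Helper checks around the icmp_ratelimit cron workaround. All names here
# are my own. Every function takes an optional FILE argument so the logic
# can be exercised on a temp file; the default is the live sysctl.

# Band the workaround writes: 500 + (0..1499) = 500..1999 milliseconds.
MITIGATION_MIN=500
MITIGATION_MAX=1999
KERNEL_DEFAULT=1000   # stock value of net.ipv4.icmp_ratelimit

# random_ratelimit_ms: the same draw the workaround script makes, as a function.
random_ratelimit_ms() {
    echo $(( MITIGATION_MIN + RANDOM % (MITIGATION_MAX - MITIGATION_MIN + 1) ))
}

# is_valid_ratelimit VALUE: returns 0 if VALUE is an integer inside the band.
is_valid_ratelimit() {
    local v=$1
    [[ "$v" =~ ^[0-9]+$ ]] || return 1
    (( v >= MITIGATION_MIN && v <= MITIGATION_MAX ))
}

# apply_ratelimit VALUE [FILE]: hardened form of the script's bare "echo".
# Refuses anything that is not an integer in the band, so a typo, an empty
# string or a "0" (which turns ICMP rate limiting off entirely) never gets
# written to the kernel.
apply_ratelimit() {
    local value=$1 file=${2:-/proc/sys/net/ipv4/icmp_ratelimit}
    is_valid_ratelimit "$value" || { echo "refusing to write '$value'" >&2; return 1; }
    [[ -w "$file" ]] || { echo "$file is not writable (need root?)" >&2; return 1; }
    printf '%s\n' "$value" > "$file"
}

# classify_ratelimit [FILE]: prints one word describing the current value:
#   missing    - file absent or unreadable (e.g. not a Linux host)
#   default    - still the stock 1000 ms; the workaround is probably not running
#   randomized - inside the 500..1999 band the workaround writes
#   other      - anything else, e.g. 0 (limiting disabled) or a local tuning
# Caveat: 1000 is also a legitimate random draw (1 chance in 1500), so one
# "default" reading is suggestive, not conclusive; read twice a few seconds apart.
classify_ratelimit() {
    local file=${1:-/proc/sys/net/ipv4/icmp_ratelimit} v
    [[ -r "$file" ]] || { echo missing; return 0; }
    read -r v < "$file"
    if [[ "$v" == "$KERNEL_DEFAULT" ]]; then
        echo default
    elif is_valid_ratelimit "$v"; then
        echo randomized
    else
        echo other
    fi
}

# Stand-alone use: report the live value once.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
    echo "icmp_ratelimit state: $(classify_ratelimit)"
fi
```

    Run it as-is (no root needed for reading) and it prints one word about the live value; `apply_ratelimit` needs root to actually write. The validation step is the part I would keep even if you drop the rest: the original one-liner will happily write whatever ends up in the expression, and a value of 0 means no ICMP rate limiting at all, which is the opposite of what the workaround is for.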


  • - Ambassador -


  • Vivaldi Translator

    I think this is only an issue for people hosting their own DNS.
    General users can simply change to a different DNS if the one they use is exploitable.



  • @Dr-Flay said in SAD DNS - temporary script workaround.:

    only an issue for people hosting their own DNS

    Initially that was also my assumption. However, if so, how to explain:

    Jack Wallen walks you through the process of putting in place a temporary fix against SAD DNS for your Linux servers and desktops

    serious security implications for both users and businesses

    BlueCat also informed me of a temporary fix for Linux servers and desktops

    Your Linux servers and desktops

    🤷🏼‍♀️

    @Dr-Flay said in SAD DNS - temporary script workaround.:

    if the one they use is exploitable

    How would they know?



  • @Steffie Oh silly me. Wrt my last question... I forgot about my old bookmark:

    https://www.grc.com/dns/dns.htm



  • @Steffie ...aaaaaaand so now having just run that test, for my Cloudflare & Quad9 DNS' extant since my 19/5/20 deployment of Dnscrypt-proxy for DoH, & seeing my results =

    Anti-Spoofing Safety: Excellent
    External Query: ignored (This means the nameserver is more spoof resistant.)
    DNSSEC Security: supported (This server supports improved security standards.)

    ... I have now officially decided to ignore this whole issue [including eschewing this workaround I posted].

    Sorry for the thread, everyone.


  • - Ambassador -

    @Steffie Same, using 9.9.9.9 and 1.1.1.1 with DNScrypt



  • Hmm, interesting link nonetheless. Does it apply to DoT and DoH?



  • @npro I might be misunderstanding your question, but fwiw [hoping this is what you mean]: though as we know Nix Chromium still has no native DoH nor DoT, via my deployment of Dnscrypt-proxy I effectively do have DoH... & it was in that mode I ran the DNS spoof tests above.



  • @Steffie I meant does it affect users (as he spoke of desktop) using DoH and DoT as well, or it is indifferent to that? (also both can be enabled system-wide, dnscrypt is extra)



  • @npro This post is not sarcastic, it's genuine. Also, I have had my first coffee for the day, so I can't now blame that. My only excuse therefore is this:
    https://www.youtube.com/watch?v=E-La91wr8xw

    ...I am sorry, but genuinely I still do not understand what you're asking me, given that my best guess previously seems to be wrong.

    I saw your earlier post arrive last night, & couldn't understand it then [other than my attempted reply]. I'd hoped that after sleep I would get it, but unfortunately still I don't... including your new follow-up question. Maybe someone else can better advise you here than I? 🤞



  • @Steffie Yeah just don't bother 🙂 . It's an "average Joe" question from me, meaning I have no clue what this is about, nor have I heard about that poisoning drama before plus I didn't ever bother diving into more advanced "DNS matters" as well, my knowledge stops at trivial stuff of what it is+DoT+DoH. These days there are so many things that need to be studied thoroughly by someone in order to understand and be protected from whatever threat, script, configuration, etc, for which I don't have the time (and more importantly the mental "capacity" 😁 ) to do so, so for selected ones I have to rely on more advanced users' approval sigil of "am I safe as I am now?" 🙂


  • Vivaldi Translator

    I asked the author of DNSCrypt if this is a possible issue because the SAD DNS test on the project site failed each of the resolvers I tested.
    Due to the way it works it has always been protected against this type of attack.
    https://github.com/DNSCrypt/dnscrypt-proxy/issues/1508

    So one more reason you should all swap to a better DNS service in your computers.
    Also a loud and clear signal that we need DANE validation in our browsers, and every day we need it more.
    I am sick of hearing people say "oh but it is only used for email servers and nobody uses it anyway"
    That is not a reason to not implement robust authentication and validation.



  • Fyi.
    https://blog.cloudflare.com/sad-dns-explained/

    As part of a coordinated disclosure effort earlier this year, the researchers contacted Cloudflare and other major DNS providers and we are happy to announce that 1.1.1.1 Public Resolver is no longer vulnerable to this attack.



  • @Steffie I was reading yesterday lots of poisonous pages at that place, but I've missed that. Exactly what I needed, thanks 🙂 👍


  • - Ambassador -

    Certain pages are more dangerous to mental health than to the PC

