Wilders Security Forums  

Wilders Security Forums > Security Products > other firewalls
#1
September 23rd, 2006, 10:57 AM
djg05
Frequent Poster
Join Date: Apr 2005
Posts: 861
DNS Tester - leaktest for Kerio 2.1.5

This is one test that fails under Kerio 2.1.5. If you disable the DNS rule then it fails so it should be possible to tighten it up. The only way I can see is to set a DNS rule for each program that is allowed access, but this seems over the top and there should be a simpler way to do it. Any suggestions please.

Another thing: how relevant is this test to being a real threat?
__________________
Regards

David

Last edited by djg05 : September 25th, 2006 at 03:07 PM. Reason: To make more specific
#2
September 23rd, 2006, 11:35 AM
Rmus
Exploit Analyst
Join Date: Mar 2005
Posts: 3,632
Re: DNS Tester - leaktest

Quote:
Originally Posted by djg05
The only way I can see is to set a DNS rule for each program that is allowed access,
I did that a year or so ago, just to try it. It doesn't take much time to configure the rules.

Quote:
but this seems over the top and there should be a simpler way to do it. Any suggestions please.
At the time, I was not aware of any other way, and haven't searched around other forums recently.

Quote:
Another thing is how relevant is this test to being a real threat?
I was not convinced it was a real threat, and when I cleaned house earlier this year, I went back to my original DNS rules.

These leak tests simulate what would happen if such malware somehow got installed and was permitted to run. I'm confident that won't happen, so I don't worry about them.

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier
#3
September 25th, 2006, 03:14 PM
djg05
Frequent Poster
Join Date: Apr 2005
Posts: 861
Re: DNS Tester - leaktest for Kerio 2.1.5

Quote:
Originally Posted by Rmus
I did that a year or so ago, just to try it. It doesn't take much time to configure the rules.

At the time, I was not aware of any other way, and haven't searched around other forums recently.

I was not convinced it was a real threat, and when I cleaned house earlier this year, I went back to my original DNS rules.

These leak tests simulate what would happen if such malware somehow got installed and was permitted to run. I'm confident that won't happen, so I don't worry about them.

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier


Thanks

It might not be a real threat but am interested if it could be made to resist this test. It seems that in Win 2k, Services.exe is the point of failure. Cannot find any way of restricting it to prevent the escape. I have set the outgoing address range to my DNS address, local ports are 1400 to 1600 and remote point 53.

This is the first allowed rule and I put a block in underneath to stop anything else being allowed.
__________________
Regards

David
#4
September 25th, 2006, 03:40 PM
djg05
Frequent Poster
Join Date: Apr 2005
Posts: 861
Re: DNS Tester - leaktest

Think I might have found the answer.

Saw here that disabling the DNS service in Windows and then setting the rules for each application will defeat it - but I could be wrong.
__________________
Regards

David
#5
September 25th, 2006, 06:59 PM
gkweb
Expert Firewall Tester
Join Date: Aug 2003
Location: FRANCE, Rouen (76)
Posts: 1,917
Re: DNS Tester - leaktest

Hello,

Disabling the DNS service will prevent the leaktest from working, that's true, but keep in mind that a real trojan exploiting this weakness will start the service back up before using it.

The best thing, if you are worried by this issue, is to install a firewall that handles the DNS call and prompts for it, even when the DNS service is enabled.
Lastly, I've tried Outpost V4.0 RC4 (still not final) and it handles it well, for instance.
You could also monitor service starts with a HIPS, and block it when it's the DNS client.

Regards,
gkweb.
__________________
Network Filter Blog : http://networkfilter.blogspot.fr
#6
September 25th, 2006, 07:01 PM
Tommy
Very Frequent Poster
Join Date: Dec 2002
Location: Buenos Aires - Munic
Posts: 1,169
Re: DNS Tester - leaktest

Link for this test please. I want to check Jetico v2 against it.
__________________
Ciao
Tommy
Member of ASAP

System: Windows XP SP2 | Vaio Laptop
Security Setup: Avira Premium | Jetico 2
#7
September 25th, 2006, 07:05 PM
gkweb
Expert Firewall Tester
Join Date: Aug 2003
Location: FRANCE, Rouen (76)
Posts: 1,917
Re: DNS Tester - leaktest

Here you go:
http://www.firewallleaktester.com/leaktest14.htm
__________________
Network Filter Blog : http://networkfilter.blogspot.fr
#8
September 25th, 2006, 07:09 PM
Stem
Firewall Expert
Join Date: Oct 2005
Location: UK
Posts: 4,948
Re: DNS Tester - leaktest

Quote:
Originally Posted by gkweb
Lastly I've tried Outpost V4.0 RC4 (still not final) and it handles it well,
Yes, good interception on OP's part (and a clear/understandable warning).
#9
September 25th, 2006, 11:29 PM
cprtech
Frequent Poster
Join Date: Feb 2006
Location: Canada
Posts: 335
Re: DNS Tester - leaktest

Quote:
Originally Posted by gkweb
The best if you are worried by this issue, is to install a firewall handling the DNS call and prompting for it, even when the DNS service is enabled.

For additional restrictiveness, it must also make sense to ensure the DNS IP(s) are correct as well, which could be the router's LAN IP or the ISP's DNS IPs?
#10
September 26th, 2006, 04:24 AM
djg05
Frequent Poster
Join Date: Apr 2005
Posts: 861
Re: DNS Tester - leaktest

Quote:
Originally Posted by gkweb
Hello,

Disabling the DNS service will prevent the leaktest from working, that's true, but keep in mind that a real trojan exploiting this weakness will start the service back, before using it.

Regards,
gkweb.

Yes, but I use a layered approach and hopefully either PG or BOClean will stop it.
__________________
Regards

David
#11
September 26th, 2006, 08:44 AM
Stem
Firewall Expert
Join Date: Oct 2005
Location: UK
Posts: 4,948
Re: DNS Tester - leaktest

Quote:
Originally Posted by djg05
Yes, but I use a layered approach and hopefully either PG or BOClean will stop it.
I have always disabled the DNS client, and have the services monitored, but I always place a rule (with alert) to block services (W2K) / svchost (XP) from making DNS lookups.
#12
September 26th, 2006, 08:48 AM
gkweb
Expert Firewall Tester
Join Date: Aug 2003
Location: FRANCE, Rouen (76)
Posts: 1,917
Re: DNS Tester - leaktest

@cprtech
It's indeed a good practice to restrict DNS communications to your ISP DNS servers' IPs. Unfortunately, crafted DNS requests can be made to send information to the attacker's DNS server. The way DNS works, the packet will be sent first to your ISP DNS server, which then will forward it to the attacker's server. IP restriction doesn't help in this case, but it is a good general practice to follow anyway.

@djg05
That's what I suggested when I said:
Quote:
You could also monitor service starts with a HIPS, and block it when it's the DNS client.

When using a layered approach, you can prevent such a DNS exploit by preventing the service from starting, provided your HIPS can do this.

Regards,
gkweb.
__________________
Network Filter Blog : http://networkfilter.blogspot.fr
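gkweb's point above is that pinning DNS to the ISP resolver's IP does not stop data carried inside the query names from reaching an attacker-controlled authoritative server, because the ISP resolver forwards it there. That leaves the query content itself as the thing a defender can watch. The following is an added example, not code from any poster or from any firewall product: a small Python analyser over constructed DNS query log lines that profiles each registered domain by how many distinct subdomains were asked for and how long and how random-looking their labels are, and flags domains that look like a covert channel rather than normal browsing. The log layout (`time client qname qtype`), the thresholds, and the "last two labels" definition of a registered domain are all assumptions for the example.

```python
import math
from collections import defaultdict

# Constructed sample of a DNS query log (not from the thread). The
# "<time> <client> <qname> <qtype>" layout is an assumption for this example,
# not any product's real log format. The .test domain is a reserved name.
SAMPLE_LOG = """\
10:57:01 192.168.1.10 www.wilderssecurity.com A
10:57:02 192.168.1.10 update.microsoft.com A
10:57:03 192.168.1.10 9f3a1c77e0b24d58a6c1f2e39b07d4a5.suspect-example.test A
10:57:03 192.168.1.10 0c4e8b21d97f35a6e4b2c1d8f0a7e639.suspect-example.test A
10:57:04 192.168.1.10 b7d2e5f19a03c4e8d6f1a2b3c4d5e6f7.suspect-example.test A
10:57:05 192.168.1.10 mail.wilderssecurity.com MX
10:57:06 192.168.1.10 e1a9c3b5d7f02468ace13579bdf02468.suspect-example.test TXT
"""


def parse_log(text):
    """Return (client, qname, qtype) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _time, client, qname, qtype = parts
        records.append((client, qname.rstrip(".").lower(), qtype.upper()))
    return records


def shannon_entropy(s):
    """Bits per character of s; 0.0 for the empty string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels. Simplification: ignores public suffixes such as co.uk."""
    return ".".join(qname.split(".")[-2:])


def profile(records):
    """Per registered domain: distinct subdomains, longest label, mean entropy."""
    subs = defaultdict(set)
    for _client, qname, _qtype in records:
        labels = qname.split(".")
        subs[registered_domain(qname)].add(".".join(labels[:-2]))
    result = {}
    for domain, names in subs.items():
        names = {n for n in names if n}          # drop the bare apex
        labels = [lab for n in names for lab in n.split(".")]
        mean_entropy = (sum(shannon_entropy(n) for n in names) / len(names)) if names else 0.0
        result[domain] = {
            "unique_subdomains": len(names),
            "max_label_len": max((len(lab) for lab in labels), default=0),
            "mean_entropy": mean_entropy,
        }
    return result


def suspicious_domains(records, min_unique=3, max_label=24, min_entropy=3.5):
    """Domains with many distinct subdomains whose labels look machine-generated.

    Thresholds are illustrative assumptions; tune them against your own baseline.
    """
    flagged = set()
    for domain, p in profile(records).items():
        if p["unique_subdomains"] >= min_unique and (
            p["max_label_len"] >= max_label or p["mean_entropy"] >= min_entropy
        ):
            flagged.add(domain)
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for domain, p in sorted(profile(recs).items()):
        print(domain, p)
    print("suspicious:", sorted(suspicious_domains(recs)))
```

The two ordinary domains in the sample have a couple of short, dictionary-like subdomains each and are left alone; the reserved test domain receives many long, hex-like, never-repeated labels and is flagged. Run against a real resolver or firewall log, the same profile is what makes a "one query per second to a domain nobody visits" pattern stand out even when every packet went to the permitted ISP resolver.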
#13
September 26th, 2006, 08:58 AM
Climenole
Look 'n' Stop Expert
Join Date: Jun 2005
Posts: 1,640
Re: DNS Tester - leaktest

Hi

Just one remark.

The DNS requests are done by the applications not svchost.

[And, talking about this, the DNS client service in W xp is totally useless ...]

An example of DNS requests by an application is the DNS leaks with Tor (The Onion Router) and Firefox. Even with a rule allowing only Tor to access DNS over UDP on remote port 53, the application makes its own DNS requests. I found no parameters in the application to stop this. (Some early versions of Firefox have an option in about:config to avoid this, but now the parameter has no effect ...)

The only way I found to stop DNS leaks was to block UDP port 53 for each application I'm using with Tor (Firefox, Thunderbird, Chatzilla+Xulrunner, 40tude Dialog and so on).

Hope this helps.
__________________
Claude LaFrenière
#14
September 26th, 2006, 09:19 AM
gkweb
Expert Firewall Tester
Join Date: Aug 2003
Location: FRANCE, Rouen (76)
Posts: 1,917
Re: DNS Tester - leaktest

When the Windows "DNS Client" service is enabled, all the DNS requests are made by svchost.exe (WinXP). When it is disabled, every app does it by itself indeed.

Even when the DNS service is enabled, it may be possible for an app to bypass it and do the DNS request itself (I don't know), but then, lucky for you, any firewall will prompt you for this; it's not the issue.
The issue is when an application with no network access at all can send data without being seen by your firewall, which only notices svchost.

Firefox is not a leaktest nor a trojan, fortunately.

Regards,
gkweb.
__________________
Network Filter Blog : http://networkfilter.blogspot.fr
#15
September 26th, 2006, 10:42 AM
djg05
Frequent Poster
Join Date: Apr 2005
Posts: 861
Re: DNS Tester - leaktest

Quote:
Originally Posted by Stem
but I always place a rule (with alert) to block services (W2K) / svchost (XP) from making DNS lookups.

Thanks for that Stem - I did not know about that, so it is now done.

Is there any chance of setting up a sticky for suggested blocking rules or services stopped from a security point of view? I am sure there are many I and others are unaware of.
__________________
Regards

David
#16
September 26th, 2006, 10:59 AM
Stem
Firewall Expert
Join Date: Oct 2005
Location: UK
Posts: 4,948
Re: DNS Tester - leaktest

Quote:
Originally Posted by djg05
Is there any chance of setting up a sticky for suggested blocking rules or services stopped from a security point of view? I am sure there are many I and others are unaware of.
There are sites that give this info, but I could make a post to show you the services I disable / blocking rules I put in place in my own setup, if you think this would help you. (You would want a W2K setup, yes?)
#17
September 26th, 2006, 11:31 AM
cprtech
Frequent Poster
Join Date: Feb 2006
Location: Canada
Posts: 335
Re: DNS Tester - leaktest

Quote:
Originally Posted by gkweb
@cprtech
It's indeed a good practice to restrict DNS communications to your ISP DNS servers' IPs. Unfortunately, crafted DNS requests can be made to send information to the attacker's DNS server. The way DNS works, the packet will be sent first to your ISP DNS server, which then will forward it to the attacker's server. IP restriction doesn't help in this case, but it is a good general practice to follow anyway.

Thank you gkweb. Geez, that malware is sneaky.
#18
September 26th, 2006, 01:08 PM
djg05
Frequent Poster
Join Date: Apr 2005
Posts: 861
Re: DNS Tester - leaktest

Quote:
Originally Posted by Stem
There are sites that give this info, but I could make a post to show you the services I disable / blocking rules I put in place in my own setup, if you think this would help you. (You would want a W2K setup, yes?)

That would be handy Stem, and yes for 2k, but I assume others would like to see some for XP as well.
__________________
Regards

David
#19
September 26th, 2006, 03:48 PM
gkweb
Expert Firewall Tester
Join Date: Aug 2003
Location: FRANCE, Rouen (76)
Posts: 1,917
Re: DNS Tester - leaktest

An example of Stem's advice with Outpost v4.
Select SVCHOST (for WinXP, services.exe for Win2K) and add this rule:

http://perso.orange.fr/jugesoftware/forum/op2.gif

With the DNS service disabled, the rule is never triggered (each application individually makes the DNS request).
As soon as I enable it, if I run Firefox, the following popup appears:

http://perso.orange.fr/jugesoftware/forum/op1.gif

A good way of being alerted if the service gets activated behind your back.

@djg05
It's not exactly what you are looking for, but you may find this link useful:
http://www.firewallleaktester.com/advices.htm

Regards,
gkweb.
__________________
Network Filter Blog : http://networkfilter.blogspot.fr
#20
September 26th, 2006, 04:06 PM
cprtech
Frequent Poster
Join Date: Feb 2006
Location: Canada
Posts: 335
Re: DNS Tester - leaktest

Quote:
Originally Posted by gkweb
An example of Stem's advice with Outpost v4.
Select SVCHOST (for WinXP, services.exe for Win2K) and add this rule:

http://perso.orange.fr/jugesoftware/forum/op2.gif

With the DNS service disabled, the rule is never triggered (each application individually makes the DNS request).
As soon as I enable it, if I run Firefox, the following popup appears:

A good way of being alerted if the service gets activated behind your back.

Hi gkweb,

Isn't it better to set the action to "Ask", since blocking svchost prevents access to the MS Updates site? At least this is the case for me, unless there is a way around eliminating the requirement for svchost connecting to port 53 when using MS Updates.
#21
September 26th, 2006, 05:47 PM
djg05
Frequent Poster
Join Date: Apr 2005
Posts: 861
Re: DNS Tester - leaktest

Quote:
Originally Posted by gkweb
An example of Stem's advice with Outpost v4.
Select SVCHOST (for WinXP, services.exe for Win2K) and add this rule:

With the DNS service disabled, the rule is never triggered (each application individually makes the DNS request).
As soon as I enable it, if I run Firefox, the following popup appears:

A good way of being alerted if the service gets activated behind your back.

@djg05
It's not exactly what you are looking for, but you may find this link useful:
http://www.firewallleaktester.com/advices.htm

Regards,
gkweb.

Thanks for the link.

Re the rule: perhaps you should also check it is near the top, or that there is nothing above it that traffic can slip out through, assuming it is a top-down f/w.
__________________
Regards

David
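Several posts in this thread describe the same rule-based setup from different angles: djg05's per-application DNS rule (remote IP = the configured DNS server, local ports 1400 to 1600, remote port 53, with a block underneath), Stem's and gkweb's block-with-alert on the process that hosts the DNS Client service, and djg05's reminder just above that in a top-down firewall a broad rule placed higher up can let traffic through before the block is ever consulted. The following is an added example written for this thread, not code from any poster or an export from Kerio or Outpost: a small Python model of first-match rule evaluation that shows a misordered rule set silently allowing the svchost query, the corrected ordering blocking it, the per-application allow refusing a query aimed at any server other than the configured resolver, and a simple shadowing audit that finds the ordering mistake. The process names, the rule fields, and the DNS server address (192.0.2.53, a documentation-range placeholder) are assumptions.

```python
# Constructed model of first-match (top-down) outbound rule evaluation, as used
# by Kerio 2.x-style firewalls: the first rule whose conditions match decides.
# Rule sets below are illustrative, not exported from any product.

DNS_SERVER = "192.0.2.53"   # placeholder for the ISP or router DNS address


def rule(action, app="*", proto="*", remote_ip="*", remote_port="*",
         local_ports=(1, 65535), note=""):
    """One firewall rule; "*" means any value, local_ports is an inclusive range."""
    return {"action": action, "app": app, "proto": proto, "remote_ip": remote_ip,
            "remote_port": remote_port, "local_ports": local_ports, "note": note}


def conn(app, remote_ip=DNS_SERVER, remote_port=53, proto="udp", local_port=1500):
    """An outbound connection attempt as the firewall would see it."""
    return {"app": app, "proto": proto, "remote_ip": remote_ip,
            "remote_port": remote_port, "local_port": local_port}


def matches(r, c):
    """Every field of rule r must be a wildcard or equal to the connection's field."""
    lo, hi = r["local_ports"]
    return ((r["app"] == "*" or r["app"].lower() == c["app"].lower())
            and (r["proto"] == "*" or r["proto"] == c["proto"])
            and (r["remote_ip"] == "*" or r["remote_ip"] == c["remote_ip"])
            and (r["remote_port"] == "*" or r["remote_port"] == c["remote_port"])
            and lo <= c["local_port"] <= hi)


def first_match(rules, c):
    """Return (action, rule index) of the first matching rule; block if none matches."""
    for idx, r in enumerate(rules):
        if matches(r, c):
            return r["action"], idx
    return "block", None


def shadowed_blocks(rules):
    """(allow_idx, block_idx) pairs where an earlier allow is at least as broad as a
    later block in every field, so that block can never fire."""
    out = []
    for i, blk in enumerate(rules):
        if blk["action"] != "block":
            continue
        for j in range(i):
            al = rules[j]
            if al["action"] != "allow":
                continue
            broader = (all(al[f] in ("*", blk[f])
                           for f in ("app", "proto", "remote_ip", "remote_port"))
                       and al["local_ports"][0] <= blk["local_ports"][0]
                       and al["local_ports"][1] >= blk["local_ports"][1])
            if broader:
                out.append((j, i))
    return out


# The ordering djg05 warns about: a global DNS allow sits above the svchost block.
MISORDERED = [
    rule("allow", proto="udp", remote_port=53, note="global DNS allow"),
    rule("block", app="svchost.exe", proto="udp", remote_port=53, note="block svchost DNS"),
]

# Corrected set: block the DNS Client host process first (Stem's rule, with alert),
# then per-application allows pinned to the configured resolver with djg05's local
# port range, and an explicit catch-all DNS block underneath.
CORRECTED = [
    rule("block", app="svchost.exe", proto="udp", remote_port=53, note="block svchost DNS (alert) - WinXP"),
    rule("block", app="services.exe", proto="udp", remote_port=53, note="block services.exe DNS (alert) - Win2K"),
    rule("allow", app="firefox.exe", proto="udp", remote_ip=DNS_SERVER, remote_port=53, local_ports=(1400, 1600)),
    rule("allow", app="thunderbird.exe", proto="udp", remote_ip=DNS_SERVER, remote_port=53, local_ports=(1400, 1600)),
    rule("block", proto="udp", remote_port=53, note="catch-all: no other DNS"),
]


if __name__ == "__main__":
    for name, rules in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(name, "svchost DNS ->", first_match(rules, conn("svchost.exe")),
              "shadowed blocks:", shadowed_blocks(rules))
    print("firefox to resolver ->", first_match(CORRECTED, conn("firefox.exe")))
    print("firefox to other IP ->", first_match(CORRECTED, conn("firefox.exe", remote_ip="198.51.100.9")))
```

The model also reproduces cprtech's usability point: with the corrected set, a query from svchost.exe is blocked outright rather than prompted, so an "Ask" action (which this model does not distinguish from allow) or temporarily unchecking the rule is what makes Windows Update work again, exactly the trade-off discussed in the next post.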
#22
September 26th, 2006, 07:58 PM
gkweb
Expert Firewall Tester
Join Date: Aug 2003
Location: FRANCE, Rouen (76)
Posts: 1,917
Re: DNS Tester - leaktest

About the Outpost rule example for svchost: indeed, blocking it will also block MS updates. A tradeoff between security and usability would be to uncheck the rule only when enabling automatic update for 1 min (time to check if there are available updates).

The other possibility is to uncheck the system global rules allowing DNS for every app, and not add a DNS rule for svchost. Thus, as soon as svchost needs a DNS request, your firewall will display a popup (which you can choose to accept only if you do Windows updates).

Finally, the most secure, but also the least usable and user-friendly, option is to remove the global DNS rules (as said above), to block svchost from doing DNS requests, and to manually update Windows with Internet Explorer and the Windows Update website. Updating Windows this way does not require DNS access for svchost (or services.exe under Win2K). Of course, do not forget to disable the "DNS client" service before doing this, or you will be unable to browse anything, as svchost will try to do all DNS requests, which will be blocked.
You can even remove the HTTP and HTTPS rules if you choose this solution; you then will have to accept "once" every time you manually update your Windows. Just keep the DHCP rule if you need it.

Regards,
gkweb.
__________________
Network Filter Blog : http://networkfilter.blogspot.fr

Last edited by gkweb : September 26th, 2006 at 08:08 PM.