DNS Server check message

Discussion in 'other firewalls' started by Stijnson, Jul 29, 2008.

Thread Status:
Not open for further replies.
  1. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Can anyone advise me in what I can do when I receive these messages whilst checking DNS server vulnerabilities:

    This one:

    Your name server, at 194.109.xxx.xxxxx, appears to be safe, but
    make sure the ports listed below aren't following an obvious
    pattern (:1001, :1002, :1003, or :30000, :30020,
    :30100...). Requests seen for a3d7e4e1a9fc.toorrr.com:
    194.109.21.251:57926 TXID=20325
    194.109.21.251:61320 TXID=48354
    194.109.21.251:52602 TXID=45692
    194.109.21.251:55552 TXID=34849
    194.109.21.147:4177 TXID=59681

    Or this one?:

    Your name server at 194.x.x.x, may be safe, but the
    NAT/Firewall in front of it appears to be interfering with
    its port selection policy. The difference between largest
    port and smallest port was only 24.

    Checking can be done here: http://www.doxpara.com and here: https://www.dns-oarc.net/oarc/services/dnsentropy
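The two checker messages quoted above boil down to two tests on the source ports the checker observed: is the spread between the largest and smallest port wide, and do the ports follow an obvious pattern. The script below is an added example (not the doxpara or DNS-OARC checker's own code) that parses the "Requests seen for ..." lines in the format shown in the first message and applies both tests. The first sample is the five lines quoted in the post; the second is constructed to reproduce the "difference was only 24" case from the second message. The 1024-port cut-off and the 128-step "obvious pattern" threshold are assumptions of this example, not the checker's own values.

```python
import math
import re
from dataclasses import dataclass

# Sample 1: the five lines quoted in the first post (checker output, address:port TXID=n).
SAFE_OUTPUT = """\
194.109.21.251:57926 TXID=20325
194.109.21.251:61320 TXID=48354
194.109.21.251:52602 TXID=45692
194.109.21.251:55552 TXID=34849
194.109.21.147:4177 TXID=59681
"""

# Sample 2 (constructed): a resolver behind a port-rewriting NAT. The largest and
# smallest port differ by only 24, as in the second quoted message.
NAT_OUTPUT = """\
203.0.113.10:30011 TXID=20325
203.0.113.10:30000 TXID=48354
203.0.113.10:30024 TXID=45692
203.0.113.10:30007 TXID=34849
203.0.113.10:30017 TXID=59681
"""

LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})\s+TXID=(?P<txid>\d{1,5})\s*$"
)


@dataclass(frozen=True)
class Query:
    source: str
    port: int
    txid: int


def parse_requests(text):
    """Parse checker lines into Query records; skip blank lines, reject anything else."""
    queries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised checker line: {line!r}")
        queries.append(Query(m["ip"], int(m["port"]), int(m["txid"])))
    if len(queries) < 2:
        raise ValueError("need at least two queries to judge randomisation")
    return queries


def spread(values):
    return max(values) - min(values)


def looks_sequential(values, max_step=128):
    """Obvious-pattern check: every step between consecutive samples is small and has
    the same sign (e.g. :1001, :1002, :1003 or :30000, :30020, :30100).
    max_step is an assumed threshold for this example."""
    steps = [b - a for a, b in zip(values, values[1:])]
    return all(0 < s <= max_step for s in steps) or all(-max_step <= s < 0 for s in steps)


def guess_space_bits(port_spread, txid_spread):
    """Rough size, in bits, of the (port, TXID) space an off-path attacker must cover.
    The observed spreads stand in for the ranges actually in use, so this is pessimistic."""
    return math.log2((port_spread + 1) * (txid_spread + 1))


def assess(text, min_port_spread=1024):
    """Classify checker output the way the two quoted messages do.
    min_port_spread is an assumed cut-off for 'NAT/firewall interfering'."""
    queries = parse_requests(text)
    ports = [q.port for q in queries]
    txids = [q.txid for q in queries]
    result = {
        "sources": sorted({q.source for q in queries}),
        "port_spread": spread(ports),
        "txid_spread": spread(txids),
        "ports_sequential": looks_sequential(ports),
        "guess_space_bits": round(guess_space_bits(spread(ports), spread(txids)), 1),
    }
    if result["ports_sequential"]:
        result["verdict"] = "obvious_pattern"
    elif result["port_spread"] < min_port_spread:
        result["verdict"] = "nat_interference"
    else:
        result["verdict"] = "randomised"
    return result


if __name__ == "__main__":
    for name, sample in (("first message", SAFE_OUTPUT), ("second message", NAT_OUTPUT)):
        print(name, assess(sample))
```

Paste the "Requests seen" block the checker gives you into `SAFE_OUTPUT` and read the verdict; a low `guess_space_bits` value with a wide TXID spread is the signature of a NAT or firewall rewriting the resolver's ports, which is what the second message describes.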
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,280
    Hello,

    Checking and patching the DNS vulnerability is not your problem. It's your ISP's problem. On the same note, why don't you audit your ISP's web, mail, FTP servers - or any other site for that matter?

    Let's say you get some sort of answer - a bad one, for that matter, assuming you can correctly interpret the results. What are you going to do?

    Mrk
     
  3. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Hi Mrk. I agree with you that it is primarily my ISP's responsibility.
    But what if they are slow (or just don't care)?

    I can switch ISPs of course, but that takes some time.
    There must be something a customer can do to make sure he doesn't become a 'victim' of DNS exploits.
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,280
    Hello,
    And what if the root servers get exploited? What then?
    There's no effective way for someone to avoid being affected by something happening on the web - by participating in the web.
    Mrk
     
  5. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,252
    Location:
    Sydney, Australia
  6. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Thanks Longboard.
    Makes a nice read -:)

    Some useful suggestions there, too.
    I also think that this may become a very big issue (if it isn't already). Let's hope all (or at least most) ISPs will fix this asap.
     
  7. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,119
    Location:
    Hawaii
    The following are not perfect solutions but (in the words of Charlie Brown) they are "pretty perfect"...

    1- Set up your computer to use OpenDNS for your Domain Name Servers. The OpenDNS site clearly explains how to do this.

    2- When doing financial business (banking etc): (a) be sure you see the Lock symbol in the bottom right hand corner of your browser, thereby indicating you are in SSL, AND (b) use your browser to view the site's certificate.

    3- It isn't quite on-topic, but I heartily recommend (a) use of Sandboxie, configured so that your browser is the ONLY app authorized to connect to the internet, AND (b) use of Firefox with the NoScript add-on

    P.S. I have heard that some folks will exit their browser and restart their browser just before doing financial business. I do not know if this is a good idea, or is merely akin to throwing salt over one's left shoulder. Hopefully someone will comment.
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,280
    Hello,

    As to OpenDNS or any other non-ISP solution, I know who my ISP is and what they do - and if needed, I can sue them. Not so with a 3rd party voluntary DNS service who knows where.

    Even so, OpenDNS - and any DNS service - relies on the root servers. And if these get compromised, the entire web does.

    So, trusting OpenDNS over your ISP is just a fancy. They both have an equal chance of being vulnerable. And again, your ISP is right next door, you can sue them, you pay them, they are contractually obliged to you as a customer.

    Mrk
     
  9. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,119
    Location:
    Hawaii
    The max instances of problems (at least for now) are with cache moreso than root.

    In any event, OpenDNS passes whereas (at this moment) Time-Warner, ATT, & many other ISPs do not. If the process is A => B==> user, & A is ??, whereas B1 is good whereas B2 is ??, I think it makes sense to use B1. Why add another set of question marks into the pipeline? OpenDNS passes some meaningful tests. OP's ISP does NOT pass those tests.

    As of now, I do not know of anyone who has come up with a perfect method of protection against DNS poisoning. Even so, we should take those precautionary steps that we CAN take, instead of just bending over & grabbing our ankles.

    Hopefully, the goal here is NOT to focus on what cannot be done, & the futility of even trying. Instead, I believe & hope our goal is to discuss what CAN be done, and to help each other learn more & better ways from that starting point.
     
  10. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    If you do this, be sure to disable all their fancy mis-features which essentially break things badly.

    - Their "typo correction" stuff does a wildcard matching for non-existent domains, which is a horrible idea (breaks spam filtering and anything else that expects NXDOMAIN as a DNS response when querying for unregistered domains). :mad: Additionally it will move you to their advertising-flooded search page if you type an address that can't be resolved in your browser.

    - Their shortcuts and opendns proxy feature hijacks Google - allegedly a wonderful "solution" to certain manufacturers doing the same. Ugh. o_O :gack: :thumbd:

    With all those features disabled, it is a temporary workaround until your ISP fixes their DNS server. Otherwise, I can't recommend using OpenDNS as a permanent replacement for the reasons above.
     
  11. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    The problem is only caused by a targeted attack. Pointing your computer to the OpenDNS servers (which have a good security policy and are not vulnerable to this problem) is a solution.

    If the root servers are targeted, we are all screwed anyway but that is a different issue.
     
  12. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    I have been doing some reading and it appears that this message is caused by my router. Apparently it has poor port randomisation (Speedtouch 780, Alcatel/Thomson). It seems it reduces the effect of applied patches.

    Does anyone have suggestions how to fix this one?
    Speedtouch/Alcatel/Thomson isn't known for its 'patching' qualities I'm afraid.
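The situation in the post above (a patched resolver whose random source ports are rewritten by the NAT in front of it) is easy to model. The following is an added example, not code from the thread or from any router vendor: it generates the random ports a patched resolver would use, passes them through two NAT models, and shows which one collapses the spread the checker measures. The sequential-counter NAT is a modelling assumption about a simple port-allocation policy, not a statement about any specific Speedtouch firmware, and the 1024-port cut-off is assumed.

```python
import random

PORT_LOW, PORT_HIGH = 1024, 65535


def random_ports(n, seed=None):
    """Source ports a patched resolver picks: one fresh random port per query."""
    rng = random.Random(seed)
    return [rng.randint(PORT_LOW, PORT_HIGH) for _ in range(n)]


class PortPreservingNat:
    """NAT that keeps the inside source port, so the resolver's randomisation survives."""

    def translate(self, inside_port):
        return inside_port


class SequentialNat:
    """NAT that ignores the inside port and allocates outside ports from a counter
    (assumed behaviour of a router with a simple allocation policy)."""

    def __init__(self, base=30000):
        self.next_port = base

    def translate(self, inside_port):
        port = self.next_port
        self.next_port += 1
        return port


def outside_ports(inside_ports, nat):
    """Ports the authoritative server, and therefore the checker, actually sees."""
    return [nat.translate(p) for p in inside_ports]


def port_spread(ports):
    return max(ports) - min(ports)


def nat_interferes(inside_ports, nat, min_spread=1024):
    """True when a wide spread on the inside becomes a narrow spread on the outside:
    the patch is applied but the NAT has undone it for everyone on the internet."""
    inside = port_spread(inside_ports)
    outside = port_spread(outside_ports(inside_ports, nat))
    return inside >= min_spread and outside < min_spread


if __name__ == "__main__":
    inside = random_ports(5, seed=2008)
    print("resolver chose", inside, "spread", port_spread(inside))
    for nat in (PortPreservingNat(), SequentialNat()):
        seen = outside_ports(inside, nat)
        print(type(nat).__name__, "->", seen, "spread", port_spread(seen),
              "interferes:", nat_interferes(inside, nat))
```

Running it shows the resolver choosing ports across the whole 1024-65535 range while the sequential NAT presents five adjacent ports to the outside world, which is exactly the "difference between largest port and smallest port was only 24" message from the first post, regardless of how well the resolver itself was patched.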
     