Good reason to uses HOSTS file?

Discussion in 'other security issues & news' started by bellgamin, Jul 25, 2008.

Thread Status:
Not open for further replies.
  1. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    According to THIS article and others like it, DNS poisoning (a.k.a. pharming) is becoming rather more of a threat nowadays.

    For example, I might want to do some online banking, so I browse to (hypothetical url] mybank.com. Unbeknownst to me, the DNS that provides the IP for mybank.com is poisoned, so it sends me to a web page that looks like mybank's but instead is a black hat's site. Thus, when I enter my private information, I am giving it to a black hat -- NOT my bank.

    As to preventing such a nasty event, one method I have read about was to use my HOSTS file. That is, I add a HOSTS file entry for mybank.com that links mybank to their true IP. That way, when I seek to access mybank.com, HOSTS will do the dns job, and there will be no possibility of DNS poisoning.

    I know of just one possible disadvantage -- namely, IPs sometimes get changed. Other than that, use of HOSTS seems like it might be a good way to avoid DNS poisoning for key/private transactions.

    I request comments as to...

    1- Your views on the "HOSTS solution to DNS poisoning"
    AND/OR
    2- Other equally good (or better) solutions.
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Since the current vulnerability is widespread, it's probably best to address the DNS issue itself
    and insure that your ISP's DNS Servers have been patched.

    You can check here:

    https://www.dns-oarc.net/oarc/services/dnsentropy

    Until they are patched, an alternative solution is to use the OpenDNS servers.

    References

    DNS bug - observations
    http://isc.sans.org/diary.html?storyid=4780

    World's biggest ISPs drag feet on critical DNS patch
    http://www.theregister.co.uk/2008/07/25/isps_slow_to_patch/

    OpenDNS
    http://www.opendns.com/how/dns/turning-names-into-numbers
     
    Last edited: Jul 25, 2008
  3. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    I'm in a similar boat. :) I keep thinking that the best overall answer is getting behind a good set of DNS servers that's patched against the exploit that MS recently patched. Many websites use virtual hosting which translates to one IP address hosting several sites. IMO, a HOSTS file won't handle that very well (if at all.)

    Also, it seems that most security certificates are based on domain names, not IP addresses. So, if you go to a site based on it's IP address (in order to avoid the DNS problem), your PC can't make the proper handshake for security. Which to me seems very counterproductive...
     
  4. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,917
    Location:
    U.S.A.
    Rmus, you referenced sans.org and a couple of white papers The Achilles Heal of DNS and Security Issues with DNS offer a good background on a problem that was talked about 5 years ago, referencing data from as far back as 1995!

    I ran the test on my ISP's DNS Resolver and it appears to have POOR source port randomness [only one unique port] and GREAT transaction ID randomness [Range: 149 - 63668]. I'm glad you gave us that link because I'm going to address that issue with my ISP. Thank you for that and for OpenDNS!
     
  5. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I agree that alternative DNS servers would provide the greater protection. HOST files change far too often and are still subject to attack themselves. One thing I would advise if you are so inclined, is to set up the optional free account that comes with OpenDNS so that you have access to the Dashboard. This allows you to set blocks for certain types of attacks and types of websites like known phishing sites and malware-infested ones, among other types. Just a suggestion though, I myself just pointed my system to their servers without making an account since I don't want any blocked websites and have protection (web-scanning AV and such) against malware/phishing.
     
  6. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    @Rmus- Grrrreat links! I've used OpenDNS for quite a long while. It tests "Great" with the link you provided.

    @All- Thanks to all. I am learning a lot from this thread.
     
  7. Infinite Luta

    Infinite Luta Registered Member

    Joined:
    Mar 26, 2008
    Posts:
    19
    Location:
    Illinois, USA
    Not quite. What you mentioned is true when entering a site's IP address directly in to the web browser, but not when using a HOSTS file entry.

    The only main difference is where the domain name's IP address is resolved from. If there's a HOSTS entry for the domain, the IP is resolved locally from the hosts file rather than remotely via DNS servers (which may potentially be poisoned). Other than that, everything will be operational as long as the HOSTS entry is correct.
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    Actually, you cannot use name-based virtualhosts for security, because the authentication takes places before name translation ... so in this case ip would work - and I won't repeat my mantra about hosts file.
    Mrk
     
  9. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    I want to make sure I understand this correctly... :) A security certificate cannot be assigned to a virtual hosted site? It's required for the certifcate to be tied to a specific IP address?
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    Yes it can, but IP based.
    IP's can be virtual though :) virtual devices like eth0:0 eth0:1 etc, a neat trick.
    Mrk
     
  11. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    eth0:0 eth0:1 etc?? Aren't those unique to linux?
     
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    Don't know about Windows, but if you run a web server and you want virtual network adapters, the chances are you'll run Apache on a *nix platform.
    Mrk
     
  13. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    "I see," said the blind man. :blink: 10Q Mrk-san
     
  14. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Acknowledged, bellgamin-hoahanau :)
    Mrk
     
  15. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Another good site for checking whether your DNS server is secure is located in the top of the right-side column at the website of Dan Kaminsky, one of the discoverers of the DNS poisoning flaw. Dan's blog at that same link gives a LOT of good background info & suggestions.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Here is a comparison between using a shortcut to (e.g.) mybank.com versus using HOSTS (which I quote from another forum)...

    To check a site's certificate when using Firefox browser>>> Right-click on a blank section of the web page then click "Page Info" -- that will give security info about the page you are viewing. See screenies below.
     

    Attached Files:

  16. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Can anyone advise me in what I can do when I receive these messages whilst checking DNS server vulnerabilities:

    This one:

    Your name server, at 194.109.xxx.xxxxx, appears to be safe, but
    make sure the ports listed below aren't following an obvious
    pattern :)1001, :1002, :1003, or :30000, :30020,
    :30100...).Requests seen for a3d7e4e1a9fc.toorrr.com:
    194.109.21.251:57926 TXID=20325
    194.109.21.251:61320 TXID=48354
    194.109.21.251:52602 TXID=45692
    194.109.21.251:55552 TXID=34849
    194.109.21.147:4177 TXID=59681

    Or this one?:

    Your name server at 194.x.x.x, may be safe, but the
    NAT/Firewall in front of it appears to be interfering with
    its port selection policy. The difference between largest
    port and smallest port was only 24.
     
  17. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    I recommend that you start a new topic under the Other Firewalls category, and ask your questions there. That topical category is most often visited by folks with the know-how to answer your questions.

    For clarity, I suggest you include the link to the site with the DNS checker.
     
  18. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Thanks Bellgamin. I started a new topic in the Other Firewalls category.
     
  19. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,917
    Location:
    U.S.A.
    Well, let it be known, that my ISP, Time Warner, couldn't care less about DNS poisoning. They haven't replied to my emails for 5 days. So reach up and pull those seatbelts tight because August 7th is just around the corner!
     
  20. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    What's so special about august 7th?
    Mrk
     
  21. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,917
    Location:
    U.S.A.
  22. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,917
    Location:
    U.S.A.
    Last edited: Jul 30, 2008
  23. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
  24. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,917
    Location:
    U.S.A.
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Someone spoiled his moments of fame.

    See LoneWolf's thread, Hackers start DNS attacks:
    https://www.wilderssecurity.com/showthread.php?t=216498

    Other threads:

    With DNS Flaw Now Public, Attack Code Imminent
    http://www.dslreports.com/forum/r20833863-With-DNS-Flaw-Now-Public-Attack-Code-Imminent

    Exploit Code for Kaminsky DNS Bug Goes Wild
    http://www.dslreports.com/forum/r20843454-Exploit-Code-for-Kaminsky-DNS-Bug-Goes-Wild

    DNS Disaster First Attacks Reported
    http://www.dslreports.com/forum/r20872206-DNS-Disaster-First-Attacks-Reported


    ---
     
Loading...
Thread Status:
Not open for further replies.