Securing DNS on OSX

It’s been a few weeks since [Dan Kaminsky] announced the nature of the DNS vulnerability and allowed 30 days of non-disclosure for patches to be applied before details of the exploit went public. Unfortunately, the details were leaked early and it didn’t take long for a functional exploit to be released into the wild. Since then, many ISPs have taken steps to prevent their users from falling victim to the attack, and BIND, the widely-used DNS protocol implementation, was updated to minimize the threat. Even then, there were reports of a version of the attack being actively used on AT&T’s DNS servers.

Mac OSX uses a BIND implementation but as of yet, Apple has not released a patch updating the system (Microsoft, on the other hand, patched this up on July 8). As a result, machines running OSX are at risk of being exploited. Individual users are less likely to be targeted, since the attacks are directed towards servers, but it’s not a smart idea to leave this vulnerability open. [Glenn Fleishman] has published a way to update BIND on OSX manually, rather than waiting on Apple to patch it themselves. It requires Xcode and a bit of terminal work, but it’s a relatively painless update. When we tried it, the “make test” step skipped a few tests and told us to run “bin/tests/system/ up”. That allowed us to re-run the tests and continue the update without further interruption. [Fleischman] warns that people who manually update BIND may break the official update, but he will update his instructions when it happens with any possible workarounds. Unfortunately, this fix only works for 10.5 but alternative, yet less effective methods may work for 10.4 and earlier.

If you’d like to know if your preferred DNS servers are vulnerable or not, you can use the DNS checker tool from Doxpara. As an alternative to your ISP’s DNS servers, you can use OpenDNS, which many prefer for its security features and configuration options.

Malware alters DNS data on routers

The Zlob trojan, also known as DNSChanger, has been around for a few years, but recent Zlob variants to appear in the wild attempt to log into routers using a list of default admin/password combos. If they succeed, they alter the DNS records on the router to reroute traffic through the attacker’s server.

Our friend [Dan Kaminisky] recently did a presentation warning against vulnerabilities in internet browser plugins that allow attackers to mount DNS rebinding attacks against routers with default passwords.. Though it achieves the same end, Zlob is different because it infects by the tried-and-true method of fooling users into downloading it inside a fake video codec. Once it is running on a client machine, it is free to attempt to use the default admin id and password of the router to log in and alter DNS settings. It even supports the DD-WRT firmware.

Even if a system is wiped clean of Zlob trojans, the router could still be compromised. The good news is that it is easy to fix and even easier to prevent. Fixing it takes no more than wiping all network clients clean, then resetting the router and restoring custom settings. Prevention is a simple matter of changing the router’s password.

[photo: fbz]