[TAG] (forw) Re: [conspire] DNS vulnerability details
rick at linuxmafia.com
Wed Aug 6 09:36:56 MSD 2008
Quoting Kapil Hari Paranjape (kapil at imsc.res.in):
> > o Your Debian and MacOS boxes -- being TCP/IP-capable -- have DNS
> > resolver libraries (DNS clients). Neither of those OSes' libraries
> > is particularly competent at randomising their UDP ports on outgoing
> > DNS queries whose recursive bits are set, _but_ results received
> > back are not cached. So, there's very little payoff to a theoretical
> > attacker from sending them forged responses with cache-poisoning data
> > -- there being no cache to poison. Get it?
> While this is generally true, I am a bit worried about systems where
> one runs "nscd". (For those not in the know, "nscd=name service
> caching daemon" which caches a number of things for the libc resolver
> stub.) Does "nscd" aggravate the problem?
Yes, it absolutely does. (In separate parts of discussion of this issue
on various threads, I _did_ footnote my comments to say "This of course
is not true if the local system is caching DNS hosts data using nscd.")
> I know your response is likely to be "Do not run this little horror!"
> but it seems to be required if one is running NIS. Of course, the
> next question would be why one is running NIS in 2008!
Hosts on NIS, NIS+, or LDAP-based networks all tend to run nscd -- and
there are a lot of legacy NIS-type networks out there, not to mention
new deployments using LDAP directory services. It's a standard part of
such configurations because it caches a great deal more than just
hostnames (users, groups, services, RPC service ports, netgroups, etc.).
Long before this current DNS affair, though, it's been my strong
recommendation that such users carefully disable nscd's caching of hosts
data, in /etc/nscd.conf. For one thing, all versions of nscd for Linux
through the present day ignore TTL (time to live) on cached DNS hostname
data. In other words, its caching of such data is brain-dead. (I am
told that this bug is soon to be fixed.)
I can tell you from experience, even on LANs with very heavy NIS/NFS
activity, disabling that caching does not noticeably impair performance.
And, of course, if you want to have local DNS caching, nothing prevents
you doing so by running a genuine caching recursive-resolver daemon
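Added example (not part of either poster's message): a small POSIX shell audit that reads an nscd.conf, reports whether the hosts cache Rick recommends disabling is still on, and emits the corrected setting. The config text is a constructed stand-in for /etc/nscd.conf with typical default values.

```shell
#!/bin/sh
# SAMPLE_NSCD_CONF is a constructed stand-in for /etc/nscd.conf (typical defaults),
# not a file taken from the thread.
SAMPLE_NSCD_CONF='# constructed nscd.conf sample
enable-cache            passwd          yes
positive-time-to-live   passwd          600
enable-cache            hosts           yes
positive-time-to-live   hosts           3600
negative-time-to-live   hosts           20
'

# Print the value of "<key> <database>" from nscd.conf text on stdin.
# "#" comments are stripped first; if a key is repeated, the last line wins.
nscd_setting() {  # usage: nscd_setting <key> <database>
    sed 's/#.*//' |
        awk -v key="$1" -v db="$2" '$1 == key && $2 == db { val = $3 } END { print val }'
}

# Exit 0 when the config text in $1 has "enable-cache hosts yes", 1 otherwise.
hosts_cache_enabled() {
    [ "$(printf '%s\n' "$1" | nscd_setting enable-cache hosts)" = "yes" ]
}

# Emit the config text in $1 with hosts caching turned off ("enable-cache hosts no"),
# leaving the passwd/group/etc. caches exactly as they were.
disable_hosts_cache() {
    printf '%s\n' "$1" |
        awk 'BEGIN { OFS = "\t" } $1 == "enable-cache" && $2 == "hosts" { $3 = "no" } { print }'
}

# Report the fixed lifetime nscd applies to cached hosts entries. Per the message
# above, this setting rather than the DNS record's TTL governs how long an entry lives.
hosts_cache_lifetime() {
    printf '%s\n' "$1" | nscd_setting positive-time-to-live hosts
}

if hosts_cache_enabled "$SAMPLE_NSCD_CONF"; then
    echo "nscd hosts cache is ENABLED; entries kept $(hosts_cache_lifetime "$SAMPLE_NSCD_CONF")s regardless of DNS TTL"
    echo "--- corrected configuration ---"
    disable_hosts_cache "$SAMPLE_NSCD_CONF"
else
    echo "nscd hosts cache is disabled"
fi
```

To audit a real host, replace the sample with `$(cat /etc/nscd.conf)` and restart nscd after applying the corrected file.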