Ryan (tekman) wrote,

How to mitigate CERT VU#800113 on OpenBSD

New poisoning attack, out early: VU#800113

If I've helped you set up an OpenBSD router, you are vulnerable.

ssh to your router and edit named.conf:

su -
emacs -nw /var/named/etc/named.conf

Modify the options {} block by adding the two lines below. They forward every query for a non-local zone to OpenDNS, whose resolvers are not vulnerable to this attack:

forward only;
forwarders { 208.67.222.222; 208.67.220.220; };

Restart named:

pkill named
named

Verify that you've fixed the issue:

ryan@belal ~ $ dig +short porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"208.67.216.14 is GOOD: 26 queries in 0.6 seconds from 26 ports with std dev 17317.56"

If you see POOR instead of GOOD, you're still vulnerable.

UPDATE: xyon points out that you might need to ignore the DNS servers coming down from your ISP via DHCP. Edit /etc/dhclient.conf:

supersede domain-name-servers 127.0.0.1;

Then restart dhclient:

ps aux | grep dhclient # remember the external interface like fxp0 or dc0 or whatnot
pkill dhclient
dhclient fxp0 # or whatever your external interface was

You can check that it worked by looking at /etc/resolv.conf and making sure the only nameserver line is:

nameserver 127.0.0.1
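The three things the post tells you to verify (the forwarders in named.conf, the GOOD/POOR result from the OARC port test, and a resolv.conf that points only at 127.0.0.1) can be checked from one script. The following is an added example, not part of the original post; it runs against constructed copies of the files so it works offline, and the file names under the temporary directory and the POOR sample line are made up for the example.

```shell
#!/bin/sh
# Added example: post-change checks for the VU#800113 mitigation described above.
# The sample files and sample dig answers below are constructed for this example.

# resolv.conf must have at least one nameserver line and every one of them
# must be 127.0.0.1; any other entry means queries can still go to the ISP
# resolver handed out via DHCP.
resolv_ok() {
    ns_total=$(grep -c '^nameserver' "$1" || true)
    ns_local=$(grep -c '^nameserver[[:space:]]*127\.0\.0\.1[[:space:]]*$' "$1" || true)
    [ "$ns_total" -ge 1 ] && [ "$ns_total" -eq "$ns_local" ]
}

# named.conf must contain "forward only;" and a forwarders list naming both
# OpenDNS resolvers from the post. This is a textual check only.
named_forwarding_ok() {
    grep -Eq '^[[:space:]]*forward[[:space:]]+only[[:space:]]*;' "$1" &&
    grep -Eq 'forwarders[[:space:]]*[{].*208\.67\.222\.222;.*208\.67\.220\.220;.*[}]' "$1"
}

# $1 is the TXT answer from: dig +short porttest.dns-oarc.net TXT | tail -1
# GOOD means source ports are randomised; anything else (POOR, FAIR) is not.
porttest_ok() {
    case "$1" in
        *" is GOOD:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all three checks and report; exit status is non-zero if any fails.
check_all() {
    rc=0
    if resolv_ok "$1"; then echo "resolv.conf: ok"; else echo "resolv.conf: extra or missing nameserver"; rc=1; fi
    if named_forwarding_ok "$2"; then echo "named.conf: forwarding to OpenDNS"; else echo "named.conf: forwarders missing"; rc=1; fi
    if porttest_ok "$3"; then echo "porttest: GOOD"; else echo "porttest: not GOOD, still vulnerable"; rc=1; fi
    return $rc
}

# --- constructed sample inputs (not real files from any router) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/resolv.good" <<'EOF'
search example.invalid
nameserver 127.0.0.1
EOF

cat > "$WORK/resolv.bad" <<'EOF'
nameserver 127.0.0.1
nameserver 192.0.2.53
EOF

cat > "$WORK/named.good" <<'EOF'
options {
        directory "/";
        forward only;
        forwarders { 208.67.222.222; 208.67.220.220; };
};
EOF

cat > "$WORK/named.bad" <<'EOF'
options {
        directory "/";
};
EOF

# The GOOD line is the one shown in the post; the POOR line is constructed.
GOOD_TXT='"208.67.216.14 is GOOD: 26 queries in 0.6 seconds from 26 ports with std dev 17317.56"'
POOR_TXT='"192.0.2.1 is POOR: 26 queries in 0.6 seconds from 1 ports with std dev 0"'

# Demo run over the constructed files. On a real router you would call:
#   check_all /etc/resolv.conf /var/named/etc/named.conf \
#       "$(dig +short porttest.dns-oarc.net TXT | tail -1)"
check_all "$WORK/resolv.good" "$WORK/named.good" "$GOOD_TXT" || true
check_all "$WORK/resolv.bad" "$WORK/named.bad" "$POOR_TXT" || true
```

The named.conf test is a plain grep: it will not notice a commented-out line or a forward statement placed outside the options block, so treat the port test result as the one that counts, since it exercises the resolver that is actually answering.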

UPDATE2: You'll probably want to go to www.opendns.com and sign up for an account to turn off their proxying features.
