Ryan (tekman) wrote,

How to mitigate CERT VU#800113 on OpenBSD

New DNS cache poisoning attack, out early: VU#800113

If I've helped you set up an OpenBSD router, you are vulnerable.

ssh to your router and edit named.conf:

su -
emacs -nw /var/named/etc/named.conf

Modify the options {} block by adding the lines below. They make named send every query it would otherwise resolve recursively to OpenDNS, whose resolvers aren't vulnerable to this attack, and "forward only" stops named from falling back to doing the lookups itself:

forward only;
forwarders {;; };

Restart named:

pkill named

Verify that you've fixed the issue:

ryan@belal ~ $ dig +short porttest.dns-oarc.net TXT
" is GOOD: 26 queries in 0.6 seconds from 26 ports with std dev 17317.56"

If you see POOR instead of GOOD, you're still vulnerable.
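To make the GOOD/POOR distinction concrete, here is an added Python example (not from the original post, and not OARC's porttest code) that scores a list of UDP source ports observed on consecutive queries the way the report above is phrased. The port lists and the thresholds are constructed assumptions; beyond what the post shows, it also flags ports that step by a constant, which can have a healthy-looking std dev while still being predictable.

```python
"""Offline scoring of resolver UDP source-port randomization.

Added example modelled on the porttest.dns-oarc.net report format quoted in
the post.  The thresholds below are assumptions for illustration, not OARC's
published ones, and the port lists are constructed sample data.
"""
import statistics
from dataclasses import dataclass

# Assumed thresholds (not from the post or from OARC): nearly every query must
# use a fresh port, and the ports must be spread widely across the range.
MIN_DISTINCT_FRACTION = 0.9
MIN_STDDEV = 3000.0

# Constructed samples: 26 queries each, as in the quoted report.
RANDOMIZED_PORTS = [1025, 64000, 33011, 5120, 60001, 12345, 48000, 21999,
                    57321, 3003, 39999, 17000, 62222, 9876, 29000, 51234,
                    44444, 7777, 36000, 15555, 58888, 25000, 42000, 2048,
                    54321, 31000]
FIXED_PORTS = [53] * 26                          # one fixed source port
SEQUENTIAL_PORTS = list(range(1024, 1050))       # counts up by one
STEPPED_PORTS = list(range(1024, 65536, 2500))   # wide spread, constant step


@dataclass
class PortReport:
    queries: int
    distinct: int
    stddev: float
    verdict: str


def _is_arithmetic(ports):
    """True when successive ports differ by a constant (e.g. 1024, 1025, ...).

    Such a sequence is predictable even when its std dev looks healthy.
    """
    if len(ports) < 3:
        return False
    step = ports[1] - ports[0]
    return all(b - a == step for a, b in zip(ports, ports[1:]))


def source_port_report(ports):
    """Score a list of observed source ports as GOOD or POOR."""
    n = len(ports)
    distinct = len(set(ports))
    stddev = statistics.pstdev(ports) if n > 1 else 0.0
    if (distinct < MIN_DISTINCT_FRACTION * n
            or stddev < MIN_STDDEV
            or _is_arithmetic(ports)):
        verdict = "POOR"
    else:
        verdict = "GOOD"
    return PortReport(n, distinct, round(stddev, 2), verdict)


def format_report(report):
    """Render a report in the style of the porttest TXT answer."""
    return (f"{report.verdict}: {report.queries} queries from "
            f"{report.distinct} ports with std dev {report.stddev}")


if __name__ == "__main__":
    for name, ports in [("randomized", RANDOMIZED_PORTS), ("fixed", FIXED_PORTS),
                        ("sequential", SEQUENTIAL_PORTS), ("stepped", STEPPED_PORTS)]:
        print(f"{name:>10}: {format_report(source_port_report(ports))}")
```

The stepped list is the interesting one: its std dev is 18750, comfortably above the randomized threshold, yet every port is derivable from the previous one, which is why the check looks at the sequence and not only at the spread.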

UPDATE: xyon points out that you might need to ignore the DNS servers coming down from your ISP via DHCP. Edit /etc/dhclient.conf:

supersede domain-name-servers

Then restart dhclient:

ps aux | grep dhclient # remember the external interface like fxp0 or dc0 or whatnot
pkill dhclient
dhclient fxp0 # or whatever your external interface was

You can check that it worked by looking at /etc/resolv.conf and making sure the only nameserver line is:


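As an added example of the resolv.conf check just described (not code from the original post), the Python below parses a resolv.conf and reports any nameserver entry that is not one of the intended forwarders, which is exactly how DHCP-pushed ISP resolvers would show up if the supersede line hadn't taken effect. The addresses are constructed placeholders from the RFC 5737 documentation ranges, standing in for whatever forwarders you configured.

```python
"""Check that resolv.conf lists only the intended forwarders.

Added example, not from the post.  192.0.2.x stands in for the configured
forwarders and 198.51.100.x for ISP servers pushed by DHCP; both are
constructed placeholder addresses.
"""

# Constructed placeholder: the forwarders you put in named.conf / dhclient.conf.
EXPECTED_FORWARDERS = {"192.0.2.10", "192.0.2.20"}

# Constructed sample: what dhclient writes when the ISP servers are NOT superseded.
DHCP_RESOLV_CONF = """\
# Generated by fxp0 dhclient
search example.net
nameserver 198.51.100.1
nameserver 198.51.100.2
lookup file bind
"""

# Constructed sample: the same file after the supersede line took effect.
SUPERSEDED_RESOLV_CONF = """\
# Generated by fxp0 dhclient
search example.net
nameserver 192.0.2.10
nameserver 192.0.2.20
lookup file bind
"""


def nameservers_in(resolv_conf_text):
    """Return nameserver addresses in file order.

    Lines whose first column is '#' or ';' are comments per resolv.conf(5);
    other directives (search, lookup, options) are ignored.
    """
    found = []
    for raw in resolv_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            found.append(parts[1])
    return found


def check_resolv_conf(text, expected=EXPECTED_FORWARDERS):
    """Return (ok, unexpected, missing).

    ok is True only when every nameserver line is an expected forwarder and
    every expected forwarder is present.
    """
    found = nameservers_in(text)
    unexpected = [ns for ns in found if ns not in expected]
    missing = sorted(ns for ns in expected if ns not in found)
    return (not unexpected and not missing), unexpected, missing


if __name__ == "__main__":
    for label, text in [("dhcp", DHCP_RESOLV_CONF), ("superseded", SUPERSEDED_RESOLV_CONF)]:
        ok, unexpected, missing = check_resolv_conf(text)
        print(f"{label}: ok={ok} unexpected={unexpected} missing={missing}")
```

On a real router you would feed it the contents of /etc/resolv.conf after restarting dhclient; any address in the unexpected list means queries can still leave through a resolver you did not choose.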
UPDATE2: You'll probably want to go to www.opendns.com and sign up for an account to turn off their proxying features.
