A Pf (Packet Filter) solution to the recent DNS vulnerability

A few days ago a DNS protocol vulnerability was published; you can find the details here (and the technical details here). If the vulnerability is exploited, the caches of the DNS servers carrying the flaw (we can say 99% of the Internet) can be poisoned.

One of the measures recommended at the address I gave above was that DNS servers use random source ports when making queries. As far as I know, apart from DJBdns there is no DNS server/client software that provides this natively.

If you use a firewall such as Packet Filter that can change source ports while doing NAT (most firewalls do this), and you pass your DNS server's outbound UDP 53 traffic through NAT, the source port numbers will be chosen at random.

The example below was carried out with OpenBSD, named and PF.

Queries made from a DNS server whose outbound traffic is not NATed by PF

# nslookup
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> www.google.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.google.com canonical name = www.l.google.com.
Name: www.l.google.com
Address: 74.125.39.103
Name: www.l.google.com
Address: 74.125.39.147
Name: www.l.google.com
Address: 74.125.39.99
Name: www.l.google.com
Address: 74.125.39.104
> www.lifeoverip.net
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: www.lifeoverip.net
Address: 80.93.212.86
> set q=a
> www.huzeyfe.net
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: www.huzeyfe.net
Address: 80.93.212.86
> www.cnn.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: www.cnn.com
Address: 64.236.91.23
Name: www.cnn.com
Address: 64.236.16.20
Name: www.cnn.com
Address: 64.236.16.52
Name: www.cnn.com
Address: 64.236.24.12
Name: www.cnn.com
Address: 64.236.29.120
Name: www.cnn.com
Address: 64.236.91.21
> exit

When we watch the egress of these requests with tcpdump, we get the following results.

# tcpdump -ttnn udp port 53
tcpdump: listening on vic0, link-type EN10MB
1214527060.000368 192.168.2.23.26926 > 192.33.14.30.53: 52135% [1au] A? www.huzeyfe.net. (44)
1214527060.202598 192.168.2.23.26926 > 70.84.223.230.53: 26205% [1au] AAAA? jet.tekrom.com. (43)
1214527060.202728 192.168.2.23.26926 > 70.84.223.230.53: 45553% [1au] A? ns3.tekrom.com. (43)
1214527060.202918 192.168.2.23.26926 > 70.84.223.230.53: 9887% [1au] AAAA? ns3.tekrom.com. (43)
1214527060.203064 192.168.2.23.26926 > 70.84.223.230.53: 19219% [1au] A? ns4.tekrom.com. (43)
1214527060.203171 192.168.2.23.26926 > 70.84.223.230.53: 9937% [1au] AAAA? ns4.tekrom.com. (43)
1214527060.478490 70.84.223.230.53 > 192.168.2.23.26926: 23575*- 1/2/3 A 74.52.0.226 (127) (DF)
1214527060.479070 192.168.2.23.26926 > 70.84.223.226.53: 5700% [1au] A? www.huzeyfe.net. (44)
1214527060.483016 70.84.223.230.53 > 192.168.2.23.26926: 26205*- 0/1/1 (91) (DF)
1214527060.487206 70.84.223.230.53 > 192.168.2.23.26926: 45553*- 1/2/2 A 70.84.223.226 (107) (DF)
1214527060.492574 70.84.223.230.53 > 192.168.2.23.26926: 9887*- 0/1/1 (87) (DF)
1214527060.496554 70.84.223.230.53 > 192.168.2.23.26926: 19219*- 1/2/2 A 70.84.223.227 (107) (DF)
1214527060.501199 70.84.223.230.53 > 192.168.2.23.26926: 9937*- 0/1/1 (91) (DF)
1214527060.756220 70.84.223.226.53 > 192.168.2.23.26926: 5700- 0/13/1 (252) (DF)
1214527060.756753 192.168.2.23.26926 > 70.84.223.227.53: 58800% [1au] A? www.huzeyfe.net. (44)
1214527061.031910 70.84.223.227.53 > 192.168.2.23.26926: 58800- 0/13/1 (252) (DF)
1214527061.032272 192.168.2.23.26926 > 74.52.0.226.53: 54605% [1au] A? www.huzeyfe.net. (44)
1214527061.309713 74.52.0.226.53 > 192.168.2.23.26926: 54605*- 1/2/3 A 80.93.212.86 (138) (DF)
1214527081.550135 192.168.2.23.26926 > 192.26.92.30.53: 48697% [1au] A? www.cnn.com. (40)
1214527081.694272 192.26.92.30.53 > 192.168.2.23.26926: 48697- 0/4/5 (203) (DF)
1214527081.695022 192.168.2.23.26926 > 205.188.146.88.53: 10679% [1au] A? www.cnn.com. (40)
1214527081.851653 205.188.146.88.53 > 192.168.2.23.26926: 10679- 0/2/3 (123) (DF)

If you look closely, all DNS requests go out from the same source port…

Let's repeat the same steps after applying NAT in Packet Filter to outbound UDP 53.

Queries

# nslookup
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> set query=a
> www.lifeoverip.net
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: www.lifeoverip.net
Address: 80.93.212.86
> www.linux.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.linux.com canonical name = linux.com.
Name: linux.com
Address: 216.34.181.51
> www.fazlamesai.net
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: www.fazlamesai.net
Address: 82.222.181.125
> netsec.lifeoverip.net
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: netsec.lifeoverip.net
Address: 80.93.212.86

tcpdump output of the queries

# tcpdump -ttnn udp port 53
tcpdump: listening on vic0, link-type EN10MB
1214527500.423316 192.168.2.23.55819 > 192.42.93.30.53: 15093% [1au] A? www.linux.com. (42)
1214527500.692729 192.42.93.30.53 > 192.168.2.23.55819: 15093- 0/3/4 (168) (DF)
1214527500.694008 192.168.2.23.63085 > 12.31.165.79.53: 8055% [1au] A? www.linux.com. (42)
1214527500.991152 12.31.165.79.53 > 192.168.2.23.63085: 8055*- 2/0/0 CNAME linux.com., (61) (DF)
1214527500.995350 192.168.2.23.60810 > 216.34.181.21.53: 732% [1au] A? linux.com. (38)
1214527501.165336 216.34.181.21.53 > 192.168.2.23.60810: 732*- 1/0/0 A 216.34.181.51 (43) (DF)
1214527515.105501 192.168.2.23.63168 > 192.54.112.30.53: 38190% [1au] A? www.fazlamesai.net. (47)
1214527515.176086 192.54.112.30.53 > 192.168.2.23.63168: 38190- 0/2/1 (97) (DF)
1214527515.177442 192.168.2.23.52894 > 199.19.57.1.53: 13823% [1au] A? ns1.fazlamesai.org. (47)
1214527515.177701 192.168.2.23.52894 > 199.19.57.1.53: 63052% [1au] AAAA? ns1.fazlamesai.org. (47)
1214527515.177963 192.168.2.23.52894 > 199.19.57.1.53: 52497% [1au] A? ns2.fazlamesai.org. (47)
1214527515.178148 192.168.2.23.52894 > 199.19.57.1.53: 19103% [1au] AAAA? ns2.fazlamesai.org. (47)
1214527515.251261 199.19.57.1.53 > 192.168.2.23.52894: 13823- 0/2/3 (111) (DF)
1214527515.251972 192.168.2.23.57625 > 195.33.233.59.53: 64528% [1au] A? ns1.fazlamesai.org. (47)
1214527515.256090 199.19.57.1.53 > 192.168.2.23.52894: 63052- 0/2/3 (111) (DF)
1214527515.256721 192.168.2.23.57625 > 195.33.233.59.53: 19139% [1au] AAAA? ns1.fazlamesai.org. (47)
1214527515.260952 199.19.57.1.53 > 192.168.2.23.52894: 52497- 0/2/3 (111) (DF)
1214527515.261360 192.168.2.23.57625 > 195.33.233.59.53: 2367% [1au] A? ns2.fazlamesai.org. (47)
1214527515.265682 199.19.57.1.53 > 192.168.2.23.52894: 19103- 0/2/3 (111) (DF)
1214527515.266223 192.168.2.23.57625 > 195.33.233.59.53: 19193% [1au] AAAA? ns2.fazlamesai.org. (47)
1214527515.695411 192.168.2.23.57625 > 195.33.233.59.53: 22141% [1au] A? www.fazlamesai.net. (47)
1214527515.764586 192.168.2.23.61756 > 82.222.181.125.53: 51328% [1au] A? ns1.fazlamesai.org. (47)
1214527515.764749 192.168.2.23.61756 > 82.222.181.125.53: 60964% [1au] AAAA? ns1.fazlamesai.org. (47)
1214527515.764895 192.168.2.23.61756 > 82.222.181.125.53: 48058% [1au] A? ns2.fazlamesai.org. (47)
1214527515.779404 82.222.181.125.53 > 192.168.2.23.61756: 51328* 1/2/2 A 82.222.181.125 (111) (DF)
1214527515.779909 192.168.2.23.61756 > 82.222.181.125.53: 11798% [1au] AAAA? ns2.fazlamesai.org. (47)
1214527515.785161 82.222.181.125.53 > 192.168.2.23.61756: 60964* 0/1/1 (94) (DF)
1214527515.789313 82.222.181.125.53 > 192.168.2.23.61756: 48058* 1/2/2 A 212.175.237.162 (111) (DF)
1214527515.794834 82.222.181.125.53 > 192.168.2.23.61756: 11798* 0/1/1 (98) (DF)
1214527516.215004 192.168.2.23.61756 > 82.222.181.125.53: 54317% [1au] A? www.fazlamesai.net. (47)
1214527516.228870 82.222.181.125.53 > 192.168.2.23.61756: 54317* 1/2/3 A 82.222.181.125 (145) (DF)
1214527540.838462 192.168.2.23.62275 > 70.84.223.227.53: 2944% [1au] A? netsec.lifeoverip.net. (50)
1214527541.105514 70.84.223.227.53 > 192.168.2.23.62275: 2944*- 1/2/3 A[|domain] (DF)

As can be seen, once NAT is applied the source ports change randomly…
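As an added example (not part of the original post), the script below counts the distinct source ports a resolver uses in "tcpdump -ttnn udp port 53" output, run over lines constructed from the two captures above; the pf.conf rule in the comment is my assumption of what the post applied, in OpenBSD 4.x-era syntax, and the default NAT port range of 50001-65535 is PF's documented default from pf.conf(5).

```shell
#!/bin/sh
# Added example, not from the original post: measure how many distinct UDP
# source ports a resolver uses for outbound queries. A count of 1 is the
# weak case the post shows first; after PF NAT the ports should spread over
# PF's default 50001-65535 range.
#
# Assumed pf.conf rule producing the second capture (interface and resolver
# address taken from the post's tcpdump output):
#   nat on vic0 inet proto udp from 192.168.2.23 to any port 53 -> (vic0)

RESOLVER=192.168.2.23

# distinct_src_ports <capture-file>: number of distinct source ports used in
# queries from $RESOLVER to any host on port 53 (responses are ignored).
distinct_src_ports() {
    awk -v src="$RESOLVER" '
        # query lines look like: <ts> <src>.<sport> > <dst>.53: <id> ...
        $3 == ">" && index($2, src ".") == 1 && $4 ~ /\.53:$/ {
            split($2, f, ".")            # f[1..4] address, f[5] source port
            ports[f[5]] = 1
        }
        END { c = 0; for (p in ports) c++; print c }
    ' "$1"
}

# Constructed sample captures, copied from the post's before/after runs.
before=$(mktemp); after=$(mktemp)
trap 'rm -f "$before" "$after"' EXIT
cat > "$before" <<'EOF'
1214527060.000368 192.168.2.23.26926 > 192.33.14.30.53: 52135% [1au] A? www.huzeyfe.net. (44)
1214527060.202598 192.168.2.23.26926 > 70.84.223.230.53: 26205% [1au] AAAA? jet.tekrom.com. (43)
1214527060.478490 70.84.223.230.53 > 192.168.2.23.26926: 23575*- 1/2/3 A 74.52.0.226 (127) (DF)
1214527081.550135 192.168.2.23.26926 > 192.26.92.30.53: 48697% [1au] A? www.cnn.com. (40)
EOF
cat > "$after" <<'EOF'
1214527500.423316 192.168.2.23.55819 > 192.42.93.30.53: 15093% [1au] A? www.linux.com. (42)
1214527500.692729 192.42.93.30.53 > 192.168.2.23.55819: 15093- 0/3/4 (168) (DF)
1214527500.694008 192.168.2.23.63085 > 12.31.165.79.53: 8055% [1au] A? www.linux.com. (42)
1214527500.995350 192.168.2.23.60810 > 216.34.181.21.53: 732% [1au] A? linux.com. (38)
EOF

echo "before NAT: $(distinct_src_ports "$before") distinct source port(s)"
echo "after  NAT: $(distinct_src_ports "$after") distinct source port(s)"
```

On a live system, feed it a file saved with `tcpdump -ttnn udp port 53 > capture.txt` from the resolver's egress interface.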

Addendum:

http://blogs.iss.net/archive/morednsnat.html

https://www.dns-oarc.net/


4 Responses to A Pf (Packet Filter) solution to the recent DNS vulnerability

  1. Müslüm says:

    Hello Hüzeyfe;
    Can this be fixed on CheckPoint just by applying NAT to outbound traffic?
    Could you give some information on how to do it for CheckPoint?

  2. Huzeyfe ONAL says:

    In SmartDefense (Checkpoint) there is a setting for random selection of source ports for UDP, but based on my personal experience I recommend that SmartDefense "definitely" not be used for this kind of thing. I have very often witnessed it breaking other things while doing one thing.

  3. Pingback: DNS Cache Poisoning | Blogsal Mevzular

  4. Pingback: DNS Cache Poisoning « M.Ufuk TATLIDIL
