Comments on: Apple in a bind over its DNS patch?

Company's dilemma may be related to a third party's DNS patch problems.

(15 Comments)
by Vegaman_Dan July 29, 2008 2:43 PM PDT
Give them time. Apple is notoriously slow in releasing any patch for vulnerabilities. This isn't anything different this time. They will get it addressed eventually. It's not a critical issue at this time.

"Apple had no comment to a request from CNET News regarding the status of a Mac OS X DNS patch."

Now that's the funny part of the story. Of course they won't have a comment. It's *APPLE*, they don't comment on anything. Requesting information is pointless.

by Dalkorian July 29, 2008 3:24 PM PDT
Actually, rumor has it that attack code exploiting this is out there now (Kaminsky himself posted something to the effect of "Patch. Today. Now. Yes, stay late."). I don't think we've seen any attacks yet, but it could be as short as days (maybe hours?) away. I would argue it IS a critical issue at this time. The servers need to be patched before the criminals exploit the vulnerability, otherwise all kinds of havoc is possible. The most troubling part of this is the fact that you can fix your DNS servers, but if your ISP neglects to do the same you can still be a victim of this. Like the idea of your customers being redirected to some server in Russia because someone else didn't fix their Bind servers?

There are two ways I'm aware of to check if the DNS servers you're using are vulnerable. Kaminsky has a test on his website, http://www.doxpara.com/. The other option is to either visit https://www.dns-oarc.net/oarc/services/porttest or use the dig tool that comes with BIND to send the following query:
dig @yourdns +short porttest.dns-oarc.net TXT

Note that if you are running purely authoritative servers (no recursion) then I *THINK* you're safe.
by Dalkorian July 30, 2008 12:19 PM PDT
I posted just yesterday that attacks are days if not hours away. Guess what article I ran into this morning?

http://www.macworld.com/article/134758/2008/07/dnsattack.html?lsrc=rss_main

Looks like it's started already, just hours after my post. Notice as I pointed out that the "victim" here wasn't the one that was "attacked", it was his ISP.

It *IS* a critical issue. Patch now. I did. One machine is an AIX box, the other is running OSX 10.4. It's possible to patch without Apple's help (harder, but definitely possible - and worthwhile!).
by Dalkorian July 29, 2008 3:05 PM PDT
Yes, Apple should release an update for their Bind distro. Now. Today. No, you should NOT forward to some winblows machine (winblows doesn't play nice with true Bind, as usual, M$ bastardized it and called it ActiveDirectory but should have just named it ADHD instead). Yes, it's easy to just go get the source for Bind and build it yourself (configure, make, make install; read over the configure options to build it to install where you want it, like over Apple's vulnerable version of Bind). Yes, you NEED to do something about this (either build the patched version or forward to something secure - *nix boxes or OpenDNS). Now. Today. Stay late, put in the overtime.

Disclaimer: I believe that if you're not running a recursive server you're safe, but I'm not absolutely sure about that. It is a cache poisoning attack, which is obviously easier when a zone is fetched from other DNS servers than it is when you're authoritative for the zone and have a zone file to reference. Notice this disclaimer only applies to servers, clients are hosed until everyone is scared into fixing their DNS servers. That's why this is so important, you can fix your DNS server but if JoeBloeFishAndTackleAndInternetServiceProvider doesn't fix *HIS* server, you and/or your customers/clients can get a poisoned record from *HIM* that redirects people to the wrong sites.
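Added example (editor's illustration, not part of the thread or any commenter's text, and not BIND or DNS-OARC code) of why the porttest check above matters. A Kaminsky-style attacker makes the resolver look up a name it has not cached and races the real answer with forged replies; a forged reply only lands if it matches the outstanding query's 16-bit transaction ID and, on a patched resolver, its randomized UDP source port. The numbers below assume an ephemeral port range of 64512 ports, an attacker whose guesses are uniformly random, and a fixed count of forged replies per race; they are assumptions for illustration, not measurements.

```python
import random

# Kaminsky-style cache poisoning: each race is one forged query for an uncached
# name (e.g. a random subdomain). A forged reply is accepted only if its
# transaction ID (and, on a patched resolver, its UDP source port) matches the
# outstanding query. Source-port randomization turns a 16-bit guess into ~32 bits.
TXID_SPACE = 1 << 16   # 16-bit DNS transaction ID
PORT_SPACE = 64512     # assumed ephemeral source-port range (1024-65535)


def guess_space(randomize_port: bool) -> int:
    """Number of (txid, port) pairs a forged reply must match in one race."""
    return TXID_SPACE * (PORT_SPACE if randomize_port else 1)


def race_success_probability(spoofed_per_race: int, randomize_port: bool) -> float:
    """Chance of winning one race when the attacker can land `spoofed_per_race`
    distinct forged replies before the genuine answer arrives."""
    space = guess_space(randomize_port)
    return min(spoofed_per_race, space) / space


def expected_races(spoofed_per_race: int, randomize_port: bool) -> float:
    """Expected races until the cache is poisoned (geometric distribution).
    Unlike pre-Kaminsky attacks, the attacker is not limited by the TTL of a
    cached record: every race uses a fresh uncached name."""
    return 1.0 / race_success_probability(spoofed_per_race, randomize_port)


def expected_seconds(spoofed_per_race: int, randomize_port: bool,
                     seconds_per_race: float) -> float:
    """Expected wall-clock time to poison, given how fast races can be run."""
    return expected_races(spoofed_per_race, randomize_port) * seconds_per_race


def simulate(races: int, spoofed_per_race: int, randomize_port: bool,
             seed: int = 0) -> float:
    """Monte Carlo check of the closed form: the resolver picks a random TXID
    (and port, if randomized); each forged reply carries a random guess, and
    the race is won only if one guess is exactly right. Returns the win rate."""
    rng = random.Random(seed)
    space = guess_space(randomize_port)
    wins = 0
    for _ in range(races):
        real = rng.randrange(space)
        guesses = {rng.randrange(space) for _ in range(spoofed_per_race)}
        if real in guesses:
            wins += 1
    return wins / races


if __name__ == "__main__":
    k = 100           # assumed forged replies the attacker lands per race
    race_time = 0.01  # assumed seconds per race (one forged query + replies)
    for randomized in (False, True):
        label = "random port + TXID" if randomized else "fixed port, TXID only"
        print(f"{label}: p(race)={race_success_probability(k, randomized):.3e}, "
              f"expected {expected_races(k, randomized):,.0f} races "
              f"(~{expected_seconds(k, randomized, race_time):,.0f} s)")
    print("simulated fixed-port win rate:", simulate(10000, 200, False, seed=1))
```

The fixed-port column is the situation the porttest query is checking for: a resolver whose replies come from one predictable port has only the transaction ID protecting it, and the expected time to poison is seconds, not years. If porttest reports poor port randomness for the resolver your clients use, that resolver is in the fixed-port column regardless of what you have patched locally, which is the "your ISP's server" problem described in the comment above.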
by Thomas, David July 29, 2008 3:53 PM PDT
"DNS Patches cause problems ..."
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111001&intsrc=hm_list

Seems to me, that if this is what happened at Apple, they truly were/are between a rock, and a hard place.
by Dalkorian July 30, 2008 12:35 PM PDT
Most of the BIND issues are performance related (particularly with the 9.4.X branch, I've seen other stability issues discussed on the BIND mailing list about the 9.5.X branch though). The choice is simple, a slower DNS server or an insecure one. I know which choice I'd make (in fact I already made it, updating my internal DNS servers at work to 9.4.2-P1; one is an AIX box and the other is a Mac Mini running 10.4.11).

The M$ issues can basically be ignored because M$ doesn't use BIND, they have (as usual) their own bastardized version (AD, which should stand for Attention Deficit ...) designed not to play nice with anyone else.

OSX on the other hand uses standard BIND (admittedly with a non-standard proprietary GUI) and therefore SHOULD update now. Attacks are already happening!

http://www.macworld.com/article/134758/2008/07/dnsattack.html?lsrc=rss_main
by mathue_tax July 29, 2008 4:29 PM PDT
The researchers could care less about reliability, only that we're supposedly 'safe'. So, unsafe but reliable, or safe and unreliable. And to top it off, these vulnerabilities would likely have never been found in the wild. Uh, Blackhats, you need to work on your public image, guys. I have a vulnerability. If I shoot an arrow at a tire you could lose control of your car and crash. Therefore we must put plate armor on the side of cars to protect the tires.
by bstern2 July 29, 2008 10:49 PM PDT
You have to keep in mind that the Open Directory and Kerberos subsystems rely on DNS and/or FQDNs to resolve queries, and that the DNS performance issues that show in P1 will hit Mac OS X Server VERY hard. Apple probably tested the performance during validation in the lab and decided to wait on Patch 2, when the problem will be addressed.

Port randomization is nice, but that won't help with the high-volume resolving some parts of OS X Server rely on for subsystem services. Of course, forwarding to OpenDNS fixes the exposure issue. Tiger Server 10.4.x is not concerned if it uses NetInfo, since NetInfo is not BIND-dependent at all, but this will partly break the GUI Apple ships Mac OS X Server with.

Safe but underperforming does not cut it in this case.
by Dalkorian July 30, 2008 12:37 PM PDT
So you would rather good performance without safety? Attacks have started already, you know ...

http://www.macworld.com/article/134758/2008/07/dnsattack.html?lsrc=rss_main
by kelmon July 30, 2008 12:26 AM PDT
Agreed - Apple's silence on the issue is the worst part of this. Communication with your customers, particularly if they are worried, is very important.
by Vegaman_Dan July 30, 2008 7:45 AM PDT
Ask yourself, how many OS X servers are there really out there that are handling DNS requests? When compared to the *nix, Cisco, and Windows servers out there that are already patched? This really is an obscure exposure to worry about. Yes, it should be fixed as soon as they can, but it's not like there's a lot of them out there in the first place in positions to be vulnerable. Apple can afford to wait.
by fdunn3 July 30, 2008 9:26 AM PDT
All it takes is one server to poison many.
by Dalkorian July 30, 2008 12:38 PM PDT
http://www.macworld.com/article/134758/2008/07/dnsattack.html?lsrc=rss_main

No, they can't afford to wait. It's already begun.
by ittesi259 July 30, 2008 7:48 AM PDT
The annoying part here is that most consumers won't understand this is a problem for Mac servers, and if you aren't going through one then this isn't an issue. I don't, so all I say is I hope my ISP patched.
by Dalkorian July 30, 2008 12:43 PM PDT
You don't have to hope. You can test it yourself! Two sites you should check out ...

Kaminsky's own DNS tester: http://www.doxpara.com/

DNS-OARC's DNS tester: https://www.dns-oarc.net/oarc/services/porttest