Koozali.org: home of the SME Server

DNS man in the middle

steve

DNS man in the middle
« on: June 20, 2003, 11:31:50 PM »
There is an interesting story on Slashdot
http://ask.slashdot.org/askslashdot/03/06/19/2325235.shtml?tid=126&tid=172&tid=95
that got me thinking: if this happened at my ISP, would the e-smith be affected?
How does e-smith handle DNS?
Does it use the DNS that my ISP gives me via DHCP?
My SME server is on a cable modem with DHCP.

Oh, and sorry about the long link.

steve

Charlie Brady

Re: DNS man in the middle
« Reply #1 on: June 20, 2003, 11:42:02 PM »
steve wrote:

>  if this happened at my isp, would the
> e-smith be affected?

No.

> How does e-smith handle DNS?

It resolves via lookup of the root name servers.

> does it use the DNS that my ISP gives me via DHCP?

No.

You should, of course, direct any security concerns to smesecurity@mitel.com, rather than discuss possible vulnerabilities publicly.

Charlie

steve

Re: DNS man in the middle
« Reply #2 on: June 21, 2003, 02:35:37 AM »
Sorry Charlie.... (hope you caught the reference there, rofl)
In the future I will send things like this to the address you mentioned.
Thanks for the reply; I did not really think this is/was a vulnerability with SME.
IMO, I think it points to the strengths of SME, definitely an argument FOR the use of SME server. Without it, I would have been vulnerable.

thanks again Charlie and keep up the good work!!

steve

KeVin M

Re: DNS man in the middle
« Reply #3 on: June 22, 2003, 06:30:46 AM »
Hi

If you read the article then you will see that any system is susceptible to the attack that was discussed. It is an issue OUTSIDE the security sandbox of the SME environment and relates to the remote takeover of a remote DNS server. The end result is that an SME machine and every other user/system on the internet would be duped by such an attack.

The root servers do not have the lookup for every system, just pointers to a better candidate for an answer, and so on towards the end system, until the answer is found. So further down the chain the lookup would hit such a compromised system and return an incorrect lookup result.

There were two important things in that linked article: one is that the user discovered it because he was wary of an SSH warning message for a wrong signature (good); the second is that he was then unable to get support from the compromised ISP, the FBI or any other institution (bad).

Kevin

Charlie Brady

Re: DNS man in the middle
« Reply #4 on: June 22, 2003, 10:49:29 PM »
KeVin M wrote:

> If you read the article then you will see that any system is
> susceptible to the attack that was discussed.

Any system is vulnerable to this attack if and only if said system uses the DNS forwarder recommendations which are provided by the compromised DHCP server. SME doesn't. Please don't spread FUD.

Charlie
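The two replies above draw a distinction between two places a DNS answer can be tampered with: the resolver address that a (possibly rogue) DHCP server hands to the client, which Charlie's reply says SME does not use, and a compromised authoritative server further down the delegation chain, which Kevin's reply says no resolver can avoid. The following is an added example, not part of the thread and not SME Server's resolver code: it models both cases with a tiny in-memory "internet" of name servers so the difference can be seen side by side. Every server name, zone and IP address in it is constructed for illustration.

```python
"""Toy model of where a DNS answer can be tampered with.

Added example, not SME Server code. It models the two attack points the
thread distinguishes: a DHCP-supplied resolver that lies, versus a
compromised authoritative server further down the delegation chain.
All server names, zones and IP addresses are constructed.
"""
from dataclasses import dataclass, field

QNAME = "www.example.com"
LEGIT_IP = "192.0.2.10"        # constructed, RFC 5737 documentation range
ATTACKER_IP = "198.51.100.66"  # constructed


@dataclass
class Server:
    """A name server: A records it is authoritative for, and NS referrals
    (zone suffix -> next server) it hands out for zones it delegates."""
    name: str
    answers: dict = field(default_factory=dict)
    referrals: dict = field(default_factory=dict)
    honest_recursive: bool = False  # an ISP resolver that walks from the roots

    def query(self, qname):
        """Return ("answer", ip), ("referral", server) or ("nxdomain", None)."""
        if qname in self.answers:
            return ("answer", self.answers[qname])
        best = None  # the longest matching delegation wins
        for zone, ns in self.referrals.items():
            if qname == zone or qname.endswith("." + zone):
                if best is None or len(zone) > len(best[0]):
                    best = (zone, ns)
        if best is not None:
            return ("referral", best[1])
        return ("nxdomain", None)


def resolve_iterative(qname, servers, root="a.root-servers.net", max_hops=10):
    """What a resolver configured with root hints does: start at a root
    server and follow referrals until some server answers authoritatively.
    Returns (ip_or_None, list_of_servers_asked)."""
    current, path = root, [root]
    for _ in range(max_hops):
        kind, value = servers[current].query(qname)
        if kind == "answer":
            return value, path
        if kind == "nxdomain":
            return None, path
        current = value          # follow the referral one level down
        path.append(current)
    raise RuntimeError("referral chain too long")


def resolve_via_forwarder(qname, servers, forwarder):
    """What a stub resolver does: ask whichever resolver DHCP handed out and
    trust the reply. An honest ISP resolver performs the iterative walk
    itself; a rogue one answers from the attacker's table."""
    srv = servers[forwarder]
    if srv.honest_recursive:
        return resolve_iterative(qname, servers)[0]
    kind, value = srv.query(qname)
    return value if kind == "answer" else None


def build_internet(compromised_auth=False, rogue_forwarder=False):
    """Constructed delegation chain: root -> .com -> example.com."""
    servers = {
        "a.root-servers.net": Server("a.root-servers.net",
                                     referrals={"com": "a.gtld-servers.net"}),
        "a.gtld-servers.net": Server("a.gtld-servers.net",
                                     referrals={"example.com": "ns1.example.com"}),
        "ns1.example.com": Server("ns1.example.com", answers={QNAME: LEGIT_IP}),
        # the resolver address the ISP's DHCP server hands to clients
        "dhcp-resolver": Server("dhcp-resolver", honest_recursive=True),
    }
    if compromised_auth:
        # the zone's own authoritative server has been taken over
        servers["ns1.example.com"].answers[QNAME] = ATTACKER_IP
    if rogue_forwarder:
        # a rogue DHCP server points clients at a resolver the attacker runs
        servers["dhcp-resolver"] = Server("dhcp-resolver", answers={QNAME: ATTACKER_IP})
    return servers


def compare(compromised_auth=False, rogue_forwarder=False):
    """Resolve QNAME both ways and report which client gets a tampered answer."""
    servers = build_internet(compromised_auth, rogue_forwarder)
    via_dhcp = resolve_via_forwarder(QNAME, servers, "dhcp-resolver")
    via_roots, path = resolve_iterative(QNAME, servers)
    return {
        "dhcp_client": via_dhcp,
        "root_hints_client": via_roots,
        "path": path,
        "dhcp_client_duped": via_dhcp != LEGIT_IP,
        "root_hints_client_duped": via_roots != LEGIT_IP,
    }


if __name__ == "__main__":
    cases = [("clean", {}),
             ("rogue DHCP resolver", {"rogue_forwarder": True}),
             ("compromised authoritative server", {"compromised_auth": True})]
    for label, kw in cases:
        r = compare(**kw)
        print(f"{label:34} dhcp-client={r['dhcp_client']:15} "
              f"root-hints-client={r['root_hints_client']}")
```

Running it prints three rows: in the clean case both clients get the real address; with a rogue DHCP-supplied resolver only the client that trusts DHCP is duped while the root-hints walk still ends at the genuine authoritative server; with the authoritative server itself compromised, both clients get the attacker's address because the root and TLD servers only hand out referrals and never the final answer. The model covers only those two attack points named in the thread; it says nothing about forged responses on the wire.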