» DNS - Roger's Information Security Blog

Posts tagged ‘DNS’

SPF Usefulness

May 31, 2010, 9:36 pm

The SANS ISC Handler Diary is asking for your experiences with SPF. Its funny timing because i just configured SPF for my domains last night. I’d been using SPF records previously, but when I left PowWeb for Dreamhost (which changed my authoritative DNS server) I didn’t set up SPF again.

I’m using Google as the mail server for my personal domains. Configuring SPF for google is pretty easy. Just create a txt record for v=spf1 include:_spf.google.com ~all. Like most SPF implementations, they recommend you use “~all” which tells the remote server the list of authoritative servers is merely information and not to reject mail based on this alone. I kind of wonder what use that is. But it seems to take more guts to use a “-all”.

To me, SPF is not exceptionally useful. It just seems like the only thing you can do to prevent yourself from being Joe Jobbed. Sadly through the years remote mail servers are more likely to allow backscatter than use SPF.
At the same time, its never shot me in the foot. ~all instead of -all is probably to thank. I have seen Hotmail headers that indicated that if I was using -all they would have blocked me. They just had a screwed up implementation that couldn’t handle “include” statements in SPF records. SPF is not well liked by *nix folk. It breaks .forward. It breakes mailing lists that send as the message poster.

Tags: DNS, Google, SANS, SPF
Category: Spam | Comment

OpenDNS SmartCache

April 29, 2009, 8:19 pm

OpenDNS blogged about a new feature called SmartCache
If you ask for a DNS resolution, and it can’t contact the authoritative DNS server or the server returns a SERVFAIL they will respond with the last known good IP address. They dub this “one of the most significant DNS innovations of the last 25 years.” It is a opt-in setting.
Hmmm.

Tags: DNS
Category: General | Comment

Virus Alerts and SEP 11 MR4

February 16, 2009, 1:06 pm

Since upgrading from SEP11 MR2 to MR4, my virus alert email to admins no longer works.
As a side note, SEP11 has never allowed me to include the path and file name in the virus notifications. They did allow that in SAV10 and earlier. This is a big step back.
Before the upgrade, the email was sent as system@servername. I believe my mailserver was helpfully making the servername fully qualified. The mail had no issues.
Since upgrading, the notifications are no longer getting through. According to the Symantec Knowledgebase, they did this on purpose.

As of SEP 11.0 Maintenance Release 3 (MR 3), a “.com” suffix has been addred (sic) to the “From:” address used by SEPM (SYSTEM@computer_name.com) which should help reduce rejections by the mail server.

Help reduce rejections? Help reduce rejections! How does sending mail as system@servername.com help? That is guaranteed to be rejected by anyone who verifies the sender is a valid domain name.
I’ve opened a case with support asking for them to fix this.
Symantec does not allow you to configure your own sender address in SEP11. They suggest you lower the security posture of your mail server by accepting email regardless of how invalid the From address is. Validating the envelope from domain is a common, easy antispam technique. I dont want to change it.
Looks like I need to add %Server_Name%.com to my internal DNS as a temporary workaround.
Another “improvement” in MR4.
UPDATE 2/17/09
See the comments, there is a way to do this afterall. I’ve asked Symantec to update the KB I referenced.

Tags: DNS, eMail, SEP, Spam, Symantec
Category: Antivirus | 3 Comments

CheckFree Attack

December 7, 2008, 11:35 am

Brian Krebs reports on a attack on CheckFree in todays Security Fix blog.
It looks like someone used phishing to get credentials for their Network Solutions account. Brian says “This may seem like a logical stretch, and perhaps it is.” I dont know about that. If they just phished the email address in the whois record they would probably get the right person.
Once they had the login credentials it was a quick update to change the authoritative DNS servers and redirect users to a malicious server.
Avivah Litan, a fraud analyst with Gartner seems to think that other (unnamed) security mechanisms should be in place besides username and password. “If all that’s protecting a bank’s Web site is a user name and password, that’s kind of like having a massive vulnerability in the core of the Internet,”
I’m not sure the solution is some call back mechanism where NetSol verifies the change request. Why is a user name and password supposed to be good enough to protect my stuff but not theirs.
I noticed that as of this morning CheckFree.com now shows clientUpdateProhibited in the whois record. I dont know enough about that to know if its a solution. The RFC says it means “ignore all updates except to turn off clientUpdate Prohibited”. That doesn’t sound like much defense.
While it is a reactive defense, it doesn’t cost much to monitor your domains so you are alerted about DNS errors and changes.
Also if Network Solutions had emailed a change alert to the address of record this could have been caught earlier as well.
To me the bottom line is personnel need to be trained not to fall for phishing attacks.

Tags: Brian Krebs, DNS, eMail, Passwords, Phishing
Category: General | Comment

DNS Inkblot test

July 20, 2008, 1:25 pm

So Donna thinks that PC World is a victim of DNS Cache Poisoning.
What is the attack here? pcworld.com DNS resolves to 70.42.185.10 which according to an IPWHOIS is their IP address.
So what if removespyware.ru resolves to the same address. Unless they can modify the routing, I dont see what they’ve accomplished other than getting Donna to add the IP the Outpost firewall blacklist while invoking the name Dan Kaminsky.
If a site “malware.r.us” has a reputation for serving malware, and they change their DNS to resolve that URL to my website, why should my website be blocked. The biggest security problem here is the denial of service instigated by the Outpost personal firewall against a innocent website.
I guess when you’re looking for a DNS cache poisoning attack, everything looks like a DNS cache poisoning attack.

Tags: AntiSpyware, DNS
Category: General | Comment

Verizon on DNS Vuln: Don’t Panic

July 16, 2008, 10:51 am

I’ve seen more than a handful of snarky posts linking results from http://www.doxpara.com’s DNS tester and complaining that their ISP is still vulnerable to DNS attack mere days after the patches were released.
The Verizon Business Security Blog has some good comments and reports they have recommended to their customers to patch within 30 days.

Tags: DNS
Category: General | Comment

Iconix Phishing Protection

June 9, 2008, 9:18 pm

A couple days ago I received email from Paypal titled “New PayPal Plug-In – Shop anywhere online.” That struck me as kind of suspicious so I looked at the mail headers. The headers showed the message did originate with Paypal’s servers, and more importantly it contained a domain key (DKIM). According to Wikipedia, “DomainKeys is an e-mail authentication system designed to verify the DNS domain of an e-mail sender and the message integrity” through the use of a cryptographic hash.
If I had to dive into the headers to determine the message validity, how would the normal user do? Are there mail clients that would have automatically verified DomainKeys and SPF for me?
A quick Google found a product called Iconix. Iconix works with Outlook, Outlook Express and a bunch of webmail providers (No Thunderbird support) to take the guesswork out of which messages are real.
Once installed, Iconix looks at SPF/SenderID and DomainKeys to determine message authenticity. Next it looks at message identification- this is a list of companies that have paid Iconix and registered with them. If both are verified, then the message’s “display From” will be altered to present a logo of the sending organizations choosing. This allows recipients to tell at a glance that the message is from who it says it is.
Iconix at first appeared to be a great solution. Its been reviewed in several trade publications. I didn’t immediately find anyone disparaging them online. Iconix is installed software. As such you do wonder a bit about privacy and security implications. Their FAQ does say that the sender’s email address is sent to Iconix.
The problem is that they only provide this service for the companies that have signed up. I would expect that they could validate the DomainKeys or SPF for anyone using those email technologies. While this product does solve my original question, “how can ma and pa kettle obtain a reasonable level of trust in email”, it only does so for companies that have paid Iconix. That is an extensive list, and it provides better assurance that SPF and DomainKeys alone could.
While Iconix is not available for Thunderbird, there are other solutions that plugin to Thunderbird for SPF and DomainKey validation.
- update – 6/11 – fixed above where I refered to Firefox when I meant Thunderbird. Firefox can be used just like IE in conjunction with Iconix at many webmail providers.

Tags: DNS, DomainKeys, eMail, Firefox, Google, Phishing, SPF
Category: Spam | 2 Comments

Grandcentral.com badness

May 20, 2008, 11:13 pm

looks like someone forgot to renew grandcentral.com. doh!

http://www.iptools.com/dnstools.php?tool=whois&user_data=grandcentral.com

Domain Name: GRANDCENTRAL.COM
Registrar: EASYDNS TECHNOLOGIES, INC.
Whois Server: whois.easydns.com
Referral URL: http://www.easydns.com
Name Server: NS1.EASYDNS.COM
Name Server: NS2.EASYDNS.COM
Name Server: NS6.EASYDNS.NET
Name Server: REMOTE1.EASYDNS.COM
Name Server: REMOTE2.EASYDNS.COM
Status: clientHold Updated Date: 20-may-2008
Creation Date: 19-may-1997
Expiration Date: 20-may-2008

Tags: DNS
Category: Offtopic | 2 Comments

The spam filter has run amok

January 12, 2008, 10:58 pm

My MovableType spam defenses have kind of run amok. It was letting through a ton of spam which led me to disable anonymous comments. For its next trick it decided to trash valid comments.
The first method used for trashing valid comments was a rule that http:// shouldn’t appear in the commenter’s name field. That wasn’t a problem until openID. The crappy OpenID plugin I’m using doesn’t put the OpenID displayname in the name field. Instead it pulls a URL including the name and the server. A quick tweak to the ruleset fixed that problem.
The next issue I found was when my own comments were getting blocked (when using a test account not my regular comment account which is set up as a trusted commenter). The Spamhaus zen filter was blocking me. Back in July, MovableType reported that one of the old blocklists was going away and they recommended using zen.spamhaus.org instead. Since I like spamhaus I accepted that recommendation uncritically. Now I find out that “ZEN is the combination of all Spamhaus DNSBLs into one single powerful and comprehensive blocklist to make querying faster and simpler. It contains the SBL, the XBL and the PBL blocklist”. The problem is the PBL is he policy block list. Its like the DUL. Its designed to prevent end users from sending mail directly to recipient mail servers. They should go through the ISP mail server. That is not the sort of list you should be using with HTTP. Endpoint computer should be browsing directly to my website and making comments.
A better Spamhaus list to use is the XBL. Be aware however that according to Spamhaus, “The XBL contains mostly dynamic IP addresses, meaning the user you would be blocking is probably not going to be the user with the exploited computer. Please do not block innocent users.”
You’re probably better off forcing the user to prove they are human with a Captcha rather than using (misusing) block lists.

Tags: DNS, Spam
Category: Housekeeping, Spam | Comment

AIM in Google Talk

December 5, 2007, 9:21 pm

Google has added AIM to Google Talk. For companies like mine, I’m not sure this is a good thing. We implemented IM security after one too many people got infected and the helpdesk was flooded with calls as their computer sent IMs to everyone in their buddy list. For other companies is a compliance issue rather than a security issue. They need to have IM logs.
Its pretty easy to protect the public IM clients using business solutions from Symantec, Akonix or Facetime. IM over HTTP is another matter. Google has always made it tough to block their GTalk over HTTP by integrating it with Google Mail. I haven’t yet heard of a way to block Google Talk without blocking Google Mail. Now they’ve added in AIM to the mix.
update
you can actually block google talk in gmail http://mail.google.com/support/bin/answer.py?hl=en&answer=34330 In DNS point chatenabled.mail.google.com to 127.0.0.1.

Tags: AIM, DNS, Google, Symantec
Category: General | Comment

Roger's Information Security Blog