DNS cache poisoning, 4004

Similar Messages

• DNS Cache Poisoning Signature

  Is there a signature available for the new Bind 9 DNS Cache Poisoning vulnerability/exploit.
  See reference
  http://www.securityfocus.com/bid/25037/info

  From our research on the subject, we do not believe a high-fidelity signature can be created to detect this attack. The nature of the traffic used in the attack is legitimate and as a successful attack requires some guess-work and timing, there are too many variables to detect any sort of pattern in the traffic used. The initial part of the attack occurs when a user accesses a malicious link. Standard user training should mitigate this vector if users avoid accessing unsolicited links. Updates are also available to patch systems. For more information, please see Intellishield alert number 13831:
  https://intellishield.cisco.com/security/alertmanager/basicSearch.do?dispatch=1&UID=13831
  We will continue to monitor the situation regarding this vulnerability and take appropriate action when necessary.

• WRT54G and CVE-2008-1447 (DNS cache poisoning vulnerability)

  Is the WRTG54 affected by the DNS cache poisoning vulnerability described in CVE-2008-1447 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447)?
  If so, can we expect a patch, and when? Are there any steps we can do to protect ourselves from attack in the meanwhile?
  Many thanks,
  RogerB

  No, I have an acceptable external DNS provider.
  Both my XP and Debian PCs required software updates for CVE-2008-1447 according to the Microsoft and Debian websites. This suggests that the router may need similar attention, particularly as it resolves hostnames to IP addresses for me on my home network. For all I know, it may even be based on Debian (I know that routers include GPL software which requires Linksys to publish several megabytes of GPL code).
  To rephrase my question, does the firmware on the WRT54G include programs such as BIND9, which are affected by CVE-2008-1447? If so, when can we expect an update for the firmware which includes fixes for any such programs?
  As a follow on question, if the firmware does require updating, are there any settings that I can change, or actions that I can avoid, to ensure my home network remains safe from a DNS cache poisoning attack in the meantime?
  Many thanks,
  RogerB

• DNS cache poisoning flaw

  see: http://www.computerworld.com/action/article.do?command= viewArticleBasic&articleId=9108378&intsrc=news_ts_head There are pleny of other articles out there, too... Is this (or are other) router(s) affected in any way by this? I mean, is there DNS software that needs patching? And if so, when might it be available? Apologies if this is a particularly ignorant question. I'm not too bad with a PC generally, but when it comes to networking, I'm just not too bright. TIA. Take care, and peace.

  I ran the DNS test (http://www.doxpara.com/?p=1176), on the website of the person who discovered this security hole, and the test indicates that while my ISP has fixed their DNS, my Linksys wireless router (WRT54G) is compromised. Specifically, the test reports:
  Your name server, at 68.238.128.37, may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 50.
  I have been unable to located any information on the Linksys site that indicates a plan to release new firmware for Linksys routers. The only links I have found point to Cisco, where the plan is to fix their "heavy iron" routers.
  Can someone from Linksys comment on plans to fix the Linksys router firmware base?

• ARP Cache Poison reported in Norton AntiVirus for Mac

  The MAC address from my new gen Apple TV is being tagged from Norton Antivirus as sending an ARP Cache Poison. Anything to care about, folks?

  DNS cache poisoning affects certain versions of named and is used by miscreants to redirect access requests to sites they control. It's likely that the warning you're receiving is a false alarm, but it could be valid if either your computer or your ATV has been compromised.
  Check Norton's web site or contact their technical support to be sure. It's not a warning I would simply ignore, as it would indicate a serious security breach if it's valid.

• Clear DNS cache

  How can I clear the DNS cache?
  When I configure my webserver and change the records, I have to wait the time configured in the ttl of the specific record. I know, that I can change the ttl to a lower value, but the default value is 3 hours, so i have to wait until the time's up.
  I checked the DNS records with dig (from dnsutils). dig also shows the remaining seconds until the next refresh (dns server request). And here's my question: How can I refresh it manually? (tried a lot from the internet, but nothing helped)
  Thank you guys!
  Last edited by gummiflummi (2014-12-16 20:41:53)

  brebs wrote:Woah right there. Why do you need to *change* the records? Shouldn't happen often.
  Other than the answer stated (to test DNS settings), you might want to change records for a (self-hosted) DynDNS service. If you want a device to updated its DNS entries while being connected to a shaky cellular network, those changes might occur frequently with changing IPs.
  To the original poster: You should always set the TTL to a reasonable setting. If you didn't change the record for the last two years, then maybe a TTL of several hours (or even a day) might be OK. If you want to be able to react more quickly to emergency situations, set it lower. For a DynDNS service, TTLs below a minute might be appropriate.
  If you want to test your DNS Server, you can always query it directly (bypassing your ISP's DNS servers) with a command like this (where 1.2.3.4 is the IP of your nameserver):
  dig @1.2.3.4 your.entry.example.com
  This will usually show you the new settings right after changing.

• Possible DNS caching problem

  I just upgraded to Lion. I am a web deveoper and I just changed the DNS settings for a new website. While everyone else in my office is seeing the new wesite at the domain, I am stuck seeing the old. I have tried the DNS cache flushing techniques below (in addition to restarting, clearing cache, etc), but none have helped:
  sudo killall -HUP mDNSResponder
  dscachutil -flushcache
  In the terminal 'host domain.com' still points to the old server too.
  Seems like OSX is holding on to the old DNS settings. Any ideas?

  Select  ▹ System Preferences ▹ Network ▹ Advanced ▹ Proxies. If any boxes are checked, uncheck them, apply your changes, and try again.  You must apply the changes before they take effect.

• How to Flush DNS Cache in Mavericks 10.9.3

  So I have seen references to the following when searching for a cmd to flush DNS
  sudo killall -HUP mDNSResponder and sudo dscacheutil -flushcache
  Which one is proper for Mavericks 10.9.3?

  Mountain Lion, but should be applicable to Mavericks.
  DNS cache - Reset

• Flushing the DNS cache

  I'm having trouble with a Web site when I access it on my home computer, yet this same site looks fine on my Mini at work. One section of the index page generates a "can't find server" error, and the site's own logo won't display properly. It is a free hosting site. Sometimes I can upload files to it, other times I get a can't-find-server error when I try.
  In answer to my query about this (to which I helpfully attached a screenshot of the incompletely loaded index page and its error messages), the host is telling me that I should "flush my DNS cache," which they say involves going into Terminal and giving the command "ookupd -flushcache" [sic]. (I've already surfed this briefly and the first result confirmed my suspicion that this doofus hasn't mastered copy-and-paste technique and the command actually should be "lookupd- flushcache".)
  It's not just that their site doesn't load fully, though. They have some stuff on one of their pages that they encourage users to hotlink on personal Web sites, and I have done that with one of their banners. The banner, which was fine for months, now appears on my page as a broken icon, too, although it, like the site's home page, loads fine on my computer at work.
  My first question is, is there any harm in flushing the DNS cache? The OS Daily page where I think they copied this advice from makes it sound like this is something only a Web server would need. If I do it on my home machine, could it cause problems? Could it disable my Internet connectivity?
  Second, less urgent question, more for the netgeeks out there: Do you think this is a likely solution to my problem? Especially considering that the problem involves not only their site but an element on an external site linking back to them? I hate to play the sucker for some low-level geek whose main mission is to deflect my query.
  Thanks
  Kathi

  Kathi--
  Like BDAqua says, there's nothing to worry about flushing the DNS cache. It's true that most people probably don't need to do it very often, but it's something easy and harmless to try, and it might well fix problems like yours.
  One handy feature of Safari, even if you don't use it for anything else, is the "Activity" window. Open it from the "View" menu, and watch as your page loads. You can see exactly which components on the page are loading, which aren't and where they should be coming from. If you double-click an element in that list, Safari will try to open it in a new window. That is sometimes enough to give a clue as to why something isn't working.
  You can use Safari's activity list along with the Network Utility from your Utilities folder to try to figure out why you're not getting the page elements. Suppose a graphic is listed as coming from http://www.server1.com/images/logo.jpg, but it's not loading.
  First thing I would try in the Network Utility is to see if it will respond to pings. From that example, enter "www.server1.com" on the "Ping" page of the Network Utility and see if it answers back.
  To find out if it's a DNS problem, you can use Safari's list to get the addresses of the problem elements, then see if the IP addresses match up on your computer at home to the one at work. If they don't, then it could be stale DNS.
  You can use the Network Utility for DNS lookups, but I think they're hard to read, and, since you're already thinking about using the Terminal to flush the DNS cache, you can use nslookup. It's really simple:
  <pre class="command">nslookup www.apple.com</pre>
  Will give you something like this (the first two lines will likely be different):
  Server: 208.67.222.222
  Address: 208.67.222.222#53
  Non-authoritative answer:
  www.apple.com canonical name = www.apple.com.akadns.net.
  Name: www.apple.com.akadns.net
  Address: 17.251.200.32
  If the addresses don't match, or you get a message that it can't find anything for your server, then you know it's a DNS problem. Perhaps they've changed some addresses and your home ISP's DNS servers themselves aren't updating.
  You can even use nslookup to see what different DNS servers say about an address. Just add the IP address of a DNS server after the address you want to look up:
  <pre class="command">nslookup www.apple.com 208.67.220.220</pre>
  Just do a search on the 'net for free DNS servers, and you'll find a bunch to choose from.
  charlie

• How can I clear the DNS cache?

  I haven't been able to connect to my local Library since January.  When I key in the URL, it starts the access routine and then after about 20 minutes, I have to kill it because nothing happens.  I contacted the IT folks at the library and was told that they had made a few changes around the time my problem began so maybe the DNS cache was still pointing at the old info.  He recommended that I enter TERMINAL mode and try to clear the DNS cache, using  "sudo dscacheutil -flushcache" command.   .  I attempted this several times, even changing my applid password, and kept getting invalid responses.

  I did try that and after a few trys it finally worked.  It took quite awhile for the window for the library to finally come up, but it did and I am now able to get in and out with no problems with my library access.  Now when I call up my bank, parts of it don't come up and it kicks me out.  Now, I'll have to search for what fixes that - as it has happened before, so I know it's fixable.  Thanks for you help though.

• ARP cache poison

  i hope that this is the correct forum, apologies if it is not.
  I constantly get a Norton "vulnerability blocked" notification because of ARP cache poison. I am assuming that this is a function of my OS, if not I will contact Symantec. Does anyone know how to get rid of this annoyance short of disabling Norton?

  Remove Norton. It's a known troublemaker on Macs and there's very little for it to find - no viruses and only a few easy-to-avoid trojans. See my [Mac Virus guide|http://www.reedcorner.net/thomas/guides/macvirus> for more information.
  If you're worried about your security on the network against hackers, make sure your machine is hidden behind a router. If you're using a wireless network, you're already hidden behind a router, but make sure you're using WPA encryption on that network with a good password.

• ARP cache poisoning detection disabled

  I recently checked all the messages in the console and found the following error message: Could not enable ARP cache poisoning detection. Your computer will not be protected. This message is logged every time I turn on the computer. I am assuming this problem started when I upgraded to Mac OS 10.5.6 since I have never seen this message before and it does not appear on my other machine that is still on Mac OS 10.5.5. Is anyone else getting this message?? Is there any way to resolve this issue so that my computer will be protected? Is Apple aware of this problem and is perhaps working on a fix??

  Do a google search for *'ARP cache poisoning detection'* and read the various hits.

• ARP cache poisoning error

  Hi all,
  I've googled and searched these discussions, but I can't find any pertinent info on this topic, so here's my question...
  While looking into another issue, I noticed that my system.log had logged an error that concerned me:
  *"Aug 4 12:03:52 localhost kernel[0]: Could not enable ARP cache poisoning detection. Your computer will not be protected."*
  This message appears to only be logged on startup, and has been logged numerous times.
  Does anyone know why this protection is disabled, and how I can re-enable it, if that's even possible (or necessary)?
  Thanks!

  Do a google search for *'ARP cache poisoning detection'* and read the various hits.

• ARP Cache Poison behavior by Apple TV

  Norton Anti-Virus reports blocking an ARP Cache Poison attack against my home network.  The reported source of the attack is the MAC number of the Apple TV on the network.
  Whether Norton is "reliable" is apparently contentious in the support community.  Several authors suggest, with authority, disabling Norton or the particular attack profile.
  Whether that makes sense depends on what the Apple TV is innocently doing to be profiled as a network attack. 
  Even when supposedly "asleep" the Apple TV is doing something that meets the profile of an ARP Cache Poison attack.  It did it every 30 minutes today, nine times yesterday, about 30 times day before and etc. 
  And if it is a design feature of the device, why is the device still performing despite having the activity continously blocked?  What is the purpose of this attack-like activity, assuming it is not an attack?  If it is an attack, how does one erase the programming initiating the attacks and still have an Apple TV?

  Short answer: it is a false positive.  I don't know exactly what causes it but I would guess Apple's Bonjour protocol, which is why you see something every 30 minutes.  That's just a blind guess, but seems to fit.
  Realize that a report of ARP poisoning wouldn't be likely on a private LAN, unless you got infected somehow.  No known malware like this for iOS devices (and much harder to insert one on AppleTV versus an iPhone or iPad.)  There are legitimate cases where ARP spoofing is used.  And even Cisco has instances where they say to ignore that warning:
  CSCsm25943—The meaning of the following error message on the controller is not clear. This message does not necessarily imply that any actual "ARP poisoning" is occurring. Rather, this message appears when a WLAN is configured for DHCP Required and a client (after associating to this WLAN) transmits an ARP message without first using DHCP. The client is unable to send or receive any data traffic until it performs DHCP through the controller.
  DTL-1-ARP_POISON_DETECTED: STA [00:01:02:0e:54:c4, 0.0.0.0] ARP (op 1) received with
  invalid SPA 192.168.1.152/TPA 192.168.0.206
  Workaround: Perform the following steps:
  • Verify that the client eventually does perform DHCP without undergoing an unacceptable outage. If the outage before performing DHCP is acceptable, then you can ignore this message.
  I'm not saying that Norton's message is the same as Cisco's.  Just that Cisco states that the meaning of why the message appears is not clear and sometimes is acceptable.  And Cisco is the world leader in networking technology so if they don't always know why you get an ARP poisoning warning....
  I won't go into the politics of "Norton bad" or whatever, but based on my experience (bias) with Norton in it's various forms for over 10 years, IMHO you can ignore this.  Hopefully you can configure Norton to selectively ignore this.  If not, you may have to use a different security program.  Me personally, I do not recommend any "security suites" because they cause exactly this kind of additional headache.  Just a "plain" antivirus program.  Windows has a built-in firewall and most people will be using a hardware firewall at the office or home so the firewall in the "security suite" is extraneous.

• Export DNS cache

  After searching around, I've found a ton of posts about clearing DNS Cache, but what I'm actually looking for is a way to export the DNS cache out of bind to some sort of text file. Basically, I'm hoping to build a static dns cache lookup file to use with AWStats, and wanted to see if it was worthwhile using entries from the several DNS servers we having running.

  Hi Alex
  rndc dumpdb should do.
  Regards
  --greg