Google recently launched a public DNS service similar to the popular service over at OpenDNS, you can find it on Googlecode here – http://code.google.com/speed/public-dns/.

The first obvious reaction for the infosec crowd (with all the recent DNS flaws), is to question the security of the Google DNS service.

HD Moore has done some good analysis on the service as outlined below.

Yesterday, Google launched its new Public DNS service. Among the benefits that Google is claiming for the new service is that it helps to secure DNS for users. Is that an accurate claim?

One of the big issues that security researcher Dan Kaminsky disclosed about DNS insecurity in 2008 was that DNS request information isn’t quite as random as it should be. The way DNS works is that each DNS request is supposed to carry with it a random number transaction ID. But it turns out that the random number is only one out of 65,000. DNS is at risk when there isn’t enough randomization and a hacker can ‘guess’ the number.

So is Google’s Public DNS random enough? I got a comment from famed security researcher, H D Moore on that point. Moore knows what he’s talking about when it comes to DNS exploits as his Metasploit tool was among the first to have a weaponized version of the Kaminsky DNS flaw.

It seems like the port allocation of the Google DNS system is adequately random even though it’s drawing from a fairly small port range.

So the claims this could be a more secure DNS server for most systems are true, it will protect against DNS cache poisoning attacks at least.

Moore has now put together a mapping of Google’s source port distribution on the Public DNS service. In his view, it looks like the source ports are sufficiently random, even though they are limited to a small range of ports.

According to HD, it looks like Google’s focus on security might be on the right track and the DNS could be good at preventing cache poisoning attacks.

His sample size is only 10,000 requests here, which isn’t a huge number but does give a decent sample in my view. He has also graphed source ports, transaction IDS and a comparison of source ports to those transaction IDs.

I’ll switch over from OpenDNS and give the Google system a try, maybe it’ll reduce the lag time a little.

If anyone else is already using it, do share with us your thoughts in the comment section below.

Source: Internet News (Thanks Navin)

An interesting happening this week, some ISP’s have been jacking the DNS entries for certain IRC networks to crack down on zombie/bot infections.

Is it ethical? Should they be doing this to their users?

I first got wind of this from a post on Full Disclosure mailing list from an IRC network administrator.

You can read that e-mail here:

Major ISPs arbitrarily blocking IRC and hijacking DNS entries

Internet service provider Cox Communications is reportedly diverting attempts to reach certain online chat channels and redirecting them to a server that attempts to remove spyware from the computer. By doing so the company seems to be attempting to cleanse computers of malware that hijacks the computers resources to send spam and participate in online service attacks as part of a large network of compromised computers known as a botnet.

Specifically, Cox’s DNS server is responding to a domain name request for an Internet Relay Chat server. Instead of responding with the correct IP address for the server, Cox sends the IP address of its own IRC server (70.168.70.4). That server then sends commands to the computer that attempt to remove malware.

They seem to run some kind of script when the user connects to try and ‘clean’ the machine from infection….even if it’s not infected.

IRC is still used heavily, I don’t really use it much anymore apart from Freenode. The Darknet channel used to be on DALnet back in the day.

Freenode is pretty happening for open source projects though.

Though clever, the tactic is being heavily debated by networking experts on the NANOG mailing list, some of whom question the effectiveness of the technique and who question whether blocking access to the channels for all users (by breaking the DNS protocol) in order to stop some malware is the appropriate solution. Cox does not seem to be blocking all IRC channels, but anyone trying to reach those channels using Cox’s DNS servers will be unable to reach them.

IRC channels are heavily used by programmers, non-traditional communities and black-hat hackers, among others. The malware-infected zombie computers Cox is attempting to clean can also be controlled remotely by having them connect to an IRC channel where they get instructions from their controller.

Interesting stuff eh?

I’m not really sure where I stand ethically on this…what about you?

Source: Wired Blog

AccessDiver is a security tester for WEB sites. It incorporates a set of powerful features which help you find and organize failures and weaknesses from your web site.

AccessDiver can detect security failures on your web pages. It has multiple efficient tools which will verify the robustness of your accounts and directories accurately. So, you will know if your customers, your users and yourself can safely use your web site.

Here is a quick list of the features available:

• Contains fast security that uses up to 100 bots to do its analysis.
• Detects directory failures by comparing hundreds of known problems to your site.
• AccessDiver is fully proxy compliant and has a proxy analyzer (speed / anonymity) and a proxy hunter built-in.
• A built-in word leecher helps you increase the size of your dictionaries to expand and reinforce your analysis.
• A powerful task automizer manages your jobs transparently. You can tackle unlrelated tasks while Accessdiver is working, saving you time.
• An on-the-fly word manipulator lets you increase the strength of your dictionaries easily when doing your analyzis.
• A PING tester is included to tell you the efficiency of your site and the efficiency of an Internet address you would like to access.
• A DNS resolver lets you look up the host name of an IP address and reverse the process to learn an unknown host name.
• A feature called ‘HTTP debugger’ helps your understanding of how actual HTTP protocol works. It opens up the process so you see what really happens during a connection problem.
• A WHOIS gadget lets you retrieve owner information of a domain name (in case you would like to buy the domain or contact the actual owner).
• An update notifier automatically tells you when a new version of AccessDiver is available.

You can find out more here and download AccessDiver here:

AccessDiver

TXDNS 2.0.0 has been released.

TXDNS is a Win32 aggressive multithreaded DNS digger. Capable of placing, on the wire, thousands of DNS queries per minute. TXDNS main goal is to expose a domain namespace trough a number of techniques:

• Typos
• TLD rotation
• Dictionary attack
• Brute force

This new version features a distributed model which further boosts TXDNS’s parallelism and performance. This model allows a TXDNS client to send jobs to a TXDNS server over a clear or encrypted TCP channel.

For example, to put a TXDNS host on listening mode:

> txdns -l

By default TXDNS listens on port 5353. On the client side you may postany query jobs by appending ‘-c xx.xx.xx.xx’ to the regular query syntax (where xx.xx.xx.xx is the host’s IP running TXDNS on listening mode), for example:

   > txdns foo.com -rt -t -c xx.xx.xx.xx

Using -cr instead of -c will force the TXDNS server to redirect all output to the client, so basically you get the results from the server’s job right on the client console. Note that file system streams are not redirected, which means that any file switches (-f or -h) will still have the remote host as root reference.

To encrypt all the traffic between the client and the server just append ‘–key ‘ to the regular syntax on both the client and server.

A new –countdown option has been added as a very basic synchronization mechanism, and by default, any jobs, no matter remote or local will now delay for 5s before firing. If you want to bypass this countdown delay you’ll have to add ‘–countdown 0′.

You can read more and download at:

http://www.txdns.net

China are moving further away from the rest of the world when it comes to the Internet, taking control, making sure information doesn’t get out and making sure other people don’t have access to anything behind the Great Firewall of China.

China’s Ministry of Information Industry (MII) has made adjustment to China’s Internet domain name system in accordance with Article 6 of China Internet Domain Names Regulations.

After the adjustment, “.MIL” will be added under the top-level domain (TLD) name of “CN”.

A new Internet domain name system will take effect as of March 1 in China.

A pretty extensive system.

There’ll be 34 domain names for the organizations of China’s provinces, autonomous regions, municipalities directly under central government, and special administrative regions. They are mainly composed of the first letters of the Romanized spelling of the names of the regions, for example Beijing’s domain name is “BJ” and Shanghai’s is “SH”.

Source: People’s Daily Online