DNS Insecurity

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Several DA users have noticed a functional bug in how BIND implements DNS.

This is NOT a bug in DirectAdmin. It's a bug in how DNS operates.

There are at least 114 DNS-related RFC documents, and for any one person to understand all of them would be asking a lot. You can see links to all the DNS-related RFCs here.

According to working DNS standards, the only way to delegate a DNS zone to a server should be through NS records beginning at the root zones. And for second-level domains (example.com, for example) that works as it should.

The problem occurs when you create a subdomain. A true subdomain should have its own zone. And according to RFCs, the proper way to delegate authority to subzones is to place NS records into the parent zone, pointing to the name server that should have authority for the sub zone.

And this is secure, as even if I (for example) create a zone "orders.microsoft.com" I can't use it because since Microsoft hasn't delegated the authority to me by listing my nameservers in their parent zone file, no one on the Internet can find my zone and my domain.

But there's a major functional bug in BIND that allows me to create a seemingly valid domain "orders.microsoft.com" under certain circumstances.

This bug exists in BIND9 (as installed in implementations of BIND used on DirectAdmin), and perhaps in all other versions of BIND as well.

Simply put, if both the parent zone and the subzone exist on the same server, and the parent zone is authoritative, then the subzone will be authoritative too, even though there's no delegation in the zone.

This was brought to my attention several days ago by Rob of Matrixx hosting, who saw the problem on his DA server and asked me if I recognized it as a DA bug.

Since then, he, and I, and Onno of Resolve-It, have been studying the issue. Onno and I are also working on a script we'll be freely distributing that you can run regularly through cron to warn yourself of subdomains on your server.

The danger can best be summed up by Paul Cowper who posted this morning:
I was logged into DirectAdmin today as I do everyday. But I noticed a user had added a new domain. Only thing is that this domain was a subdomain of my own.

I also tried to replicate this by adding a subdomain and DirectAdmin had no problem adding this into the DNS.

This is not a DirectAdmin problem; it is a BIND problem.

As long as this problem exists any of your users who know of the problem will be able to create a subdomain of any domain they know to be on your server, whether or not they own the right to the domain.

They'll also be able to purchase an SSL Certificate for any subdomain from either GeoTrust (FreeSSL) or Comodo, because neither have proper safeguards in place to prevent the SSL Certificate purchase.

We're working on several ways to help your security until this bug is fixed by isc.org, the authors of BIND.

Within a day we should have a script available which you can run against your named.conf file to check for subdomains against domains which exist on your server.

We'll also be offering limited-time free DNS hosting for your own site, in a more secure environment (remember, no shared DNS hosting environment is completely secure); hopefully this will help you until BIND is patched to eliminate the bug.

We'll also be testing other DNS servers besides BIND to see if they have the same problem.

Jeff
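As an added illustration of the named.conf check described in the post (this is not the script Jeff and Onno were writing, nor any DirectAdmin code), the Python below lists every zone the server is master or slave for, flags any zone that is a subdomain of another such zone, and checks whether the parent's zone data carries the NS delegation the RFCs call for. The named.conf fragment and zone-file text are constructed samples; the zone names in them are placeholders.

```python
import re

# Constructed named.conf fragment: two undelegated subzones sit beside their parents.
SAMPLE_NAMED_CONF = """
zone "example.com" { type master; file "/var/named/example.com.db"; };
zone "orders.example.com" { type master; file "/var/named/orders.example.com.db"; };
zone "other.net" { type slave; masters { 192.0.2.1; }; file "/var/named/other.net.db"; };
zone "sub.deep.other.net" { type master; file "/var/named/sub.deep.other.net.db"; };
zone "." { type hint; file "named.ca"; };
"""

# Matches a zone statement up to its first closing brace; the "type" option is
# expected before any nested block (allow-transfer, masters, ...), which holds for
# the sample and for typical DirectAdmin-generated named.conf files.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*(?:IN\s*)?\{([^}]*)', re.IGNORECASE | re.DOTALL)


def parse_zones(conf_text):
    """Return {zone_name: zone_type}; names lowercased, trailing dot removed."""
    zones = {}
    for name, body in ZONE_RE.findall(conf_text):
        m = re.search(r'\btype\s+(\w+)', body, re.IGNORECASE)
        zones[name.lower().rstrip(".") or "."] = m.group(1).lower() if m else "unknown"
    return zones


def find_subzones(zones):
    """Return [(subzone, nearest parent)] where this server is authoritative for both.

    This is exactly the condition the post describes: a parent zone and a subzone
    loaded on the same BIND server, so the subzone answers without delegation.
    """
    authoritative = {n for n, t in zones.items() if t in ("master", "slave") and n != "."}
    hits = []
    for name in sorted(authoritative):
        labels = name.split(".")
        for i in range(1, len(labels)):          # a.b.c.com -> b.c.com, c.com, com
            parent = ".".join(labels[i:])
            if parent in authoritative:
                hits.append((name, parent))
                break
    return hits


def delegated_in_parent(parent_zone_text, subzone, parent):
    """True if the parent's zone data holds NS records for the subzone (the RFC delegation)."""
    rel = subzone[: -len(parent) - 1]             # "orders" for orders.example.com
    owner = r'(?:' + re.escape(rel) + r'|' + re.escape(subzone) + r'\.?)'
    pat = re.compile(r'^\s*' + owner + r'\s+(?:\d+\s+)?(?:IN\s+)?NS\s+\S', re.I | re.M)
    return bool(pat.search(parent_zone_text))
```

A cron job would run `find_subzones(parse_zones(open("/etc/named.conf").read()))` and, for each hit, call `delegated_in_parent` with the parent's zone file contents, reporting any subzone for which it returns False.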