Temporary workaround for SAD DNS
Ahead of Linux’s patch taking effect, BlueCat Labs has a temporary workaround for protecting against the revived Kaminsky DNS cache poisoning attack.
Recently, researchers identified a new way to carry out the Kaminsky DNS cache poisoning attack. Its name is SAD DNS, short for Side-channel AttackeD DNS.
Linux developers have made a change to block this. But it was only introduced into the kernel on October 16, 2020. It may be a while before the change is adopted across most systems, David Maxwell, BlueCat’s Software Security Director, told BleepingComputer.
For BlueCat customers: The customer care portal contains a KI article (KI-024626) that BlueCat is keeping up to date. BlueCat is continually assessing the risk to you and your BlueCat products and suggested steps to take.
For the rest of the community running public BIND-based DNS servers: There is a viable workaround. Linux’s change, once implemented, will randomize ICMP rate limits to stop an attacker from abusing the static rate value to identify a port number. You can achieve a similar outcome with a small shell script.
BlueCat’s GitHub repository, BlueCat Labs, now contains the script that members of the broader community can use to randomize ICMP rate limits and reduce risk against SAD DNS.
In addition, BlueCat recommends implementing DNSSEC. BlueCat has also noticed some advice on the internet suggesting to block ICMP altogether; BlueCat recommends against this.
Published in:
BlueCat provides core services and solutions that help our customers and their teams deliver change-ready networks. With BlueCat, organizations can build reliable, secure, and agile mission-critical networks that can support transformation initiatives such as cloud adoption and automation. BlueCat’s growing portfolio includes services and solutions for automated and unified DDI management, network security, multicloud management, and network observability and health.
Related content
Stay ahead of network issues with real-time metrics with BlueCat Integrity X
Get real-time DNS, DHCP, and IPAM metrics with BlueCat Integrity X. Detect issues early using native Prometheus telemetry and proactive DDI observability.
Adding business context to DDI with tagging in BlueCat Integrity X
Add business context to DNS, DHCP, and IPAM with tagging in BlueCat Integrity X. Improve visibility, automation, and governance across complex networks.
Security Insights for network security at the edge without complexity
For LiveWire and LiveNX users, analyze flow and packet telemetry for faster threat detection, stronger forensics, and shared visibility.
Network observability maturity stuck? Learn how to pull ahead
In EMA and BlueCat’s new report, learn about the five-stage Network Observability Maturity Model and how your enterprise can move along it.