Temporary workaround for SAD DNS
Ahead of Linux’s patch taking effect, BlueCat Labs has a temporary workaround for protecting against the revived Kaminsky DNS cache poisoning attack.
November 13, 2020
Recently, researchers identified a new way to carry out the Kaminsky DNS cache poisoning attack. Its name is SAD DNS, short for Side-channel AttackeD DNS.
Linux developers have made a change to block this. But it was only introduced into the kernel on October 16, 2020. It may be a while before the change is adopted across most systems, David Maxwell, BlueCat’s Software Security Director, told BleepingComputer.
For BlueCat customers: The customer care portal contains a KI article (KI-024626) that BlueCat is keeping up to date. BlueCat is continually assessing the risk to you and your BlueCat products and suggested steps to take.
For the rest of the community running public BIND-based DNS servers: There is a viable workaround. Linux’s change, once implemented, will randomize ICMP rate limits to stop an attacker from abusing the static rate value to identify a port number. You can achieve a similar outcome with a small shell script.
BlueCat’s GitHub repository, BlueCat Labs, now contains the script that members of the broader community can use to randomize ICMP rate limits and reduce risk against SAD DNS.
In addition, BlueCat recommends implementing DNSSEC. BlueCat has also noticed some advice on the internet suggesting to block ICMP altogether; BlueCat recommends against this.
Published in:
BlueCat is the Adaptive DNS company. The company’s mission is to help organizations deliver reliable and secure network access from any location and any network environment. To do this, BlueCat re-imagined DNS. The result – Adaptive DNS – is a dynamic, open, secure, scalable, and automated DDI management platform that supports the most challenging digital transformation initiatives, like adoption of hybrid cloud and rapid application development.
Related content
Get fast, resilient, and flexible DDI management with Integrity 9.6
With Integrity 9.6, network admins can get support for new DNS record types, architect and configure multi-primary DNS, and automate IP assignments.
Deepen your security insight with Infrastructure Assurance 8.3
BlueCat Infrastructure Assurance 8.3, with an enhanced analytics dashboard, including interactive widgets and top 10 alerts, is now available.
Security, automation, cloud integration keys to DDI solution success
Only 40% of enterprises believe they are fully successful with their DDI solution. Learn how to find greater success with new research from EMA and BlueCat.
Our commitment to Micetro customers and product investment
From CEO Stephen Devito, a word on BlueCat’s ongoing commitment to supporting Micetro customers and Micetro’s evolution as a network management tool.
Seven reasons to rethink firewall monitoring and boost automation
With BlueCat Infrastructure Assurance, you can better protect your network with automated alerts and suggested remedies for hidden issues in your firewalls.
Five ways to avert issues with BlueCat Infrastructure Assurance
By flagging and notifying you of hidden issues before they cause damage, you can go from reactive to proactive in your Integrity DDI environment.