Temporary workaround for SAD DNS

Ahead of Linux’s patch taking effect, BlueCat Labs has a temporary workaround for protecting against the revived Kaminsky DNS cache poisoning attack.

Recently, researchers identified a new way to carry out the Kaminsky DNS cache poisoning attack. Its name is SAD DNS, short for Side-channel AttackeD DNS.

Linux developers have made a change to block this. But it was only introduced into the kernel on October 16, 2020. It may be a while before the change is adopted across most systems, David Maxwell, BlueCat’s Software Security Director, told BleepingComputer.

For BlueCat customers: The customer care portal contains a KI article (KI-024626) that BlueCat is keeping up to date. BlueCat is continually assessing the risk to you and your BlueCat products and suggested steps to take.

For the rest of the community running public BIND-based DNS servers: There is a viable workaround. Linux’s change, once implemented, will randomize ICMP rate limits to stop an attacker from abusing the static rate value to identify a port number. You can achieve a similar outcome with a small shell script.

BlueCat’s GitHub repository, BlueCat Labs, now contains the script that members of the broader community can use to randomize ICMP rate limits and reduce risk against SAD DNS.

BlueCat Labs ICMP rate limit script screenshot

In addition, BlueCat recommends implementing DNSSEC. BlueCat has also noticed some advice on the internet suggesting to block ICMP altogether; BlueCat recommends against this.

Heading into the cloud?

See how your network can thrive in the complexity of the cloud.

Find answers to all your cloud-related questions.

Access cloud resources

Read more

NSA and CISA: Protective DNS key to network defense

U.S. cyber agencies now point to protective DNS as a defense strategy, confirming what BlueCat already knew: DNS is critical to detecting network threats.

Read more
BlueCat Integrity 9.3: Deliver DNS like a boss

With the BlueCat Integrity 9.3 release, network admins can get more audit data, manage complexity, and ramp up automation, without compromising performance.

Read more
Yes, you can optimize DNS routing for global SaaS use

Routing DNS for SaaS can lead to latency, non-local results, and messy internet breakouts. With BlueCat, optimize SaaS delivery and gain full DNS control.

Read more
Yes, you can tame hybrid cloud DNS traffic jams

Admins often use messy conditional forwarding DNS rules to fill hybrid cloud gaps. With BlueCat, automate and gain control over your data pathways.

Read more