FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- DNS cache poisoning

Affected packages
6.3 <= FreeBSD < 6.3_3
7.0 <= FreeBSD < 7.0_3

Details

VuXML ID 655ee1ec-511b-11dd-80ba-000bcdf0a03b
Discovery 2008-07-08
Entry 2008-07-13
Modified 2016-08-09

Problem Description:

The BIND DNS implementation does not randomize the UDP source port when doing remote queries, and the query id alone does not provide adequate randomization.

Impact:

The lack of source port randomization reduces the amount of data the attacker needs to guess in order to successfully execute a DNS cache poisoning attack. This allows the attacker to influence or control the results of DNS queries being returned to users from target systems.

Workaround:

Limiting the group of machines that can do recursive queries on the DNS server will make it more difficult, but not impossible, for this vulnerability to be exploited.

To limit the machines able to perform recursive queries, add an ACL in named.conf and limit recursion like the following:

acl example-acl {
   192.0.2.0/24;
};
options {
	recursion yes;
	allow-recursion { example-acl; };
};

References

CERT/CC Vulnerability Note 800113
CVE Name CVE-2008-1447
FreeBSD Advisory SA-08:06.bind