DNS Patch

[philbot500]

Just started a new contract.

I have just managed to persuade them that they need to patch for the Kaminsky DNS problem. They turned around and said "Okay, you do it. It's on your shoulders."

I'm a bit worried!

It's a 2k3 domain with Exchange, DC, DNS, DHCP ctc on 6 boxes.

I'm kind of thinking that if I apply this patch (MS08-037) it might try and use ports that other services are listening on. This would cause a problem.

Am I right in thinking that if DNS doesn't get an answer on UDP it will try again on TCP? If so are TCP ports randomised in this patch?

The only way out thet I can see is to limit the ports that are randomised.

If I tell it to only choose between 256 ports to randomise I should still have the 16 bit txID plus the 8 bits from the port randonistation. Is that enough?

Please help.

What have you done?

Philbot500.

[Tenzer]

All the following is from what I know from the top of my head, but I believe that it is correct ;)

TCP is only used in DNS regards, if the amount of data which needs transfer is too much to be in a single UDP package. TCP is also used for zone transfers.

People performing DNS queries towards your server will always contact it on port 53, regardless of TCP/UDP. The randomization of ports is only relevant when the DNS server is queried about a domain name it doesn't hold any information for, and then needs to do a recursive lookup to another DNS server.

The patch will make the port used for replies to your DNS server random, instead of using a sequential number which is easily to find out for a hacker.

I hope this may help you in any way.

[VaKo]

Build a lab and test there first. Once your happy with what your seeing setup a way of rolling back the production servers and apply the test to one of the DNS servers. Monitor it. If nothing evil shows up, roll out the patch on more servers. Repeat until they're all kosher.