Open DNS Resolver

Comments

  • KiKi
    KiKi Posts: 5,381 Forumite
    Part of the Furniture 1,000 Posts
    No, it solves the problem, for all practical purposes.

    Oh, okay. Thank you. :)

    I like Microtik stuff, but that might be a bit hardcore...


    Would a new router fix the issue?

    My techie guys at work were flummoxed!! Thanks again for your time.

    KiKi
    ' <-- See that? It's called an apostrophe. It does not mean "hey, look out, here comes an S".
  • securityguy
    securityguy Posts: 2,464 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    KiKi wrote: »
    Would a new router fix the issue?

    If the problem is that your router is exposing a recursive resolver on the wide-area side, and you can't configure it out (blocking inbound port 53 is sufficient) and there isn't a software update from the router vendor to fix it, then it's an arguable router flaw and if that's enough to make your ISP write you irritating letters, fifty quid for a router would make the problem go away.

    However, for all last night's entertainment of speculating about exotic DNS attacks, there are three things to remember:

    1. The chances of a successful attack being conducted against you are low, and if you are not stupid enough to either do banking/email/etc without https or merrily click "this certificate is really dodgy, should I proceed and do dangerous stuff anyway" boxes, then the risk of the attack being used to do anything genuinely threatening is even lower.

    2. If you reconfigure your clients to use 8.8.8.8 and 8.8.4.4 (Google's anycast public DNS servers), which would probably involve a simple change to the DHCP configuration on your router, then the risk is even lower, arguably zero.

    3. All this assumes that your exposed recursive resolver _is_ susceptible to an additional information attack. Which isn't certain.
  • KiKi
    KiKi Posts: 5,381 Forumite
    Part of the Furniture 1,000 Posts
    securityguy wrote: »
    If the problem is that your router is exposing a recursive resolver on the wide-area side, and you can't configure it out (blocking inbound port 53 is sufficient) and there isn't a software update from the router vendor to fix it, then it's an arguable router flaw and if that's enough to make your ISP write you irritating letters, fifty quid for a router would make the problem go away.

    However, for all last night's entertainment of speculating about exotic DNS attacks, there are three things to remember:

    1. The chances of a successful attack being conducted against you are low, and if you are not stupid enough to either do banking/email/etc without https or merrily click "this certificate is really dodgy, should I proceed and do dangerous stuff anyway" boxes, then the risk of the attack being used to do anything genuinely threatening is even lower.

    I never do that. You're talking to a girl who reads all the T&Cs before she ticks the boxes on any website. I even read credit card agreements in full. ;)

    2. If you reconfigure your clients to use 8.8.8.8 and 8.8.4.4 (Google's anycast public DNS servers), which would probably involve a simple change to the DHCP configuration on your router, then the risk is even lower, arguably zero.

    I have absolutely no idea what you just said. ;)

    3. All this assumes that your exposed recursive resolver _is_ susceptible to an additional information attack. Which isn't certain.

    The fact that there seems to be an issue, and the fact that I don't understand enough to resolve it myself causes stress because I can be a bit control freakish. ;) Money to make the problem go away is money well spent to me, so I think I'll get a new router and then I can feel better about it. It's what I go to work for. :D Plus, the router and its firmware are now over 8 years old.


    Thanks again so much for trying to help me. In case you're interested (after all the debate yesterday!), this was the letter: http://my.virginmedia.com/content/dam/virgoBrowse/docs/VMsecurityletter.pdf

    And it seems I'm not the only one who received it and thought "what?":
    http://community.virginmedia.com/t5/Wireless-Networking/Open-DNS-resolver-Letter/td-p/2182324

    Thanks again
    KiKi
    ' <-- See that? It's called an apostrophe. It does not mean "hey, look out, here comes an S".
  • KiKi wrote: »
    I have absolutely no idea what you just said. ;)

    Your router probably tells devices in your house to use the router to resolve names into IP numbers. If instead it told devices to use external resolvers, such as those offered by Google, then the state of its own resolver would be irrelevant.

    KiKi wrote: »
    Thanks again so much for trying to help me. In case you're interested (after all the debate yesterday!), this was the letter: http://my.virginmedia.com/content/dam/virgoBrowse/docs/VMsecurityletter.pdf

    That's interesting: they're worried about amplification attacks.

    An amplification attack takes advantage of the fact that when you are asking a question of a resolver, you can put any address in as the source of the query. Normally, obviously, when you ask a question, you want the answer to come back to you! But if you're a bad person, you can send a small question ("what is google's IP number?") which will get a large answer (a long list of Google's various public servers) with the source address set to be your enemy. You send that query to sites that are running open resolvers. That way, you send some number of fifty byte queries, and your enemy receives the same number of five hundred byte responses. So you can perform a denial of service attack which is (a) ten or more times more intense than you can otherwise manage and (b) doesn't appear to come from any machines remotely close to you. I guess Virgin cable connections are fast enough that a machine at the end of one is a useful participant in this.
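The two things securityguy describes in this thread, a router that answers recursive queries on its WAN side and the small-query/large-answer ratio that makes such a resolver useful for amplification, can both be seen in the DNS header and message sizes. The following script is an added example written for this page, not code from the thread or from Virgin Media's checker. It builds a recursive query, parses the reply header (QR, RD, RA flags and rcode), decides whether the reply is what an open recursive resolver would send, and reports the response-to-query size ratio. The sample replies are constructed in the script (the 192.0.2.x addresses are documentation addresses, not real servers) so it runs offline; `probe()` is for checking your own router's public address from a connection outside your LAN, which is the test the letter is about.

```python
"""Check a DNS reply for the 'open recursive resolver' condition and measure
the amplification ratio.  Added example, not from the forum thread."""
import socket
import struct

DNS_PORT = 53


def build_query(name, qtype=1, txid=0x1234, rd=True):
    """Build a one-question DNS query; RD set means 'please recurse for me'."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qtype, class IN


def parse_header(msg):
    """Decode the 12-byte DNS header into the flags a resolver check needs."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),      # 1 = this is a response
        "rd": bool(flags & 0x0100),      # recursion desired (copied from query)
        "ra": bool(flags & 0x0080),      # recursion available: the resolver recursed
        "rcode": flags & 0x000F,         # 0 NOERROR, 5 REFUSED, ...
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(query, response):
    """An open recursive resolver answers our query (matching ID), sets RA,
    returns NOERROR and at least one answer record.  Also report how many
    bytes came back per byte sent, which is what an amplifier cares about."""
    q, r = parse_header(query), parse_header(response)
    is_open = bool(r["qr"] and r["id"] == q["id"] and r["ra"]
                   and r["rcode"] == 0 and r["ancount"] > 0)
    return {
        "open_resolver": is_open,
        "ra": r["ra"],
        "rcode": r["rcode"],
        "answers": r["ancount"],
        "amplification": round(len(response) / len(query), 2),
    }


def constructed_response(query, n_answers, recurses=True):
    """CONSTRUCTED sample reply (not captured traffic): echo the question back
    with QR set and either RA plus n_answers A records (an open resolver) or
    rcode REFUSED with no answers (a resolver that declines to recurse)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]                      # qname + qtype + qclass
    if recurses:
        flags, ancount = 0x8180, n_answers     # QR, RD, RA, NOERROR
    else:
        flags, ancount = 0x8105, 0             # QR, RD, rcode 5 REFUSED
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    rrs = b""
    for i in range(ancount):
        # name = pointer to offset 12, type A, class IN, TTL 300, rdlength 4,
        # address in the 192.0.2.0/24 documentation range
        rrs += struct.pack("!HHHIH4B", 0xC00C, 1, 1, 300, 4, 192, 0, 2, i + 1)
    return header + question + rrs


def probe(host, name="example.com", timeout=3.0):
    """Send one recursive query to host:53 over UDP and classify the reply.
    Run it against your own router's WAN address from outside your LAN;
    None means nothing answered, i.e. inbound port 53 is not reachable."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (host, DNS_PORT))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return classify(query, reply)


if __name__ == "__main__":
    import sys
    q = build_query("example.com")
    print("constructed open-resolver reply:", classify(q, constructed_response(q, 8)))
    print("constructed refusal:", classify(q, constructed_response(q, 0, recurses=False)))
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", probe(sys.argv[1]))
```

With the constructed eight-answer reply the 29-byte query produces a 157-byte response, a ratio of about 5.4; real answers with more records or EDNS payloads go considerably higher, which is the "ten or more times" figure above. A router that has been fixed (port 53 blocked inbound, or recursion disabled on the WAN interface) either does not answer `probe()` at all or answers REFUSED without RA, and either result satisfies the check the ISP is running.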
  • kwikbreaks
    kwikbreaks Posts: 9,187 Forumite
    @securityguy

    That sounds like some routers can actually run their own DNS server and the code is poor. I suspect that will be the case here because then there is no need for any open ports as the code will be running outside the firewall.

    @KiKi

    Before splashing the cash, check if there is a firmware update on the manufacturer's website.

    Most VM customers are paying over the odds unless they renegotiate terms every year - now is a good time for you to do so.

    If you are out of minimum term call VM and tell them you've checked around and found most ISPs give free routers so unless they provide you with their Superhub you'll probably be moving on.

    Point out you may well do so anyway as you've found you could save money. TalkTalk and Plusnet are both pretty cheap if they ask who you've looked at - might pay to check their pricing before calling. Don't forget to tell VM that the cashback on offer is good too.
  • me0000
    me0000 Posts: 51 Forumite
    Sitecom routers are utter rubbish.
    Primitive crap fit for the scrapyard.
    Don't even get me started on trying to contact support at sitecrap.
    Change your router.
  • KiKi
    KiKi Posts: 5,381 Forumite
    Part of the Furniture 1,000 Posts
    kwikbreaks wrote: »
    @KiKi

    Before splashing the cash, check if there is a firmware update on the manufacturer's website.

    Most VM customers are paying over the odds unless they renegotiate terms every year - now is a good time for you to do so.

    If you are out of minimum term call VM and tell them you've checked around and found most ISPs give free routers so unless they provide you with their Superhub you'll probably be moving on.

    Point out you may well do so anyway as you've found you could save money. TalkTalk and Plusnet are both pretty cheap if they ask who you've looked at - might pay to check their pricing before calling. Don't forget to tell VM that the cashback on offer is good too.

    Thanks for the info. There's no firmware, but I have asked Sitecom how to block port 53 on this specific router. If I can do that, then great. If not, a new router it is. :)

    I'm not getting into a new contract with anyone as it won't be useful for me to do that just now in my circumstances. I move suppliers / banks / ISAs etc all the time - but I won't move from VM because I am a huge F1 fan, and so have Sky Sports F1. VM are better overall for that than Sky, and I have a damn good deal with them at the moment! But thanks anyway, I appreciate you thinking of different options for me. :)

    me0000 wrote: »
    Sitecom routers are utter rubbish.
    Primitive crap fit for the scrapyard.
    Don't even get me started on trying to contact support at sitecrap.
    Change your router.

    Projection issues, much?!
    ' <-- See that? It's called an apostrophe. It does not mean "hey, look out, here comes an S".