
DNS Spoofing Vulnerability Protection

SmartDefense provides Check Point customers with preemptive protection

The latest DNS cache poisoning technique, announced by CERT on July 8, 2008, exploits DNS requests that do not randomize source ports (CVE-2008-1447).  DNS cache poisoning is the first step in an attack sequence that spoofs a legitimate website to infect a user’s computer with malicious code or steal a user’s private credentials. DNS Spoofing attacks can redirect traffic from legitimate destinations to malicious sites, resulting in pharming exploits, malware infection and other serious network and data security breaches. 

Check Point announced on July 9 that SmartDefense preemptive DNS protections have been available since May 2004. As a large number of organizations are still not protected from this vulnerability, we strongly encourage our customers to take the necessary steps to protect their network infrastructure.

Vulnerability Details

The spoofing vulnerability has been reported in major DNS implementations, including the Microsoft Windows DNS service and Berkeley Internet Name Domain (BIND). DNS Spoofing allows an attacker to change a DNS entry so that it points to an IP address of his/her own choice. The vulnerability is due to insufficient entropy in outgoing DNS queries, which allows remote attackers to forge DNS responses that the resolver accepts. Successful exploitation could allow the attacker to insert arbitrary malicious addresses into the DNS cache, redirecting Internet traffic to an address of his/her choice.

Protection Overview

This attack can be mitigated by randomizing the DNS source port and transaction ID of DNS queries.  Check Point VPN-1 Power, VPN-1 UTM, VPN-1 Power VSX and Connectra defend users from the attack by using SmartDefense DNS query scrambling protection.

SmartDefense will protect the corporate DNS servers by scrambling the source port and query ID number of each DNS query, making it significantly harder to spoof such requests.  Additional protections include dropping inbound queries related to zones that are not associated with the organization’s domain, and alerting when the number of mismatched DNS responses exceeds a certain threshold.  No update is required to address this vulnerability, but you need to follow the directions below.

Protection Details

SmartDefense provides several protections against DNS poisoning:

  1. Scrambling (randomization) of both the source port and the transaction ID. This is the randomization described in the Protection Overview above. NOTE: this protection works whether or not NAT of any kind is enabled.

    To activate the protection: within the SmartDashboard SmartDefense Tab, click Application Intelligence > DNS > Cache Poisoning > Scrambling; in the configuration pane, ensure that mode is set to “Active”.

  2. Drop inbound queries related to zones that are not associated with the organization's domain. This action alone blocks many poisoning attacks, because the key to all of them is to induce a resolver within the organization to generate a query and then to send it a "poisoned" response. Often this is done by asking the resolver to resolve a domain for which it is not authoritative.

    There are other ways to cause a DNS resolver to send queries, for example sending an email to one of the organization's employees with a link to a certain domain. The employee's computer will prompt the organization's resolver to generate a DNS query, which can then be poisoned by an attacker who constantly sends forged replies for that domain.

    This protection is very valuable and makes the attacker's task much more complicated.

    To activate the protection:

    The protection requires that a DNS server object is created and that the authoritative domains for this server are defined. Once defined, and the protection enabled, the gateway will allow queries from external interfaces only to the server's authoritative domains. There are no restrictions on queries coming from internal interfaces. Here is a step-by-step description.

    1. Define a host object for the DNS server and enter its address

    2. Click on Configure Servers and check the DNS Server option

    3. In the DNS server properties, add objects representing the authoritative zones for this server.

      The relevant network objects that may be added to the authorization domains list are domain objects and network objects that represent a network or a host.

      Domain objects (created via Network Objects > New > Others > Domain) are used to match regular DNS questions.

      The domain object will apply to any DNS request for a domain that hierarchically belongs to the defined domain.

      For instance, defining example.com as a domain object will apply to requests for www.example.com, ns.example.com and internal.example.com, but not to a request for www.example.com.org.

      The other network objects are used to match reverse lookup questions. When adding a network object with IP address a.b.c.d to the authorization list, the domain that will be matched is d.c.b.a.in-addr.arpa. Note that only networks with a netmask of 8, 16, 24 or 32 can be used in the DNS Server authorization list.

      [Screenshot: network object representing the reverse lookup zone]

      [Screenshot: DNS server object with the authorization domains list configured]

    4. In SmartDefense, activate the protection under:

      Application Intelligence > DNS > Scrambling > Drop Inbound Requests

      Click customize, and enable the protection for the previously created DNS server object.

  3. Alert when the number of mismatched DNS replies exceeds a certain threshold. While it does not prevent the attack, this defense provides an indication that an attack is taking place. There is no legitimate reason for a large number of replies with mismatching transaction IDs to be encountered, so such an alert is unlikely to be a false alarm. In addition, most attacks involve sending many different transaction IDs in order to match the original requests, and are therefore likely to trigger this alert. This protection alerts whenever a DNS poisoning attack is detected, and has an excellent (very low) false positive / false negative rate.

    To activate the protection: within the SmartDashboard SmartDefense Tab, click Application Intelligence > DNS > Cache Poisoning > Mismatched Replies; in the configuration pane, ensure that mode is set to “Active”.
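The authorization-domain matching described under protection 2 (domain objects matching a domain and everything hierarchically below it; network objects matching the corresponding in-addr.arpa reverse zone, with only /8, /16, /24 and /32 masks accepted) can be modelled in a few lines. The following is an added example written for this page, not Check Point code, and it does not describe how SmartDefense is implemented internally; the domain names and address ranges in it are constructed for illustration.

```python
import ipaddress

# Constructed authorization-domain list of one DNS server object (made-up values).
AUTHORIZED_DOMAINS = ["example.com"]
AUTHORIZED_NETWORKS = ["192.0.2.0/24", "198.51.100.10/32"]


def normalize(name: str) -> tuple:
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return tuple(label for label in name.lower().rstrip(".").split(".") if label)


def domain_object_matches(domain: str, qname: str) -> bool:
    """True if qname is the domain itself or hierarchically below it.

    Matching is done label by label, not as a plain string suffix, so
    'example.com' matches 'www.example.com' but not 'www.example.com.org'
    or 'notexample.com'.
    """
    d, q = normalize(domain), normalize(qname)
    return len(q) >= len(d) and q[-len(d):] == d


def reverse_zone(network: str) -> str:
    """Map a network object to the in-addr.arpa zone it authorizes.

    A network a.b.c.0/24 authorizes c.b.a.in-addr.arpa; a host a.b.c.d/32
    authorizes d.c.b.a.in-addr.arpa. As stated on the page, only masks of
    8, 16, 24 or 32 bits are accepted.
    """
    net = ipaddress.IPv4Network(network, strict=False)
    if net.prefixlen not in (8, 16, 24, 32):
        raise ValueError(f"netmask must be 8, 16, 24 or 32, got /{net.prefixlen}")
    octets = str(net.network_address).split(".")
    kept = octets[: net.prefixlen // 8]      # one label per fully covered octet
    return ".".join(reversed(kept)) + ".in-addr.arpa"


def is_authoritative_query(qname: str,
                           domains=AUTHORIZED_DOMAINS,
                           networks=AUTHORIZED_NETWORKS) -> bool:
    """Decide whether a query arriving on an external interface is for a
    zone the protected server is authoritative for."""
    if any(domain_object_matches(d, qname) for d in domains):
        return True
    return any(domain_object_matches(reverse_zone(n), qname) for n in networks)


def filter_inbound_queries(queries):
    """Split a batch of externally received query names into (allowed, dropped)."""
    allowed, dropped = [], []
    for q in queries:
        (allowed if is_authoritative_query(q) else dropped).append(q)
    return allowed, dropped


if __name__ == "__main__":
    # Constructed sample of names seen on the external interface.
    sample = ["ns.example.com", "25.2.0.192.in-addr.arpa",
              "www.example.org", "www.example.com.org"]
    ok, drop = filter_inbound_queries(sample)
    print("allowed:", ok)
    print("dropped:", drop)
```

Queries from internal interfaces are not passed through this filter at all, matching the page's statement that only external-interface queries are restricted.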

Install the policy associated with the above protections on all relevant gateways.
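Protections 1 and 3 above work together: a gateway that scrambles the source port and transaction ID of every outbound query knows exactly which (port, ID) pairs are outstanding, so any reply that matches none of them can be counted as mismatched, and a burst of such replies can be alerted on. The model below is an added example written for this page, not Check Point's implementation; the DNS packets, the ephemeral port range, the threshold of 20 replies and the 10-second window are all constructed values chosen for illustration.

```python
import secrets
import struct
from collections import deque

MISMATCH_THRESHOLD = 20   # constructed: alert when this many unmatched replies fall in one window
WINDOW_SECONDS = 10.0     # constructed sliding-window length


def build_query(txid: int, qname: str) -> bytes:
    """Build a minimal DNS query (header + one A question) for test input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return header + question + struct.pack("!HH", 1, 1)


def build_response(txid: int, qname: str) -> bytes:
    """Same shape as a query but with the QR bit set (no answer records needed here)."""
    pkt = build_query(txid, qname)
    return pkt[:2] + struct.pack("!H", 0x8180) + pkt[4:]


def parse_header(packet: bytes):
    """Return (transaction_id, is_response) from the 12-byte DNS header."""
    txid, flags = struct.unpack("!HH", packet[:4])
    return txid, bool(flags & 0x8000)


def set_txid(packet: bytes, txid: int) -> bytes:
    return struct.pack("!H", txid) + packet[2:]


class ScramblingGateway:
    """Outbound queries leave with a random source port and transaction ID.
    Inbound replies are accepted only if they match an outstanding pair and are
    then mapped back to the resolver's original port and ID. Replies matching
    nothing are counted; reaching the threshold inside the window raises an alert."""

    def __init__(self, threshold=MISMATCH_THRESHOLD, window=WINDOW_SECONDS):
        self.outstanding = {}        # (scrambled_port, scrambled_txid) -> (orig_port, orig_txid)
        self.mismatches = deque()    # timestamps of unmatched replies
        self.threshold = threshold
        self.window = window
        self.alerts = 0

    def outbound(self, src_port: int, packet: bytes):
        txid, is_response = parse_header(packet)
        if is_response:
            raise ValueError("expected a query")
        while True:                  # pick a pair not already in use
            port = 1024 + secrets.randbelow(65536 - 1024)
            new_txid = secrets.randbelow(65536)
            if (port, new_txid) not in self.outstanding:
                break
        self.outstanding[(port, new_txid)] = (src_port, txid)
        return port, set_txid(packet, new_txid)

    def inbound(self, dst_port: int, packet: bytes, now: float):
        txid, is_response = parse_header(packet)
        if not is_response:
            raise ValueError("expected a response")
        entry = self.outstanding.pop((dst_port, txid), None)
        if entry is not None:
            orig_port, orig_txid = entry
            return orig_port, set_txid(packet, orig_txid)
        # Mismatched reply: record it, drop expired entries, evaluate the threshold.
        self.mismatches.append(now)
        while self.mismatches and now - self.mismatches[0] > self.window:
            self.mismatches.popleft()
        if len(self.mismatches) >= self.threshold:
            self.alerts += 1
            self.mismatches.clear()
        return None


if __name__ == "__main__":
    gw = ScramblingGateway(threshold=5)
    port, scrambled = gw.outbound(5353, build_query(0x1234, "www.example.com"))
    good = build_response(parse_header(scrambled)[0], "www.example.com")
    print("matched reply ->", gw.inbound(port, good, now=1.0)[0])
    for i in range(5):               # constructed burst of replies nobody asked for
        gw.inbound(53000, build_response(i, "www.example.com"), now=2.0 + i / 10)
    print("alerts raised:", gw.alerts)
```

The detector keys on the scrambled (port, ID) pair rather than the ID alone, which is what makes the mismatch count meaningful: with both values randomized, a reply that matches neither is not something a well-behaved upstream server produces in volume.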