I just had a quick conversation with an IT technician who alluded to the idea that more than Zone Alarm may be broken by the new port randomization behaviors of “patched DNS”. These fundamental changes to the ports allocated for DNS traffic may confuse existing firewalls and other filtering devices that are unaware of the changes to DNS behaviors.

For example, if you have filtering devices that specific port ranges defined for egress or ingress of DNS traffic, especially if you are using a non-stateful device, this configuration may need to be changed to allow for the greater port range applied to the “patched DNS” setup. Systems that are also “DNS aware” might not expect the randomization of the ports that the patching is creating. As such, filtering devices, especially at the perimeter may well need to be reconfigured or upgraded as well to allow for continued operation of unimpeded DNS traffic.

There may be SEVERAL other nuances that become evident in some environments as the patch process for the DNS issue continues to evolve. Stay tuned to stateofsecurity.com and other security venues for information and guidance as it becomes available.

Just added this to Revision 2 of the whitepaper:

Attack Vector Management

Part of mitigating the risk of this security issue is also managing the availability of the attack vector. In this case, it is essential that security teams understand how DNS resolution operates in their environment. DNS resolution must be controlled to the greatest extent possible. That means that all servers and workstations MUST be configured to use a set of known, trusted and approved DNS servers whenever possible. In addition, proper egress filtering should be implemented to prevent external DNS resolution and contact with port 53 on unknown systems. Without control over desktop and server DNS use, the attack vector available for exploitation becomes unmanageably large. Upper management must support the adoption of these controls in order to prevent compromise as this and other DNS vulnerabilities evolve.

Home User and Small Office Vulnerability

Home users and small offices (or enclaves within larger organizations) should pay careful attention to how their DNS resolution takes place. Many home and small business firewall devices such as Linksys, D-Link, Netgear, etc. are likely to be vulnerable to these attacks and are quite UNLIKELY to be patched to current firmware levels. Efforts must be made to educate home and small office users about this issue and to update all of these devices as the patches and upgrades to their firmware becomes available.

Our engineering team has analyzed the available data on this emerging security issue and the fixes identified. As such, we have prepared the following white paper for our clients and readers.

Please review the paper and feel free to distribute it to your management team, co-workers and others who need to be involved in understanding and remediating the problems emerging with DNS.

You can obtain the white paper here.

If your organization needs any assistance in understanding or managing this vulnerability, please do not hesitate to contact us. We would be happy to assist in any way possible.