Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: [Full-disclosure] Microsoft DNS resolver: deliberately sabotaged hosts-file lookup
From: Duncan Simpson <dps () simpson demon co uk>
Date: Tue, 03 Jan 2006 16:35:42 +0000


Nobody has mentioned this, so maybe I should.

It is not difficult to bypass the hosts file on *any* operting system 
whatsoever, by just writing your own resolver. This is easier than you 
think---the standard resolver library has all the machinery you need modulo 
creating the UDP socket. Bind has an even easier library... and an example of 
how to use it (aka dig).

AFAIK winodws update et al are based on http, so a firewall that requiries one 
to use the provided HTTP proxy can block its requests (and lots of instant 
messgaing software). You could even use a transparent proxy so nobody notices 
anything until the proxy denies their request.

You can do all the above with a solution like sonic wall (and presuambly their 
competitors' alternatives), linux+iptables, and presumably similar faciltiies 
on other platforms.

I think the advice is to buy or build a seperate firewall, configure it to 
deny anything not desired, and you should be safe. Rerquiring the use of a 
local proxy or name servers just requires blocking outbound requests to the 
appropriate ports from all other hosts. I suspect bugtraq would *not* 
recommend any seperate firewall based on M$ windows, but would recommend using 
the provided firewalling feattures.

-- 
Duncan (-:
"software industry, the: unique industry where selling substandard goods is
legal and you can charge extra for fixing the problems."



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]