[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <200601031636.QAA01515@simpson.demon.co.uk>
Date: Tue, 03 Jan 2006 16:35:42 +0000
From: Duncan Simpson <dps@...pson.demon.co.uk>
To: Mario Contestabile <marioc@...puter.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: [Full-disclosure] Microsoft DNS resolver: deliberately sabotaged
hosts-file lookup
Nobody has mentioned this, so maybe I should.
It is not difficult to bypass the hosts file on *any* operting system
whatsoever, by just writing your own resolver. This is easier than you
think---the standard resolver library has all the machinery you need modulo
creating the UDP socket. Bind has an even easier library... and an example of
how to use it (aka dig).
AFAIK winodws update et al are based on http, so a firewall that requiries one
to use the provided HTTP proxy can block its requests (and lots of instant
messgaing software). You could even use a transparent proxy so nobody notices
anything until the proxy denies their request.
You can do all the above with a solution like sonic wall (and presuambly their
competitors' alternatives), linux+iptables, and presumably similar faciltiies
on other platforms.
I think the advice is to buy or build a seperate firewall, configure it to
deny anything not desired, and you should be safe. Rerquiring the use of a
local proxy or name servers just requires blocking outbound requests to the
appropriate ports from all other hosts. I suspect bugtraq would *not*
recommend any seperate firewall based on M$ windows, but would recommend using
the provided firewalling feattures.
--
Duncan (-:
"software industry, the: unique industry where selling substandard goods is
legal and you can charge extra for fixing the problems."
Powered by blists - more mailing lists