New poisoning attack, out early:
VU#800113: if I've helped you set up an OpenBSD router, you are vulnerable.
ssh to your router and edit named.conf:
su -
emacs -nw /var/named/etc/named.conf
Modify the options {} block by adding the lines below, which will forward all queries for non-local zones to OpenDNS, which isn't vulnerable to this attack:
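As an added example (mine, not the post's or OpenBSD's), here is a small Python checker for the named.conf options block: it confirms that forwarders and forward only are set, and flags a query-source line that pins the source port, since a fixed port defeats the source-port randomisation that mitigates VU#800113. The constructed sample config uses OpenDNS resolver addresses filled in from memory rather than from the post; verify them against OpenDNS's own documentation.

```python
import re

# Constructed named.conf fragment (not from the post): a forwarding
# options block like the one described, plus a pinned source port.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    forward only;
    forwarders { 208.67.222.222; 208.67.220.220; };  # OpenDNS (assumed)
    query-source address * port 53;
    listen-on { 10.0.1.1; 127.0.0.1; };
};
"""

def options_block(conf):
    """Return the text inside the top-level options { ... } block."""
    m = re.search(r'options\s*\{', conf)
    if not m:
        return ''
    depth, start = 1, m.end()
    for i in range(start, len(conf)):
        if conf[i] == '{':
            depth += 1
        elif conf[i] == '}':
            depth -= 1
            if depth == 0:
                return conf[start:i]
    return conf[start:]

def check_resolver(conf):
    """Report the forwarding setup and any pinned query port."""
    opts = re.sub(r'(#|//).*', '', options_block(conf))  # drop line comments
    fw = re.search(r'forwarders\s*\{([^}]*)\}', opts)
    forwarders = re.findall(r'[\d.]+', fw.group(1)) if fw else []
    forward_only = re.search(r'\bforward\s+only\s*;', opts) is not None
    # "query-source ... port N" fixes the UDP source port, so every query
    # leaves from the same port and the attacker only has to guess the TXID.
    pinned = re.search(r'query-source[^;]*\bport\s+(\d+)', opts)
    return {
        'forwarders': forwarders,
        'forward_only': forward_only,
        'pinned_query_port': int(pinned.group(1)) if pinned else None,
    }

if __name__ == '__main__':
    report = check_resolver(SAMPLE_NAMED_CONF)
    print(report)
    if report['pinned_query_port'] is not None:
        print('WARNING: query-source pins port %d; remove it so the patched '
              'BIND can randomise source ports' % report['pinned_query_port'])
```

Run it against /var/named/etc/named.conf by reading the file into check_resolver instead of the constructed sample.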
supersede domain-name-servers 10.0.1.1;
And then force DHCP to reload:
ifconfig (look for the non-local address interface)
pkill -9 dhclient
dhclient
That will cause /etc/resolv.conf to be written to always run DNS queries through the local BIND9 instance rather than only providing that service for downlevel (and it will cause your local machine to now use the forwarders automatically).
Or you can supersede the forwarders address if you prefer.
And you should create an OpenDNS account, add a network (should default to your current IP) and change its advanced settings (I turned off everything except block suspicious IP), unless you like being sent to a custom search page for NXDOMAIN, or letting them typo-correct your NXDOMAINs.
Before turning it all off:
shamash:~ # ping www.google.com
PING google.navigation.opendns.com (208.67.216.230): 56 data bytes
After turning it all off and waiting a few minutes:
shamash:~ # ping www.google.com
PING www.l.google.com (74.125.19.99): 56 data bytes
Reply
dhclient ; I fail.
Reply
dhclient
Stupid <.
Reply