I just read an article about Google publishing a Public DNS service. Google Public DNS is a free, global DNS resolution service. Google recommends using their Public DNS server as an alternative to your current DNS servers.
To try it out:
More information about Google’s Public DNS can be found here.
dig @188.8.131.52 www.booches.nl
; <<>> DiG 9.3.2 <<>> @184.108.40.206 www.booches.nl
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 708
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.booches.nl. IN A
;; ANSWER SECTION:
www.booches.nl. 900 IN A 220.127.116.11
;; Query time: 97 msec
;; SERVER: 18.104.22.168#53(22.214.171.124)
;; WHEN: Fri Dec 04 09:03:26 2009
;; MSG SIZE rcvd: 48
I will be using Google’s DNS service for testing purposes, because I cannot imagine using them as primary DNS. There are a lot of questions, like:
Maybe I will use them as third or fourth DNS forwarders after the DNS servers from my provider.
Today I was asked to block access to multiple websites and the only device capable of doing this was the firewall. This customer is using a Cisco ASA firewall, which supports basic URL filtering. This customers wanted to block HTTP and HTTPS websites. HTTPS websites use a SSL tunnel from the end device to the end server, so the firewall isn’t capable of inspecting the SSL traffic. Instead of using URL inspection, I configured DNS inspection.
The ASA inspects the DNS request from the internal DNS server or end device to the external DNS server. I use regular expressions to match the FQDN of a website. Below is an example configuration of blocking access to the website (and applications using a DNS entry to this website) LogMeIn.com
regex domain_logmein.com “\.logmein\.com”
class-map type regex match-any DomainBlockList
description Blocked Domains
match regex domain_logmein.com
policy-map type inspect dns PM-DNS-inspect
message-length maximum 512
match domain-name regex class DomainBlockList
inspect dns PM-DNS-inspect
service-policy global_policy global
A problem with this approach could be the DNS cache on the internal DNS server. This is domain name is queried before configuring the inspection, the domain will be available until the DNS cache from the DNS server expires. In urgent situation you can maybe clear the DNS cache yourself.
If a DNS reply is matched the ASA generates a syslog message, like shown below.
08-28-2009 15:33:31 Local4.Warning 10.10.1.254 %ASA-4-410003: DNS Classification: Dropped DNS request (id 22251) from inside:DNS-SERVER/59256 to outside:UPSTREAM-DNS/53; matched Class 23: match domain-name regex class DomainBlockList
I guess you already read about it, but if not here a short outcome.
Despite Dan Kaminsky’s efforts to keep a lid on the details of the critical DNS vulnerability he found, someone at the security firm Matasano leaked the information on its blog yesterday, then quickly pulled the post down. But not before others had grabbed the information and reposted it elsewhere, leading Kaminsky to post an urgent 0-day message on his blog reading, “Patch. Today. Now. Yes, stay late.”
Hackers are furiously working on an exploit to attack the vulnerability. HD Moore, creator of the Metasploit tool, says one should be available by the end of the day […]
You can read about this vulnerability on many different blogs, so be careful in the next couple of days when accessing websites, which ask to enter personal information.