Kerio User Forums » Kerio Operator » Security issue: Operator is an open DNS resolver

Jeeves_

In the last week, Spamhaus was attacked by using open DNS resolvers. See http://www.nytimes.com/2013/03/27/technology/internet/online-dispute-becomes-internet-snarling-attack.html for more info.

Because of that issue, I was scanning my network, only to find out that Kerio Operator is serving as an open DNS resolver, which means that it can contribute to these attacks.

Please FIX this, ASAP. Operator does not need to answer DNS questions (why does it even run a resolver?)

Offering Kerio and much more. See http://www.tuxis.nl and http://www.kerioindecloud.nl/
Filip Jenicek (Kerio)
Dear Mark,

by default the Operator's DNS service is open to "Local clients" only. This can be changed in the built-in firewall. Please note that DNS is a part of the "Phone provisioning" services.

Best
Filip
Jeeves_

I beg to differ.

My 'local clients' ranges only include RFC 1918 addresses. I can query operator.tuxis.net from any machine on the Internet.

Jeeves_

This even works if 'Phone provisioning' is disabled.

Jeeves_

/tmp/pdnsd.conf and iptables -L -n -v confirm that nothing is filtered.

Jeeves_

Ok, KerioNL just pointed out that you should limit access to Phone Provisioning even if it's not enabled. That's confusing. And AFAIK, by default, Phone Provisioning isn't filtered.

Filip Jenicek (Kerio)
When you uncheck "Phone provisioning", it means that access is not restricted, thus the firewall is off.

By default it is checked, and iptables filters port 53.

Inside Operator:
-sh-4.1# iptables-save |grep 53
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j DROP
-A INPUT -p udp -m udp --dport 53 -j DROP

From my machine:
<~> $ nmap xxx.com
Starting Nmap 6.00 ( http://nmap.org ) at 2013-03-27 10:24 CET
Host is up (0.0038s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
22/tcp filtered ssh
53/tcp filtered domain
80/tcp open http
161/tcp filtered snmp
199/tcp filtered smux
443/tcp open https
5060/tcp open sip
5061/tcp open sip-tls


If you have a different experience, please send your support info file to fjenicek<_at_>kerio.com. The file can be generated at the bottom of screen "System Health".

Filip
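The iptables-save lines above are the whole mechanism that decides whether Operator is an open resolver: port 53 is accepted only from loopback and the "Local clients" range, then dropped for everyone else, and when the "Phone provisioning" box is unchecked those rules are simply absent. The script below is an added example (not Kerio's code and not from this thread) that parses that subset of iptables-save syntax and evaluates the INPUT chain first-match style for a packet from an Internet address, so an administrator can audit a saved ruleset offline before an ISP does it for them. It assumes the chain's default policy is ACCEPT (the page does not state it), uses 203.0.113.5 (a documentation-range address) as the stand-in outside client, and embeds the post's ruleset plus a constructed "firewall off" ruleset as sample input.

```python
import ipaddress
import re

# Sample iptables-save output, copied from the forum post above (Operator with
# "Phone provisioning" restricted to "Local clients", here 192.168.0.0/16).
FILTERED_RULES = """\
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j DROP
-A INPUT -p udp -m udp --dport 53 -j DROP
"""

# Constructed ruleset: an INPUT chain with no port-53 rules at all, which is
# what "Phone provisioning" unchecked amounts to (firewall off for that service).
OPEN_RULES = """\
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
"""

# Only the rule shape used in the post is recognised: an INPUT rule with an
# optional -s source, a protocol, a --dport and a terminal target.
RULE_RE = re.compile(
    r"^-A\s+(?P<chain>\S+)"
    r"(?:\s+-s\s+(?P<src>\S+))?"
    r"\s+-p\s+(?P<proto>tcp|udp)"
    r"(?:\s+-m\s+(?:tcp|udp))?"
    r"\s+--dport\s+(?P<dport>\d+)"
    r"\s+-j\s+(?P<target>ACCEPT|DROP|REJECT)\s*$"
)


def parse_rules(text):
    """Return the INPUT rules in chain order. Lines in any other shape are
    ignored (assumption: they do not touch port 53)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group("chain") != "INPUT":
            continue
        src = m.group("src") or "0.0.0.0/0"  # no -s means "any source"
        rules.append({
            "src": ipaddress.ip_network(src, strict=False),
            "proto": m.group("proto"),
            "dport": int(m.group("dport")),
            "target": m.group("target"),
        })
    return rules


def verdict(rules, src_ip, proto, dport=53, default_policy="ACCEPT"):
    """First matching rule wins, exactly as iptables walks a chain. If nothing
    matches, the chain policy applies; ACCEPT is an assumption here."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["proto"] == proto and r["dport"] == dport and ip in r["src"]:
            return r["target"]
    return default_policy


def is_open_resolver(text, outside_ip="203.0.113.5"):
    """True if an Internet client could reach port 53 over tcp or udp.
    Either transport is enough; amplification abuse typically uses udp."""
    rules = parse_rules(text)
    return any(verdict(rules, outside_ip, p) == "ACCEPT" for p in ("tcp", "udp"))


def audit(text, outside_ip="203.0.113.5", local_ip="192.168.1.20"):
    """Summarise what the ruleset does for an outside client and a local one."""
    rules = parse_rules(text)
    return {
        "outside_udp": verdict(rules, outside_ip, "udp"),
        "outside_tcp": verdict(rules, outside_ip, "tcp"),
        "local_udp": verdict(rules, local_ip, "udp"),
        "open_resolver": is_open_resolver(text, outside_ip),
    }


if __name__ == "__main__":
    for name, text in (("filtered", FILTERED_RULES), ("firewall-off", OPEN_RULES)):
        print(name, audit(text))
```

Feed it the real output of `iptables-save` on an Operator box and `open_resolver` tells you whether the 192.168.0.0/16-style ACCEPT rules are followed by the catch-all DROPs; a ruleset that accepts from 0.0.0.0/0, or has no port-53 rules because provisioning was unchecked, comes back True.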
KerioNL
Jeeves_ wrote on Wed, 27 March 2013 09:43:
    Operator does not need to answer DNS questions (why does it even run a resolver?)


We are wondering about the same. What does phone provisioning do that it needs a resolver? And can't this be handled by the default resolver(s) in the network?
Filip Jenicek (Kerio)
Default installation of Operator 2.1.0 looks like this:
[screenshot attachment]

The local DNS resolver is provided by the built-in DHCP server to the phones, so that they are able to resolve addresses of LDAP servers, etc. There are scenarios where phones are used in a private VLAN with no Internet access.

I don't see any reason to block or argue about the DNS resolver. You definitely don't want to allow phone provisioning to be open to the Internet, mostly due to the fact that the TFTP server can serve a lot of sensitive data.

Filip

Jeeves_

Ok, so fortunately it is filtered by default. Which is great. However, the recursor running is PowerDNS, and the DHCP server you're using is dnsmasq (which is capable of answering DNS questions). pdns doesn't come with dnsmasq. You guys enabled it. I'd say "Don't start pdns unless phone provisioning is enabled".

Filip Jenicek (Kerio)
Not fortunately, it's enabled on purpose. Pdnsd is used as a caching proxy in front of Asterisk.
fishtech
Hi,

Just to clarify the above... is the solution to set Firewall > Phone provisioning to Local clients? Will this affect remote iPhones using Operator Mobile?

I ask since I just got the following email from my ISP:

A host accessible from the Internet at IP address (my.operator.ip.address)
from your Internet service has been recently used in at least
one distributed denial of service attack (DDOS) against
another organization on the Internet. This letter is intended
to help you resolve this problem and protect your service.

These attacks have been facilitated through DNS amplification
attacks. AT&T has detected these attacks and has confirmed
that the IP address (my.operator.ip.address) allocated to your Internet
access account is accessible from the Internet as an open DNS
resolver. An open DNS resolver allows users on the Internet to
perform DNS requests on your server. At least one malicious
actor has been found to abuse your DNS service to attack other
Internet subscribers. This abuse presents additional load on
your Internet access and your server, which could result in
unreliable service.

An open DNS resolver is considered an insecure configuration
and in the majority of cases, Internet subscribers should not
operate an open DNS resolver. The open DNS resolver may be
present due to a default operating system installation or
system configuration issue. In some cases, we have found
network devices such as home routers have flaws that expose
DNS service to the Internet.

Although we do not believe you have any direct contribution to
the attacks, the fact that others are facilitating attacks
through the service you are hosting constitutes a violation of
the AT&T Acceptable Use Policy. AT&T Network Security is
requesting that you take actions to disable access to this DNS
server from the Internet or to implement suitable controls to
minimize or stop this abuse.

The following site may provide additional helpful information
for configuring your DNS services:
http://www.team-cymru.org/Services/Resolvers/instructions.html

If your environment requires you to run an open DNS server,
please limit access via an ACL, rate limiting, or another
method to assure your server cannot be used effectively in
attacks.

Thank you for your prompt attention to this matter. We welcome
your feedback and questions on this matter. Please contact us
at abuse<_at_>att.net, and we will be happy to help address
questions you may have.


Many thanks,

ft.

[Updated on: Tue, 24 September 2013 20:36]

Filip Jenicek (Kerio)
Hi fishtech,

the answer is no, it won't affect softphones. For softphones, all you need to enable is Webserver + SIP.

However, thank you for pointing this out, as we may have found a more serious issue. Phone provisioning should really be handled with care and never be accessible to the public. One could easily fetch SIP passwords or create new SIP accounts. An open DNS resolver would then be the last thing to care about. We will consider some modifications of the Administration interface to provide more information.

Thanks,
Filip


fishtech
OK, thanks.

Just to confirm, in the short term, will setting Firewall > Phone provisioning > Local clients fix the open DNS responder issue?

Thanks,

ft.