23 Mar
Posted by i.nconspicuo.us as Tech/Web
While working with a number of online merchants that accept credit card payments online, I have found that GoDaddy's DNS servers fail PCI compliance scans. Specifically, the GoDaddy DNS servers failed the DNS Amplification Denial of Service test run by TrustKeeper. The scanner's finding and failure message are reproduced below.

The DNS server answers all queries, providing additional delegation information to arbitrary IP addresses. It is possible to send a query for the root zone (.) to the DNS server, and get an answer that is much larger than the query (often more than 20 times in size). An attacker could spoof the source IP address of the query, causing the DNS server to respond to the source IP with the larger answer. An attacker could focus these answers on a single target, resulting in a Denial of Service for that IP.

Additionally, the amplification attack represents a risk to the DNS server in the form of Denial of Service. The server would have reduced ability to respond to legitimate DNS queries due to consumed system resources and higher network traffic levels.

Verification of this must be done from a host that is not on the network/intranet of the DNS server. Command to verify from a UNIX based system: ‘dig -t NS . @IP.OF.DNS.SERVER’ or ‘host -v -t NS . IP.OF.DNS.SERVER’. On Windows, run ‘nslookup -type=NS . IP.OF.DNS.SERVER’. If the response received includes answer and additional sections that list a number of hosts (often on ‘root-servers.net’), then the system is vulnerable. The SANS Internet Storm Center has also provided an online tool to verify this issue (see the link to sans.org in the references).
Note: Vulnerabilities which result only in denial of service do not affect PCI compliance; however, they may still be critical to your systems.
Service: -
CVE: CVE-2006-0988, CVE-2006-0987
NVD: CVE-2006-0988, CVE-2006-0987
Reference: http://www.isotf.org/news/DNS-Amplification-Attacks.pdf
Reference: http://isc.sans.org/dnstest.html
Reference: http://isc.sans.org/diary.html?storyid=5713
Reference: http://www.nabble.com/ISC-BIND-Amplification-Attacktd21670165.html
Reference: http://zytrax.com/books/dns/ch7/
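The scanner's check can be reproduced without dig/host/nslookup, which also makes it easy to measure the amplification factor it refers to. The script below is an added example and is not part of the original post or of TrustKeeper's tooling. It builds the same root-zone NS query on the wire, parses the reply (including RFC 1035 name compression), and applies the scanner's criterion: a NOERROR reply with both an answer and an additional section listing hosts. It also reports the RA (recursion available) flag, since a server that offers recursion to arbitrary clients is the usual reason such a reply comes back. The two sample replies are constructed inline so the parser can be exercised offline; the addresses in them come from the RFC 5737 documentation range and are not real root-server addresses.

```python
"""Root-zone NS amplification check, in the spirit of `dig -t NS . @server`."""
import socket
import struct
import sys

QTYPE_A, QTYPE_NS, QCLASS_IN = 1, 2, 1


def build_root_ns_query(txid=0x1234):
    """Wire form of the scanner's query: one question for '.' NS IN, RD set (17 bytes)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b"\x00" + struct.pack("!HH", QTYPE_NS, QCLASS_IN)  # root = empty label
    return header + question


def read_name(msg, offset):
    """Decode a name at offset, following compression pointers; return (name, end_offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # 2-byte pointer, top two bits set
            if end is None:
                end = offset + 2             # the name in the record ends after the pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) or ".", end if end is not None else offset


def analyse_response(query, response):
    """Parse a reply to build_root_ns_query() and report what the scanner keys on."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch")
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        _, off = read_name(response, off)
        off += 4
    nameservers, glue = [], {}
    for _ in range(an + ns + ar):
        owner, off = read_name(response, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == QTYPE_NS:
            nameservers.append(read_name(response, off)[0])
        elif rtype == QTYPE_A and rdlen == 4:
            glue[owner] = ".".join(str(b) for b in response[off:off + 4])
        off += rdlen
    rcode = flags & 0x0F
    return {
        "rcode": rcode,
        "recursion_available": bool(flags & 0x0080),
        "answer": an, "authority": ns, "additional": ar,
        "nameservers": nameservers, "glue": glue,
        "amplification": len(response) / len(query),
        # Scanner's criterion: answer *and* additional sections that list hosts.
        "amplifier": rcode == 0 and an > 0 and ar > 0,
    }


def build_sample_amplified_response(txid=0x1234):
    """Constructed (not captured) reply of the kind an open resolver gives for '. NS':
    13 NS records plus 13 A glue records, using name compression for the shared suffix."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, 13, 0, 13)   # QR RD RA, NOERROR
    msg += b"\x00" + struct.pack("!HH", QTYPE_NS, QCLASS_IN)
    suffix_ptr = None
    for i in range(13):
        letter = bytes([ord("a") + i])
        if suffix_ptr is None:
            # 'root-servers.net' starts 2 bytes into the first rdata; later names point at it.
            suffix_ptr = struct.pack("!H", 0xC000 | (len(msg) + 1 + 10 + 2))
            rdata = b"\x01" + letter + b"\x0croot-servers\x03net\x00"
        else:
            rdata = b"\x01" + letter + suffix_ptr
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_NS, QCLASS_IN, 518400, len(rdata)) + rdata
    for i in range(13):                      # glue: constructed RFC 5737 addresses
        owner = b"\x01" + bytes([ord("a") + i]) + suffix_ptr
        msg += owner + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 3600000, 4) + bytes([192, 0, 2, i + 1])
    return msg


def build_sample_refused_response(txid=0x1234):
    """Constructed reply from a server that does not serve '.' to arbitrary clients:
    REFUSED with the question echoed back, so no larger than the query itself."""
    return struct.pack("!HHHHHH", txid, 0x8105, 1, 0, 0, 0) + b"\x00" + struct.pack("!HH", QTYPE_NS, QCLASS_IN)


def probe(server_ip, timeout=3.0):
    """Live check over UDP/53; run it from outside the server's own network, as the scanner notes."""
    query = build_root_ns_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        response, _ = sock.recvfrom(4096)
    return analyse_response(query, response)


if __name__ == "__main__":
    r = probe(sys.argv[1])
    print(f"rcode={r['rcode']} RA={r['recursion_available']} answer={r['answer']} "
          f"additional={r['additional']} amplification={r['amplification']:.1f}x "
          f"-> {'VULNERABLE' if r['amplifier'] else 'not an amplifier'}")
    for host in r["nameservers"]:
        print(f"  NS {host} {r['glue'].get(host, '')}")
```

Against the constructed open-resolver reply the factor is about 27x for a 17-byte query, which is the order of magnitude the scanner describes; the REFUSED reply is exactly the size of the query, so there is nothing to amplify. A real `dig` adds an EDNS0 OPT record and so sends a slightly larger query, which the factor would need to account for.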
6 Responses
DP
March 24th, 2009 at 8:47 am
My understanding was that ASVs could not fail clients on DoS since technically you can’t test DoS. Your opinion?
Lawrence Pingree
April 3rd, 2009 at 2:54 pm
I’m concerned as to why you are disclosing this, as it seems questionable ethically. Have you reported this to GoDaddy and given them time to try and fix this issue? If not, you are not practicing appropriate ethical disclosure.
i.nconspicuo.us
April 3rd, 2009 at 7:23 pm
Yes Lawrence, I’ve contacted GoDaddy and they have said that they have no plans to change the way their DNS servers currently work.
Teresa
April 14th, 2009 at 2:47 pm
I have found AT&T Yahoo ISP’s DNS servers to be non-compliant as well. And they too have refused to change their DNS servers for “just one customer”. Can you recommend an ISP provider with PCI compliant DNS servers? Thanks.
i.nconspicuo.us
April 15th, 2009 at 5:56 pm
Hi Teresa -
We just tried moving our domains to namecheap.com (they offer free DNS) and they were non-compliant as well, but they seem to be willing to work with us on getting the issue resolved. I’ll definitely keep you all posted.
Teresa
April 24th, 2009 at 1:35 pm
The vulnerability scans for PCI compliance were stating that my DNS server had a problem of allowing third-party recursive queries and thus they failed the scan. I have done more digging and discovered it was actually my DSL modem/router that was allowing third-party recursive look-ups and NOT AT&T’s DNS servers. I have resolved the problem with my router, passed the vulnerability scan and am now PCI compliant. And I am still using AT&T’s DSL service with their DNS. So AT&T’s DNS is compliant.