Open DNS Resolver Vulnerability
Hi there,
I received an email from internet-security@virginmedia.com yesterday stating that a device connected to my home network had been identified as having a potential Open DNS Resolver (ODNSR) Vulnerability.
Long story short, I think I’ve managed to correctly place a block on port 53 on my TP-Link router (double-checked using a variety of termux, powershell and terminal commands in Android, Windows and Mac OS plus various ODNSR checker websites).
I’m happy if anyone in the community can answer these questions, however I would appreciate if someone directly from Virgin Media can reach out to me. The email from internet-security@virginmedia.com says I cannot respond directly. After calling Virgin Media support, they simply say they cannot help and direct me back to the email so I’m stuck in a loop.
Here are my questions:
1) My network configuration has fundamentally not changed in approx 5 years and at no point during that time was I ever contacted regarding any potential vulnerabilities. Am I to assume this issue has only just been flagged on Virgin Media’s system? Has something happened within the past day or two (i.e. a security breach with my network) that has triggered Virgin Media to email me?
2) Since I’ve made the necessary changes on my router, can I get some clarity from Virgin Media confirming that there is no longer an ODNSR vulnerability with my network? If there is, I need to know what more I can do to resolve this and if there’s any way I can verify that the fixes have been implemented correctly.
3) Call me being a little presumptuous, but are there any other security vulnerabilities that I need to be aware of? I’m generally very good with my online and networking security so would appreciate if someone could verify if the ODNSR vulnerability was the only flaw that had been flagged at my IP address so I can act upon it.
4) Admittedly I’ve never had to deal with an ODNSR vulnerability before. Would it be advisable for me to go through and change all our network and online account/email passwords at this time as a precaution or is it not necessary?
Many thanks in advance,
Matt
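
Added example, not part of the original post and not a Virgin Media tool: one way to check the port 53 block described above is to send a single recursive DNS query to the connection's public IP over UDP and classify the reply by its header flags. The function names, the `example.com` query name and the transaction ID are illustrative assumptions.

```python
import socket
import struct
import sys

QR_FLAG = 0x8000   # set on responses
RA_FLAG = 0x0080   # "recursion available" bit in the DNS header
REFUSED = 5        # RCODE REFUSED


def build_query(name, txid):
    """Build a DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def classify_response(data, txid):
    """Classify a raw UDP reply (None means timeout) to a recursive query."""
    if data is None:
        return "no-response"        # port filtered or nothing listening
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & QR_FLAG:
        return "malformed"
    rcode = flags & 0x000F
    if rcode == REFUSED:
        return "refused"            # a DNS service is reachable but declines
    if flags & RA_FLAG and rcode == 0 and ancount > 0:
        return "open-resolver"      # recursion performed for an outside client
    return "answered-without-recursion"


def probe(ip, name="example.com", timeout=3.0, txid=0x4D56):
    """Send one query to ip:53/udp and classify what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, txid), (ip, 53))
            data, _ = s.recvfrom(4096)
        except OSError:             # covers timeouts and ICMP unreachable
            data = None
    return classify_response(data, txid)


if __name__ == "__main__" and len(sys.argv) > 1:
    print(probe(sys.argv[1]))
```

Run it from a connection outside the home network (for example a phone on mobile data) against your own public IP, since a query sent from inside the LAN does not cross the router's WAN-side filter. With the block in place the expected result is `no-response`; `open-resolver` means port 53 is still answering recursive queries from the internet.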