
Open DNS Resolver Vulnerability

Matt787
Tuning in

Hi there,

I received an email from internet-security@virginmedia.com yesterday stating that a device connected to my home network had been identified as having a potential Open DNS Resolver (ODNSR) Vulnerability.

Long story short, I think I’ve managed to correctly place a block on port 53 on my TP Link router (double checked using a variety of Termux, PowerShell and terminal commands in Android, Windows and Mac OS plus various ODNSR checker websites).

I’m happy if anyone in the community can answer these questions, however I would appreciate if someone directly from Virgin Media can reach out to me. The email from internet-security@virginmedia.com says I cannot respond directly. After calling Virgin Media support, they simply say they cannot help and direct me back to the email so I’m stuck in a loop.

Here are my questions:

1) My network configuration has fundamentally not changed in approx 5 years and at no point during that time was I ever contacted regarding any potential vulnerabilities. Am I to assume this issue has only just been flagged on Virgin Media’s system? Has something happened within the past day or two (i.e. a security breach with my network) that has triggered Virgin Media to email me?

2) Since I’ve made the necessary changes on my router, can I get some clarity from Virgin Media confirming that there is no longer an ODNSR vulnerability with my network? If there is, I need to know what more I can do to resolve this and if there’s any way I can verify that the fixes have been implemented correctly.

3) Call me being a little presumptuous, but are there any other security vulnerabilities that I need to be aware of? I’m generally very good with my online and networking security so would appreciate if someone could verify if the ODNSR vulnerability was the only flaw that had been flagged at my IP address so I can act upon it.

4) Admittedly I’ve never had to deal with an ODNSR vulnerability before. Would it be advisable for me to go through and change all our network and online account/email passwords at this time as a precaution or is it not necessary?

 

Many thanks in advance,

Matt


legacy1
Alessandro Volta

The vulnerability is likely amplification for doing DDoS so not that bad

check here

https://www.thinkbroadband.com/tools/open-dns-resolver-check

---------------------------------------------------------------

用心棒
Very Insightful Person

@Matt787 wrote:


1) My network configuration has fundamentally not changed in approx 5 years and at no point during that time was I ever contacted regarding any potential vulnerabilities. Am I to assume this issue has only just been flagged on Virgin Media’s system? Has something happened within the past day or two (i.e. a security breach with my network) that has triggered Virgin Media to email me?

A trusted third-party has reported the issue to Virgin Media, likely The Shadowserver Foundation in this instance.


2) Since I’ve made the necessary changes on my router, can I get some clarity from Virgin Media confirming that there is no longer an ODNSR vulnerability with my network? If there is, I need to know what more I can do to resolve this and if there’s any way I can verify that the fixes have been implemented correctly.

If the vulnerability persists, further notification will be received.

Should you wish to scan your public IP address then use the dig command detailed here: MEDIUM: DNS Open Resolvers Report | The Shadowserver Foundation


3) Call me being a little presumptuous, but are there any other security vulnerabilities that I need to be aware of? I’m generally very good with my online and networking security so would appreciate if someone could verify if the ODNSR vulnerability was the only flaw that had been flagged at my IP address so I can act upon it.

If trusted third-parties found other vulnerabilities you would have received additional notification for those.



4) Admittedly I’ve never had to deal with an ODNSR vulnerability before. Would it be advisable for me to go through and change all our network and online account/email passwords at this time as a precaution or is it not necessary?

As legacy1 already stated, this is an amplification vulnerability, i.e. a miscreant directs a DNS query at your open resolver and similarly vulnerable IP addresses with their intended target's IP address, trying to overwhelm it with the DNS answer returned.

The reported vulnerability does not affect authentication credentials so there is no need to re-secure these.

-- 
I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media.

Matt787
Tuning in

Thank you both for the clarifications, I really appreciate it.

I did manage to get through to a VM live chat agent yesterday and they did verify that I had implemented the fix correctly.

The interesting thing I found was that basically all the website checks I did (like the Think Broadband one legacy1 linked to) all said there were no issues with ODNSR at my IP address prior to blocking port 53 on my router, yet when I tested using various commands (namely dig, telnet, nc, and test-netconnection) they all clearly identified the vulnerability.

Am I correct in assuming 3rd party site/online checks are not something to be solely relied on for something like this? If I hadn't double checked using commands, I might have just brushed things off with the vulnerability still being present.
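
Added example, not part of any post in this thread: a small Python check that sends one UDP DNS query with recursion requested (the same kind of query a dig lookup against the address sends) and classifies the reply by its header flags. The function names, the verdict strings, the `example.com` test name and the sample replies are constructed for illustration.

```python
import socket
import struct
import sys

TXID = 0x1234  # arbitrary transaction id, echoed back by the server

def build_query(name, txid=TXID):
    """DNS A/IN query with RD (recursion desired) set; dig also sets RD by default."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    parts = name.strip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(response, txid=TXID):
    """Map a raw UDP reply (or None on timeout) to a verdict string."""
    if response is None:
        return "no-response"          # dropped or filtered: nothing to amplify
    if len(response) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:   # wrong id, or QR bit not set
        return "malformed"
    if flags & 0x000F == 5:
        return "refused"              # RCODE 5: reachable, but recursion denied
    if flags & 0x0080 and flags & 0x000F == 0 and ancount > 0:
        return "open-resolver"        # RA set and an answer record came back
    return "no-recursion"

def probe(ip, name="example.com", timeout=3.0):
    """Send one query to ip:53 over UDP and classify what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (ip, 53))
            data, _ = s.recvfrom(4096)
        except OSError:               # includes socket.timeout
            return classify(None)
    return classify(data)

# Constructed sample replies (not captured traffic) for offline checking.
_Q = build_query("example.com")[12:]
_A = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
SAMPLE_OPEN = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0) + _Q + _A
SAMPLE_REFUSED = struct.pack("!HHHHHH", TXID, 0x8105, 1, 0, 0, 0) + _Q

if __name__ == "__main__":
    print(classify(SAMPLE_OPEN), classify(SAMPLE_REFUSED))
    if len(sys.argv) > 1:
        print(sys.argv[1], probe(sys.argv[1]))
```

Run it from a connection outside the home network against your own public IP address; `no-response` or `refused` is the result to expect once port 53 is blocked on the router.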