A year ago, I gave up on Windows. I was tired of the nervous eggshell feeling with anti-virus software, security patches, and a machine that would mysteriously be slower and slower no matter what I did.
Because of MacOSX Unix roots, I made the switch to MacOSX confident that my personal computer would be safe.
This faith has been severely shaken. I now regard MacOSX as one of the most INSECURE operation systems.
MacOSX has a dangerous default DNS/DHCP configuration. Even worse, this dangerous configuration can not be fixed from the UI. Even the command line fix is difficult. And worst of all Apple is aware of this and does nothing.
There are 5 bits of background you should know:
- DNS is a fundamental part of the internet. DNS is the ‘name resolution’ service that converts ‘mail.google.com’ into the ipaddress: ‘74.125.19.19′ which is what your computer really uses to contact GMail servers so you can read your email. This conversion from the human readable ‘mail.google.com’ to ‘74.125.19.19′ is analogous to the post office converting the postal address on your snail mail envelope to a Zip+4 encoding that is printed at the bottom of the envelope. This encoding is what is actually read by the postal service mail sorting machines to determine where your snail mail goes. Now imagine that the postal service’s encoding machine was compromised. This compromised postal encoding machine was changed so that no matter what the Zip+4 code was supposed to be the machine always encoded the location of Dick Cheney’s house. As a result, all your mail that was processed by that compromised postal service would go first to Dick Cheney. Dick Cheney would get a chance to open all your snail mail, read it, copy it, etc. He could then reseal the original envelope, reencode the envelope with the correct barcode and put the envelope back in the postal service system to be delivered to the correct address. so that no matter what address you had actually printed on your envelope. All this would happen without you being aware of the problem nor able to stop it from happening.
Everything internet related depends on correct translation of ‘apple.com’ or ‘bankofamerica.com’ to the correct IP address, not some third party server. How does the your machine know that it is communicating with apple.com and not some evil server? Your computer relies on the DNS lookup being correct. If the DNS lookup is compromised then when your software update runs to check for the latest security patches it is really installing a virus from evilserver.com not apple.com.
There has been recent concern about DNS spoofing. ( links ). Being the cautious person that I am, I decided to explicitly listed opendns.org’s DNS servers (208.67.222.222 and 208.67.220.220) as the DNS Servers to trust in my Network configuration. I felt pretty cocky and safe.
- The second bit of the puzzle is DHCP. In order to talk to the world, computers need to have their own personal unique ipaddress (it’s very own ZIP+4 code). Every time you go into an internet cafe and pop open your laptop, your laptop uses the DHCP service to figure out what unique ipaddress (192.168.1.101) it should use while you are in that cafe. DHCP is nice because otherwise you would have to manually figure out and set an ipaddress for your computer that is different than everyone else’s laptop. And if someone else picks the same address as you did, all of a sudden your internet connection starts behaving odd. In addition to supplying a ipaddress, the DHCP server also supplies a DNS server that should be used. This is useful when you have your laptop at work and you need to go to an internal website such as http://go/wave Notice there is no ‘.org’, or ‘.com’ after ‘http://go/’ this means that ‘go’ is only visible when you are at work and can access the internal DNS server using the information that the corporate DHCP server supplied to your laptop.
So to summarize DHCP supplies your laptop with the information needed for the world to talk to your laptop ( by assigning an ipaddress to your computer) , and helps you find out about the world (by telling your computer about the corporate DNS server). DNS servers enables your laptop talk to the world by giving your laptop a ‘go-to-machine’ for all its addressing questions.
- Third, DNS servers are usually big expensive computers secured by “smart people”. However, the DHCP server is really just a bit of software running on a Linksys router at your internet cafe. Your internet cafe’s Linksys router probably has the default password and no one ever checks on it. There are millions of this routers, with minimal security, no one checking on them and your laptop is trusting these unsecured routers with the keys to your kingdom. Your laptop is asking this router — “tell me which DNS server to trust?”
- Fourth, Lets say that you are paranoid enough to say ” ohh this is bad. I am not going to trust such a router in a greasy, dark corner with telling my precious laptop which DNS server to trust.” So if you are like me you configure your laptop with an explicit list of DNS servers thinking that your laptop, especially your oh-so-secure Mac would never disobey you about something so critical as DNS.
- Fifth, you would be wrong. The insecure MacOSX does disobey and it does trust that greasy spoon router over you. MacOsX doesn’t let the user (YOU!) say that only certain machines are allowed to be your laptop’s DNS servers! Furthermore even if you have supplied your own custom DNS servers that you trust, the insecure MacOSX trusts the greasy spoon DHCP server’s DNS servers over your trusted DNS servers. And there is NO way to convince MacOSX otherwise.
This means that if the DHCP server at your internet cafe has been compromised you are as well.
How I found out
So here I am feeling all cocky and safe. I type in my company’s web address, ‘amplafi.net’ and amplafi.net resolved to 113.29.236.168 which offered that the website was for sale!… I freaked out!
I discovered my MacOSX laptop was insisting on trusting these EVIL DNS servers 206.13.28.12 206.13.31.12 . Was the 10.5.8 OSX patch that was installed 6 hours ago really what it seemed? Who knows? When I installed updates to Firefox plugins was I really installing the correct versions or a compromised version that would report back to some site in Russia all my bank account information? I have no way of knowing.
This is the really scary part about everything. John Simpson reports:
Under 10.4 and earlier, when I specified a custom nameserver, the system would use only the nameserver(s) I specified. However, under 10.5 Apple has apparently changed that behavior, and uses my specified nameservers in addition to the DNS servers specified by the DHCP server. It shows the DHCP-provided server IP on the list, greyed out, so you can’t delete it.
For a while, I adopted a “grin and bear it” attitude — after all, the DHCP server at home is handing out the IP of my internal Linux server (also running djbdns) as the DNS server, so I was only unsafe when I used the laptop outside the house. However, with the recently announced vulnerability in the DNS protocol, the massive world-wide patch effort by major DNS vendors, and the fact that many networks haven’t applied the patches yet, I don’t really feel safe relying on anybody else’s nameservers.
I tried calling Apple about this, but it turns out that my AppleCare contract doesn’t cover technical support such as this.
My next approach was to just brute-force search the system for anything relating to DHCP. It took a while, but I was able to find the file which needed to be changed, and figure out the necessary changes. Basically, I found a file which controls which options are used by the DHCP client when handling a response from a DHCP server. I removed the DNS-related options from this list, and after rebooting the system, the laptop now ignores the DNS server options being sent by the DHCP server.
The file I found is named IPConfiguration.xml, and it’s buried in this folder: /System/Library/SystemConfiguration/IPConfiguration.bundle/Contents/Resources. You need to create a copy of that file, edit the copy, and remove a few entries in the DHCPRequestedParameterList key. (The entries to remove are those for 6, 15, and 119.) I have added full details on this process to my djbdns setup page, in the section titled Disabling DNS servers from DHCP.
Thankfully I found this web page from 2008(!) that showed how to fix this problem (thanks John M. Simpson):
It is possible to make the DHCP client ignore the “DNS server” options in the DHCP response. It’s not for the faint of heart, but if you’ve been able to handle the rest of the instructions on this page, you can handle this bit as well.
I have done this on my own laptop (a MacBook Pro) and it does work.
Be aware that this is a GLOBAL change. If you do this, your machine will not use the DNS servers specified by any DHCP server. This may affect your machine’s ability to easily work with corporate networks (especially those using Windows Active Directory) or other networks which use private DNS namespaces.
$ sudo -s
Password: You will not see your password as you enter it.
# cd /System/Library/SystemConfiguration/IPConfiguration.bundle/Contents/Resources
# vi IPConfiguration.xml
Find this block...
<key>DHCPRequestedParameterList</key>
<array>
<integer>1</integer>
<integer>3</integer>
<integer>6</integer>
<integer>15</integer>
<integer>119</integer>
<integer>95</integer>
<integer>252</integer>
<integer>44</integer>
<integer>46</integer>
<integer>47</integer>
</array>
Comment out the 6, 15, and 119 entries. The result should look like this:
<key>DHCPRequestedParameterList</key>
<array>
<integer>1</integer>
<integer>3</integer>
<!-- commented out so that Bad DNS servers coming from DHCP servers
are not used.
<integer>6</integer>
<integer>15</integer>
<integer>119</integer>
-->
<integer>95</integer>
<integer>252</integer>
<integer>44</integer>
<integer>46</integer>
<integer>47</integer>
</array>
Save your changes.
Be sure to flush the DNS cache.
On MacOsX:
dscacheutil -flushcache
I have tried John’s suggestion and those scary DNS servers are no longer present. But has my machine been compromised already? I will be visiting the apple store in a few hours asking for answers.
The story continues. I was sitting next to a customer. On her windows box she was picking up the same bad DNS servers. It wasn’t until later when I got home that I discovered all this information. I suspect (but am not completely certain) that windows will not override an explicitly specified DNS server.
Update: So after talking with some people, its pretty clear that MacOsX shares this issue with Windows XP because offering out internal DNS servers is part of what DHCP does. However with Windows XP, it is easy to explicitly lock down the DNS servers.
How to lock down a Windows XP box with safe DNS servers:
On Windows:
To clear Windows DNS cache:
ipconfig /flushdns
