[K12OSN] Major DNS security patch
John Lucas
mrjohnlucas at gmail.com
Wed Jul 16 11:15:44 UTC 2008
There is an important patch for DNS servers that mitigates a critical flaw in
the DNS protocol. For the first time there has been a coordinated patch release
from all major vendors across all major platforms to try to avoid massive DNS
spoofing attacks.
I first learned of this from this Slashdot article:
http://it.slashdot.org/article.pl?sid=08/07/08/195225
This came about due to a major new exploit discovered by Dan Kaminsky.
Controversially, he has not made the details of the exploit widely available;
he will be revealing the details at the Blackhat conference in August. His
reason for not revealing the details was to allow some time for the vendors to
release patches and for admins to deploy them. He has been slammed for not
revealing the details. In response he has shown his "goods" to a small number
of security professionals. Paul Vixie (if you don't know who he is, see:
http://en.wikipedia.org/wiki/Paul_Vixie) has probably given the most
authoritative response:
http://www.circleid.com/posts/87143_dns_not_a_guessing_game/
It is extremely important that system administrators deploy these patches and
try to get your ISPs to do so as well. The effectiveness of the patch also
depends on "randomizing" the source query port of the DNS server. You can test
your patches and configuration from the command line with the following (from
Paul Vixie's blog):
dig porttest.dns-oarc.net in txt
If you need a GUI test, there is one on Dan Kaminsky's blog site:
http://www.doxpara.com/
If you run your own DNS server (like me) it's up to you to upgrade; CentOS has
the patch in their yum repositories.
If you are dependent on your ISP's DNS servers and they don't come up to snuff,
you should consider using the OpenDNS servers instead of the ISP's:
http://www.opendns.com/
I've tested two local ISPs and both have applied the patch but (so far) have
failed to adjust their configuration to use random query ports, so I have begun
using OpenDNS servers on sites not running their own DNS.
This patch is a no-brainer. Do your part to protect this vital part of the
Internet Infrastructure.
--
"History doesn't repeat itself; at best it rhymes."
- Mark Twain
| John Lucas MrJohnLucas at gmail.com |
| St. Thomas, VI 00802 http://mrjohnlucas.googlepages.com/ |
| 18.3°N, 65°W AST (UTC-4) |
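As an added illustration (not part of the original post, and not OARC's code), here is a small Python helper that judges a sample of a resolver's outbound source ports the way the porttest check does at a high level: a resolver that is patched but still sends every query from one fixed port leaves only the 16-bit transaction ID for an off-path spoofer to guess. The port samples and the GOOD/FAIR/POOR thresholds are constructed assumptions, not OARC's actual scoring.

```python
import math
import statistics

# Constructed samples (not real captures): source ports seen on a resolver's
# outbound queries. A patched server with "query-source port 53" still looks
# like the first list; a server using random ports looks like the second.
FIXED_PORT_SAMPLE = [53] * 26
RANDOM_PORT_SAMPLE = [31744, 52210, 1237, 60431, 8822, 44109, 29981, 17654,
                      55120, 3390, 41877, 62003, 12345, 27710, 49550, 6011,
                      35667, 58209, 20018, 47331, 9876, 64020, 15432, 38900,
                      23077, 51222]

TXID_BITS = 16            # DNS transaction ID is a 16-bit field
NARROW_SPREAD = 4096      # assumed threshold: ports confined to a small band


def assess_ports(ports):
    """Summarise how well a resolver's source ports are randomised.

    Returns distinct port count, population standard deviation, the extra
    bits of guessing work beyond the transaction ID (a lower bound from the
    distinct ports actually observed) and a GOOD/FAIR/POOR verdict.
    """
    if not ports:
        raise ValueError("need at least one observed port")
    distinct = len(set(ports))
    stdev = statistics.pstdev(ports) if len(ports) > 1 else 0.0
    spread = max(ports) - min(ports)
    extra_bits = math.log2(distinct)       # 0 when every query uses one port
    if distinct == 1:
        verdict = "POOR"                   # only the 16-bit TXID protects the cache
    elif spread < NARROW_SPREAD:
        verdict = "FAIR"                   # ports vary, but within a narrow band
    else:
        verdict = "GOOD"
    return {
        "distinct": distinct,
        "stdev": round(stdev, 1),
        "extra_bits": round(extra_bits, 2),
        "total_guess_bits": round(TXID_BITS + extra_bits, 2),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORT_SAMPLE), ("random", RANDOM_PORT_SAMPLE)):
        print(name, assess_ports(sample))
```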