[K12OSN] Major DNS security patch

John Lucas mrjohnlucas at gmail.com
Wed Jul 16 11:15:44 UTC 2008


There is an important patch for DNS servers that mitigates a critical flaw in 
the DNS protocol. For the first time there has been a coordinated patch release 
from all major vendors across all major platforms to try to avoid massive DNS 
spoofing attacks.

I first learned of this from this Slashdot article:
	http://it.slashdot.org/article.pl?sid=08/07/08/195225

This came about due to a major new exploit discovered by Dan Kaminsky. 
Controversially, he has not made the details of the exploit widely available; 
he will be revealing the details at the Black Hat conference in August. His 
reason for not revealing the details was to allow some time for the vendors to 
release patches and for admins to deploy them. He has been slammed for not 
revealing the details. In response he has shown his "goods" to a small number 
of security professionals. Paul Vixie (if you don't know who he is, see: 
http://en.wikipedia.org/wiki/Paul_Vixie) has probably given the most 
authoritative response:

http://www.circleid.com/posts/87143_dns_not_a_guessing_game/

It is extremely important that system administrators deploy these patches and 
to try to get your ISPs to do so as well. The effectiveness of the patch also 
depends on "randomizing" the source query port of the DNS server. You can test 
your patches and configuration from the command line with the following (from 
Paul Vixie's blog):

	dig porttest.dns-oarc.net in txt

If you need a GUI test, there is one on Dan Kaminsky's blog site:

	http://www.doxpara.com/

If you run your own DNS server (like me) it's up to you to upgrade; CentOS has 
the patch in their yum repositories.

If you are dependent on your ISP's DNS servers and they don't come up to snuff, 
you should consider using the OpenDNS servers instead of the ISP's:

	http://www.opendns.com/

I've tested two local ISPs and both have applied the patch but (so far) have 
failed to adjust their configuration to use random query ports, so I have begun 
using OpenDNS servers on sites not running their own DNS.

This patch is a no-brainer. Do your part to protect this vital part of the 
Internet Infrastructure.

-- 
         "History doesn't repeat itself; at best it rhymes."
                         - Mark Twain

| John Lucas                MrJohnLucas at gmail.com               |
| St. Thomas, VI 00802      http://mrjohnlucas.googlepages.com/ |
| 18.3°N, 65°W              AST (UTC-4)                         |
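An added example, not part of John's message or of the porttest service: the 
dig command above needs network access to DNS-OARC, but the same judgement can 
be made offline from a capture of the resolver's own outbound queries (for 
example the UDP source ports seen with tcpdump on port 53). The script below 
rates a batch of observed source ports as fixed, sequential or randomised, 
and works out why the randomisation matters: a blind spoofer who only has to 
guess the 16-bit transaction ID needs far fewer forged replies than one who 
must also guess the source port. The rating thresholds, the guessing model 
and the sample port lists are this example's own assumptions, not DNS-OARC's 
porttest criteria or anything John measured.

```python
"""Added example (not from the original message): offline check of whether a
resolver randomises the UDP source port of its outgoing queries, plus the
arithmetic behind why that matters for blind spoofing.

Input is the list of source ports observed on the resolver's outbound port-53
queries (e.g. from tcpdump). Thresholds and sample data are this example's own
assumptions, not DNS-OARC's porttest criteria.
"""
import math
import random
import statistics

TXID_SPACE = 1 << 16   # a DNS transaction ID is 16 bits
PORT_SPACE = 1 << 16   # upper bound on the source-port range a resolver can use


def rate_source_ports(ports):
    """Classify a batch of observed source ports as POOR / GOOD / GREAT.

    POOR:  a single fixed port, or an incrementing sequence (predictable).
    GOOD:  varied, but drawn from a narrow range (assumed: stdev < 10000).
    GREAT: spread across most of the 16-bit range.
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    distinct = len(set(ports))
    stdev = statistics.pstdev(ports)
    diffs = [b - a for a, b in zip(ports, ports[1:])]
    # Call it sequential when >= 80% of consecutive differences are exactly +1
    sequential = sum(1 for d in diffs if d == 1) >= 0.8 * len(diffs)
    if distinct == 1 or sequential:
        rating = "POOR"
    elif stdev < 10000:          # assumed threshold for "narrow range"
        rating = "GOOD"
    else:
        rating = "GREAT"
    return {"queries": len(ports), "distinct_ports": distinct,
            "stdev": round(stdev, 1), "rating": rating}


def forged_replies_for(success_prob, port_choices):
    """Forged replies a blind off-path attacker must send so that the chance of
    at least one matching both TXID and source port reaches success_prob,
    assuming uniform independent guesses (a simplified model).

    port_choices is 1 for a fixed source port, PORT_SPACE for full randomisation.
    """
    space = TXID_SPACE * port_choices
    # P(all n guesses miss) = (1 - 1/space)^n ; solve (1 - 1/space)^n = 1 - p
    return math.ceil(math.log(1 - success_prob) / math.log1p(-1.0 / space))


# Constructed sample captures (not real measurements).
FIXED_PORTS = [53] * 40                      # e.g. named.conf pinning the query source port
SEQUENTIAL_PORTS = list(range(1024, 1064))   # incrementing ephemeral port
_rng = random.Random(2008)
NARROW_PORTS = [_rng.randint(32768, 33767) for _ in range(40)]   # random, but a 1000-port window
RANDOM_PORTS = [_rng.randint(1024, 65535) for _ in range(40)]    # random over the usable range


if __name__ == "__main__":
    samples = (("fixed", FIXED_PORTS), ("sequential", SEQUENTIAL_PORTS),
               ("narrow", NARROW_PORTS), ("random", RANDOM_PORTS))
    for name, sample in samples:
        print(f"{name:10s} {rate_source_ports(sample)}")
    print("forged replies for 50% success, fixed port :", forged_replies_for(0.5, 1))
    print("forged replies for 50% success, random port:", forged_replies_for(0.5, PORT_SPACE))
```

A resolver that is patched but still pins its query source port lands in the 
POOR bucket here, which is the situation John describes seeing at his two 
local ISPs: the fix only buys anything once the port actually varies.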



