
[K12OSN] Major DNS security patch



There is an important patch for DNS servers that mitigates a critical flaw in the DNS protocol. For the first time there has been a coordinated patch release from all major vendors across all major platforms to try to avoid massive DNS spoofing attacks.

I first learned of this from this Slashdot article:
	http://it.slashdot.org/article.pl?sid=08/07/08/195225

This came about due to a major new exploit discovered by Dan Kaminsky. Controversially, he has not made the details of the exploit widely available; he will be revealing the details at the Blackhat conference in August. His reason for not revealing the details was to allow some time for the vendors to release patches and for admins to deploy them. He has been slammed for not revealing the details. In response he has shown his "goods" to a small number of security professionals. Paul Vixie (if you don't know who he is, see: http://en.wikipedia.org/wiki/Paul_Vixie) has probably given the most authoritative response:

http://www.circleid.com/posts/87143_dns_not_a_guessing_game/

It is extremely important that system administrators deploy these patches and try to get their ISPs to do so as well. The effectiveness of the patch also depends on "randomizing" the source query port of the DNS server. You can test your patches and configuration from the command line with the following (from Paul Vixie's blog):

	dig porttest.dns-oarc.net in txt

If you need a GUI test, there is one on Dan Kaminsky's blog site:

	http://www.doxpara.com/

If you run your own DNS server (like me), it's up to you to upgrade; CentOS has the patch in their yum repositories.

If you are dependent on your ISP's DNS servers and they don't come up to snuff, you should consider using the OpenDNS servers instead of the ISP's:

	http://www.opendns.com/

I've tested two local ISPs and both have applied the patch but (so far) have failed to adjust their configuration to use random query ports, so I have begun using OpenDNS servers on sites not running their own DNS.

This patch is a no-brainer. Do your part to protect this vital part of the Internet Infrastructure.

--
        "History doesn't repeat itself; at best it rhymes."
                        - Mark Twain

| John Lucas                MrJohnLucas gmail com               |
| St. Thomas, VI 00802      http://mrjohnlucas.googlepages.com/ |
| 18.3°N, 65°W              AST (UTC-4)                         |
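The porttest check above works by watching which UDP source ports a resolver uses for a burst of queries and reporting how spread out they are. The following is an added example (not from the post above) that reproduces that assessment offline on constructed port samples; the GOOD/FAIR/POOR thresholds in it are assumptions, not DNS-OARC's published values.

```python
"""Rate DNS resolver source-port randomization from observed query ports.

Added example, not from the original post. The thresholds below are
assumptions standing in for whatever porttest.dns-oarc.net actually uses.
"""
import random
from statistics import pstdev

POOR_MAX_STDDEV = 296    # assumed: below this the ports are effectively guessable
GOOD_MIN_STDDEV = 3980   # assumed: at or above this the spread is adequate


def rate_source_ports(ports):
    """Return (rating, distinct_ports, stddev) for a list of observed ports.

    POOR covers both predictable patterns: a single fixed port (the
    pre-patch behaviour) and a constant-increment sequence, however widely
    those sequential ports happen to be spread.
    """
    if len(ports) < 3:
        raise ValueError("need at least three observed queries")
    distinct = len(set(ports))
    sd = round(pstdev(ports), 1)
    steps = {b - a for a, b in zip(ports, ports[1:])}
    if distinct == 1 or len(steps) == 1:
        return "POOR", distinct, sd
    if sd < POOR_MAX_STDDEV:
        return "POOR", distinct, sd
    if sd < GOOD_MIN_STDDEV:
        return "FAIR", distinct, sd
    return "GOOD", distinct, sd


# Constructed samples standing in for 26 captured query source ports.
_rng = random.Random(20080708)
FIXED_PORT = [53] * 26                                # unpatched: always 53
SEQUENTIAL = [32768 + i for i in range(26)]           # patched, but counting up
NARROW = _rng.sample(range(49152, 53248), 26)         # random within 4096 ports
RANDOMIZED = _rng.sample(range(1024, 65536), 26)      # random across ephemeral range

if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_PORT), ("sequential", SEQUENTIAL),
                         ("narrow", NARROW), ("randomized", RANDOMIZED)]:
        rating, distinct, sd = rate_source_ports(sample)
        print(f"{name:11s} {rating:4s} distinct={distinct:2d} stddev={sd}")
```

To apply it to a real resolver, feed it the source ports from a packet capture of its outbound queries, which is the same data porttest sees from the server side.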
