chipperMDW
Programmer
I haven't yet seen anything in this forum regarding the recently discovered vulnerability in DNS. Considering the scope and nature of this thing, I think a warning is in order.
Dan Kaminsky has discovered a serious flaw in DNS. Cache poisoning is easier than previously believed, and exploits have already been released since the issue became public. Here is a fairly good explanation of the problem; the short-term solution is to have resolvers use randomized source ports. Here are some resources to help test your setup.
In short, patch or upgrade your DNS servers, bother your ISPs to fix the issue on their servers if they haven't already, and bother your NAT device vendors to distribute fixes for your NAT devices (which likely negate any source port randomization you do inside the NAT-ted zone).
I'm amazed this isn't getting the publicity it deserves; many people are vulnerable to this and aren't going to know about it.
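An added example, not code from the post above or from any of the test resources it points to: an offline way to check the thing the post says to check, whether a resolver's outbound queries use randomized UDP source ports. The tcpdump-style lines and port lists are constructed; on a real setup you would capture `tcpdump -n udp port 53` on the public side of any NAT (since, as the post notes, a NAT device can rewrite the ports the resolver picked) and feed those lines in. The thresholds used for the GOOD/FAIR/POOR rating are my own rough choices, not a published standard.

```python
"""Offline check of DNS resolver source-port randomization.

Added example, not code from the original post or the linked test sites.
The tcpdump-style lines below are constructed to look like queries a
resolver sent to an authoritative test server.
"""
from __future__ import annotations

import math
import re
import statistics
from dataclasses import dataclass

# tcpdump -n prints a query as "IP <src>.<sport> > <dst>.53: <txid>+ A? name."
_QUERY_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)\+")


def parse_queries(tcpdump_lines: list[str]) -> list[tuple[int, int]]:
    """Return (source_port, txid) for every outbound query line in a capture."""
    found = []
    for line in tcpdump_lines:
        m = _QUERY_RE.search(line)
        if m:
            found.append((int(m.group(1)), int(m.group(2))))
    return found


@dataclass
class PortReport:
    samples: int
    distinct: int
    stdev: float        # spread of the observed ports (population std dev)
    sequential: bool    # each query used the previous port + 1
    unpredictable_bits: float  # at most log2(distinct); 0 if pattern is predictable
    rating: str         # "GOOD", "FAIR" or "POOR" (thresholds are this example's own)


def analyze_ports(ports: list[int]) -> PortReport:
    """Rate how randomized a resolver's UDP source ports look from outside."""
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    distinct = len(set(ports))
    sequential = all(b - a == 1 for a, b in zip(ports, ports[1:]))
    sd = statistics.pstdev(ports)
    predictable = sequential or distinct == 1
    bits = 0.0 if predictable else math.log2(distinct)
    if predictable or sd < 1000:
        rating = "POOR"   # fixed, counting up, or crammed into a tiny range
    elif sd < 10000 or distinct < 0.9 * len(ports):
        rating = "FAIR"   # some variation, but far from the full 16-bit space
    else:
        rating = "GOOD"
    return PortReport(len(ports), distinct, sd, sequential, bits, rating)


def expected_spoof_attempts(port_bits: float, txid_bits: int = 16) -> float:
    """Mean number of forged replies an off-path attacker must send before one
    matches an in-flight query's (port, txid) pair: half the search space.
    With a fixed port only the 16-bit TXID protects the lookup."""
    return 2 ** (port_bits + txid_bits) / 2


# Constructed capture: a resolver that always sends from port 32768.
FIXED_PORT_CAPTURE = [
    "IP 203.0.113.7.32768 > 198.51.100.2.53: 4127+ A? a1.test.example. (38)",
    "IP 203.0.113.7.32768 > 198.51.100.2.53: 51930+ A? a2.test.example. (38)",
    "IP 203.0.113.7.32768 > 198.51.100.2.53: 9006+ A? a3.test.example. (38)",
    "IP 203.0.113.7.32768 > 198.51.100.2.53: 27781+ A? a4.test.example. (38)",
]
# Constructed port sequences for the two other common cases.
SEQUENTIAL_PORTS = list(range(32768, 32788))
RANDOM_PORTS = [50321, 2210, 61437, 17778, 44005, 9312, 58876, 31059, 5442, 64100,
                22617, 40233, 12890, 54321, 3777, 47690, 28004, 60012, 15555, 36128]


if __name__ == "__main__":
    fixed_ports = [p for p, _ in parse_queries(FIXED_PORT_CAPTURE)]
    for name, ports in (("fixed", fixed_ports), ("sequential", SEQUENTIAL_PORTS),
                        ("random", RANDOM_PORTS)):
        r = analyze_ports(ports)
        print(f"{name:10s} {r.rating:4s} distinct={r.distinct} stdev={r.stdev:.0f} "
              f"attacker needs ~{expected_spoof_attempts(r.unpredictable_bits):.0f} spoofs")
```

Run it and the fixed and sequential cases come out POOR: with nothing but the TXID to guess, an attacker needs on the order of 2^15 forged replies per race, which is why the post says to patch now. Note that twenty samples can only ever show about four bits of port entropy, so treat the GOOD rating as "no obvious pattern" rather than proof of full randomization; capture more queries for a stronger statement.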