
Security Advisory: DNS Protocol Defect 1

Status
Not open for further replies.

chipperMDW

Programmer
Mar 24, 2002
1,268
US
I haven't yet seen anything in this forum regarding the recently discovered vulnerability in DNS. Considering the scope and nature of this thing, I think a warning is in order.

Dan Kaminsky has discovered a serious flaw in DNS. Cache poisoning is easier than previously believed, and exploits have already been released since the issue became public. Here is a fairly good explanation of the problem; the short-term solution is to have resolvers use randomized source ports. Here are some resources to help test your setup.

In short, patch or upgrade your DNS servers, bother your ISPs to fix the issue on their servers if they haven't already, and bother your NAT device vendors to distribute fixes for your NAT devices (which likely negate any source port randomization you do inside the NAT-ted zone).

I'm amazed this isn't getting the publicity it deserves; many people are vulnerable to this and aren't going to know about it.
 
Thanks for the link, smah. Looks like TimeWarner in my area has applied the patch (ports are random).

Chip H.


____________________________________________________________________
www.chipholland.com
 
Please note that the vulnerability has been known for some time. The only thing new is that some researcher was able to exploit it (quite easily) for the first time, and because it is a vulnerability in the DNS protocol itself, the impact hits everyone.

It didn't take long for someone to use the exploit. AT&T was already hit with an exploit.

If you haven't done so, patch patch patch your DNS servers!
 
There is no updated rpm for RedHat Enterprise 5?
Is RedHat preventing people from publishing rpms for RHE5?

If one for whatever reason cannot update BIND, you can work around the problem by using the "forward only;" option in the named.conf file and then having a good forwarder listed (check out OpenDNS). This has the side effect of slowing down lookups a bit (anyone know how to have the forward only option in effect for certain zones?)
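As an added example (not from the thread or from BIND's own documentation), a named.conf sketch of the forward-only workaround described in the post above, assuming the RFC 5737 documentation addresses 192.0.2.53 and 198.51.100.10 stand in for a patched forwarder and a second name server. It also covers the per-zone question with zone-level `forwarders` lists, and shows the `query-source` setting that must not pin a port on a patched server.

```conf
// Added example, not from the thread. Addresses are placeholders from the
// RFC 5737 documentation ranges; substitute your own forwarder's address.
options {
    // Workaround from the post: never iterate, send every query to a
    // (patched) forwarder. "forward first" would fall back to iteration
    // when the forwarder does not answer, which reopens the weak path.
    forward only;
    forwarders { 192.0.2.53; };

    // Weak setting: a pinned port defeats source-port randomization,
    // even on a patched BIND. Leave the statement out or use "port *".
    // query-source address * port 53;   // do NOT do this
    query-source address * port *;       // random port per query
};

// Per-zone control: an empty forwarders list cancels the global
// forwarding for this domain, so it is resolved normally (by iteration,
// i.e. without the workaround) on this server.
zone "corp.example" {
    type forward;
    forwarders { };
};

// Per-zone forwarding to a different server. To forward only selected
// zones instead of everything, drop the options-level "forward" and
// "forwarders" statements and keep only zone stanzas like this one.
zone "partner.example" {
    type forward;
    forward only;
    forwarders { 198.51.100.10; };
};
```

Forwarding only moves the iterative lookups to the forwarder, so the forwarder itself must be patched; the local server still sends its own queries, and on an unpatched BIND those still leave from a fixed port, so treat this as a stopgap rather than a fix.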


 
