
Don’t be a Victim of DNS Security Holes

The details of the new DNS attack discovered by Dan Kaminsky were recently leaked. On an unpatched recursive DNS server the Kaminsky vulnerability lets an attacker poison the cache, so that the server hands out the attacker's addresses for domains it has no authority over. Gary at LinuxHarbor.net comments:

Behind all the security technobabble, what this means for you is that if your ISP hasn’t applied the appropriate fixes to the DNS servers they set for you when you go online, then should you type www.paypal.com or www.citibank.com into the address-bar of your browser, you might very well actually end up on a spoof site that looks exactly like the real thing, but which collects your username and password before forwarding your connection to the real site. That’s a serious problem in anyone’s book!

You can check whether the servers you're calling have been fixed by clicking the Check My DNS button on Dan Kaminsky's site. The fix ISPs need to apply is to randomize the source port of the queries their resolvers send out, and that is what the test reports on. If your servers fail it, you really should switch to an alternative DNS service. In many respects, using a free provider that specializes in DNS is also more likely to keep you safe from future security problems than relying on your ISP, who has plenty of other things to maintain in addition to your DNS servers.

OpenDNS provides just such a service at no cost, and even though my ISP passes the Kaminsky test, I've already switched my whole network over to the OpenDNS servers by following these straightforward instructions, which boil down to changing all /etc/resolv.conf nameserver lines to:

nameserver 208.67.222.222
nameserver 208.67.220.220

And then flushing any cached addresses on all computers you use for browsing. On Ubuntu, type the following into a terminal (this re-reads /etc/resolv.conf; Ubuntu has no system-wide DNS cache unless you have installed nscd, in which case restart that too). Note that on a machine that gets its address by DHCP, the DHCP client may rewrite /etc/resolv.conf on the next lease, so set the servers in the DHCP client or router configuration as well:

sudo /etc/init.d/networking restart

And the equivalent for Mac OS X 10.4 (on 10.5 the cache belongs to a different daemon and the command is `sudo dscacheutil -flushcache`):

sudo lookupd -flushcache

And Windows Vista:

ipconfig /flushdns
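The steps above, as an added example that is not part of the original post: a small POSIX sh script that rewrites a resolv.conf-style file so that its only nameserver lines are the two OpenDNS servers, keeps a backup and any search/domain/options lines, and verifies the result. It takes the file path as an argument so it can be tried on a copy before being run with sudo against the real /etc/resolv.conf. The `porttest` helper assumes `dig` is installed and the machine is online; it queries DNS-OARC's port-randomization test service, which is a different check from Kaminsky's web page but reports on the same thing.

```shell
#!/bin/sh
# Added example (not from the original post): point a resolv.conf-style
# file at OpenDNS, keep a backup, and verify the result.
# Usage: sh opendns.sh /etc/resolv.conf   (with sudo for the real file)

OPENDNS1=208.67.222.222   # OpenDNS resolvers named in the post
OPENDNS2=208.67.220.220

# switch_to_opendns FILE
# Copy FILE to FILE.bak, then rewrite FILE with every nameserver line
# removed and the two OpenDNS lines appended. search/domain/options
# lines and comments are kept in their original order.
switch_to_opendns() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    cp "$f" "$f.bak" || return 1
    {
        awk '$1 != "nameserver"' "$f.bak"
        echo "nameserver $OPENDNS1"
        echo "nameserver $OPENDNS2"
    } > "$f"
}

# nameservers FILE: print the nameserver addresses listed in FILE, in order
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# uses_only_opendns FILE: succeed only if FILE lists exactly the two
# OpenDNS servers, in the order the post gives them
uses_only_opendns() {
    [ "$(nameservers "$1" | tr '\n' ' ')" = "$OPENDNS1 $OPENDNS2 " ]
}

# porttest: ask DNS-OARC's test service how random the source ports of
# the resolver you are currently using were. Assumption: dig is
# installed and the host is online. The TXT answer rates the resolver
# GOOD, FAIR or POOR; POOR means the Kaminsky fix has not been applied.
porttest() {
    dig +short porttest.dns-oarc.net TXT
}

# Run as a script: rewrite the file given on the command line and report.
if [ -n "$1" ]; then
    switch_to_opendns "$1" || exit 1
    if uses_only_opendns "$1"; then
        echo "$1 now uses OpenDNS (backup in $1.bak)"
    else
        echo "rewrite of $1 did not produce the expected nameserver lines" >&2
        exit 1
    fi
fi
```

After switching, flush the local cache as described above and, if you want a second opinion on your old resolvers, run `porttest` before the change as well as after it.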

Check your DNS Servers now - [DoxPara]


Posted on August 04, 2008
Comment by Duane (Reply #1, Tue August 05, 2008, 17:51:24): Weeeeee
This bug only really affected BIND, and BIND has a very long and very notorious history of bugs, some as bad as or worse than this one.

So the real message here is: migrate to a BIND alternative. djbdns had already anticipated this bug about 10 years ago.

Both MaraDNS and the PowerDNS recursor were also not affected. Also, some people commenting on their switch from BIND to PowerDNS said they went from 120 servers to only needing 30.

http://ops.ietf.org/lists/namedroppers/namedroppers.2008/msg01209.html
