Don’t be a Victim of DNS Security Holes

The details of the new DNS attack discovered by Dan Kaminsky were recently leaked. If exploited, the Kaminsky DNS vulnerability could lead to serious attacks. Gary at LinuxHarbor.net comments:

Behind all the security technobabble, what this means for you is that if your ISP hasn’t applied the appropriate fixes to the DNS servers they set for you when you go online, then should you type www.paypal.com or www.citibank.com into the address-bar of your browser, you might very well actually end up on a spoof site that looks exactly like the real thing, but which collects your username and password before forwarding your connection to the real site. That’s a serious problem in anyone’s book!

You can check whether the servers you’re calling have been fixed by clicking the Check My DNS button on Dan Kaminsky’s Site. If they come up short, you really should switch to an alternative DNS service. In many respects, using a free provider that specializes in DNS is more likely to also keep you safe from any future security problems than relying on your ISP — who has plenty of other things to maintain in addition to your DNS servers.

OpenDNS provides just such a service at no cost, and even though my ISP passes the Kaminsky test, I’ve already switched my whole network over to the OpenDNS servers by following these straightforward instructions, which boil down to changing all /etc/resolv.conf nameserver lines to:

nameserver 208.67.222.222
nameserver 208.67.220.220

And then flushing any cached addresses on all computers you use for browsing. On Ubuntu, type the following into a terminal:

sudo /etc/init.d/networking restart

And the equivalent for Mac OS X:

sudo lookupd -flushcache

And Windows Vista:

ipconfig /flushdns
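The resolv.conf step above, as an added example (not code from the post or from OpenDNS): the function keeps `search`, `options` and comment lines, replaces every `nameserver` line with the two OpenDNS addresses the post quotes, and appends them if the file had no nameserver line at all. The sample file contents are constructed; the function and file names are my own. Flushing caches afterwards is still done with the per-OS commands listed above.

```python
"""Rewrite the nameserver lines of a resolv.conf-style file (added example)."""
from pathlib import Path

# The two addresses quoted in the post.
OPENDNS = ("208.67.222.222", "208.67.220.220")


def nameservers_in(text: str) -> list:
    """Return the nameserver addresses present in `text`, in file order."""
    found = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0] == "nameserver":
            found.append(tokens[1])
    return found


def rewrite_resolv_conf(text: str, nameservers=OPENDNS) -> str:
    """Return `text` with all nameserver lines replaced by `nameservers`.

    The replacement block goes where the first original nameserver line
    stood, so its position relative to `search`/`options` is preserved.
    If the input has no nameserver line, the block is appended at the end.
    """
    out = []
    inserted = False
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] == "nameserver":
            if not inserted:
                out.extend(f"nameserver {ns}" for ns in nameservers)
                inserted = True
            continue  # drop every original nameserver line
        out.append(line)
    if not inserted:
        out.extend(f"nameserver {ns}" for ns in nameservers)
    return "\n".join(out) + "\n"


def rewrite_file(path, nameservers=OPENDNS) -> None:
    """Rewrite the file in place (run as root for the real /etc/resolv.conf)."""
    p = Path(path)
    p.write_text(rewrite_resolv_conf(p.read_text(), nameservers))


# Constructed sample, resembling what a DHCP client writes.
SAMPLE = """# Generated by dhcpcd
search example.lan
nameserver 192.0.2.1
nameserver 192.0.2.2
options timeout:2
"""

if __name__ == "__main__":
    print(rewrite_resolv_conf(SAMPLE), end="")
```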

Check your DNS Servers now - [DoxPara]
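What the "Check My DNS" test is looking for, as an added example (not code from the post or from DoxPara's checker): the well-known fix for the Kaminsky flaw is to randomize the UDP source port of every outgoing query on top of the 16-bit transaction ID, so that a forged answer has to guess both. Given a sample of (source port, transaction ID) pairs observed leaving a resolver, the code below reports how much variety there is and flags a fixed port, or a port that merely counts upwards, as not hardened. All samples are constructed with a seeded generator, not captured from any resolver; the function names and thresholds are my own.

```python
"""Assess whether a resolver's outbound queries look Kaminsky-hardened (added example)."""
import math
import random
from collections import Counter


def shannon_bits(values) -> float:
    """Shannon entropy (bits) of the observed distribution of `values`.
    Bounded above by log2(len(values)), so it measures variety within the
    sample, not the resolver's true key space."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def is_sequential(values) -> bool:
    """True when every step between successive values is the same non-zero
    amount (1024, 1025, 1026 ...): many distinct values, yet predictable."""
    if len(values) < 3:
        return False
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1 and 0 not in steps


def assess(sample):
    """Summarize a list of (source_port, txid) pairs in observation order."""
    ports = [p for p, _ in sample]
    txids = [t for _, t in sample]
    n = len(sample)
    distinct_ports = len(set(ports))
    if distinct_ports == 1:
        verdict = "fixed source port: vulnerable to Kaminsky-style poisoning"
    elif is_sequential(ports):
        verdict = "sequential source ports: predictable, treat as not hardened"
    elif distinct_ports >= 0.8 * n:
        verdict = "source port randomized: hardened"
    else:
        verdict = "low port variety: inconclusive, collect a larger sample"
    return {
        "samples": n,
        "distinct_ports": distinct_ports,
        "port_entropy_bits": round(shannon_bits(ports), 2),
        "txid_entropy_bits": round(shannon_bits(txids), 2),
        "verdict": verdict,
    }


def constructed_sample(kind, n=40, seed=2008):
    """Constructed observations for three resolver behaviours (not real data)."""
    rng = random.Random(seed)
    if kind == "fixed":        # unpatched: every query from port 53
        return [(53, rng.randrange(65536)) for _ in range(n)]
    if kind == "sequential":   # OS hands out ephemeral ports in order
        return [(1024 + i, rng.randrange(65536)) for i in range(n)]
    if kind == "random":       # patched: port drawn afresh per query
        return [(rng.randrange(1024, 65536), rng.randrange(65536)) for _ in range(n)]
    raise ValueError(kind)


if __name__ == "__main__":
    for kind in ("fixed", "sequential", "random"):
        print(kind, assess(constructed_sample(kind)))
```

A real check feeds `assess` with pairs read from a packet capture of the resolver's outbound port-53 traffic; with only 40 observations the entropy figures top out near 5.3 bits, so the verdict rests on variety and predictability rather than on the absolute bit count.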

Originally posted on Mon Aug 4, 2008