For the second time now a very dangerous DNS flaw has been published by a security firm before its official presentation at the coming Black Hat conference. The man who found it, Dan Kaminsky, could not do much. The info on the site was taken down, but once the cat is out of the bag (they found the search engine's cached info: http://blogs.buanzo.com.ar/2008/07/matasano-kaminsky-dns-forgery.html) it is difficult to get it back in. So everyone, update your DNS and watch your kernels.
So, is it really THAT bad? Well, yes. Basically, Dan figured out how to poison ANY DNS server's cache. The end result: people using the DNS server will think they are at PayPal, but are really at evilguy.com.
Hope for the big general patch now to come soon…
The patch consists of randomly generating the source port and coupling this with the TXID to minimize the chance of getting a correctly spoofed reply.
Another way is to run your own private recursive DNS server without forwarders to make this kind of assault impossible.
You can protect yourself by setting yourself to OpenDNS.
This can affect you no matter what computer or operating system you’re using, and no matter what ISP you may have.
If you connect to the Internet, you need to have DNS servers. Your computer needs to know how to match an IP address with a domain name.
Me worry??? NO, I’ve been using and promoting OpenDNS for a long time, as you can tell from the following informative link: http://forum.avast.com/index.php?topic=16849.msg185494#msg185494
Your resolver’s randomness will be rated either GOOD, FAIR, or POOR, based on the standard deviation of observed source ports. In order to receive a GOOD rating, the standard deviation must be at least 10,000. For FAIR it must be at least 3,000. Anything less is POOR. The best standard deviation you can expect to see from 26 queries is in the 18,000-20,000 range. If you see a POOR rating, we recommend that you contact your ISP and ask if they have plans to upgrade their nameserver software soon. The CERT cite is “VU#800113 Multiple DNS implementations vulnerable to cache poisoning”.
“For those not listening, we can infect a name server in 11 seconds now, which was never true before.”
Thanks very much Pol, I will take your advice. If I get no joy, I will try Bob's OpenDNS (Thanks Bob).
I tried the Doxpara check, and it said,
Your name server, , may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 129.
I agree with bob3160 and you that DNS is broken(ish) at the moment, and the exploit was already out in the open after Dan Bernstein published about the gigantic flaw Dan Kaminsky found. In IE you can set your browser to use reliable DNS name servers; you can even map a specific URL to a specific domain name in your hosts file. OpenDNS can be a good option; I never saw a hassle for people that used it.
But again folks, this affair is huge and hanging over us, because the actual exploit code is out on the web (CAU), also for the client side. Getting back to Dan Kaminsky and his efforts: he was also able to convince Yahoo to publicly ditch an unpatchable system (BIND 8). Yahoo are the world’s biggest user of BIND 8, so this is a massive undertaking and highlights the seriousness of the issue.
Anyway, all our web forum users have been alerted here to this issue and can check, or ask their ISP to fully patch, or implement a reliable DNS service themselves; you have no excuse anymore to delay…
Well, I think there is more to follow. OpenDNS sure is an option; one could also choose to use the Minnesota University DNS servers. Anything below the latest BIND 9 is vulnerable and cannot be used any longer. With the check on Dan Kaminsky’s site, you can get a result like: “Your name server, at A.B.C.D., appears to be safe, but make sure the ports listed below aren’t following an obvious pattern,” e.g. TXID numbers should be random without a fixed pattern. The impact of the flaw is explained here: http://www.kb.cert.org/vuls/id/800113
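The posts above describe three things a resolver check looks at: the standard deviation of observed source ports with the GOOD/FAIR/POOR thresholds quoted from the checker, the "largest port minus smallest port" spread that a NAT/firewall can squash (the 129 figure), and whether the ports follow an obvious pattern even when they look well spread. The script below is an added illustration, not the Doxpara checker's own code or any project's code; it assumes "standard deviation" means the population standard deviation, treats the TXID as the 16-bit field it is in the DNS header, and uses constructed port samples, not real captures. It also shows why the source-port patch matters: the number of (port, TXID) pairs a forged reply must match grows from 65,536 to several billion.

```python
"""Rate a resolver's source-port randomness with the thresholds quoted in the thread.

Added example, not the checker's code. Assumption: the checker's "standard
deviation" is the population standard deviation; thresholds and the 26-query
sample size are the ones quoted in the thread.
"""
import statistics
from typing import Sequence

GOOD_STDDEV = 10_000   # quoted: at least 10,000 for GOOD
FAIR_STDDEV = 3_000    # quoted: at least 3,000 for FAIR, anything less is POOR
TXID_VALUES = 1 << 16  # the DNS transaction id is a 16-bit header field


def rate_ports(ports: Sequence[int]) -> dict:
    """Return std dev, spread (max - min), the GOOD/FAIR/POOR rating and a pattern flag."""
    ports = list(ports)
    if len(ports) < 2:
        raise ValueError("need at least two observed source ports")
    sd = statistics.pstdev(ports)      # assumption: population standard deviation
    spread = max(ports) - min(ports)   # the 'largest port minus smallest port' figure
    if sd >= GOOD_STDDEV:
        rating = "GOOD"
    elif sd >= FAIR_STDDEV:
        rating = "FAIR"
    else:
        rating = "POOR"
    # Standard deviation alone cannot separate a predictable, evenly spaced
    # sequence from a random one, so also flag a constant step between ports.
    steps = {b - a for a, b in zip(ports, ports[1:])}
    patterned = len(steps) == 1
    return {"stddev": sd, "spread": spread, "rating": rating, "patterned": patterned}


def guess_space(usable_ports: int) -> int:
    """Number of (source port, TXID) pairs a forged reply has to match.

    With a fixed source port only the 16-bit TXID protects the query; randomising
    the port multiplies the space by the number of ports the resolver can use.
    """
    return usable_ports * TXID_VALUES


# Constructed samples (26 observations each, like the checker's 26 queries).
FIXED_PORT = [53] * 26                                   # unpatched: always port 53
NAT_SQUASHED = [40_000 + (i * 37) % 130 for i in range(26)]  # NAT confines ports to a 130-wide window
EVENLY_SPACED = [1024 + 2580 * i for i in range(26)]     # high std dev, but an obvious pattern


if __name__ == "__main__":
    for name, sample in (("fixed port", FIXED_PORT),
                         ("NAT-squashed", NAT_SQUASHED),
                         ("evenly spaced", EVENLY_SPACED)):
        r = rate_ports(sample)
        print(f"{name:14s} stddev={r['stddev']:8.1f} spread={r['spread']:5d} "
              f"rating={r['rating']:4s} patterned={r['patterned']}")
    print("guess space, fixed port    :", guess_space(1))
    print("guess space, ports 1024-65535:", guess_space(65535 - 1024 + 1))
```

The evenly spaced sample is the interesting case: it earns a GOOD rating on standard deviation alone, which is exactly why the checker's output also asks you to look at the listed ports for an obvious pattern. The NAT-squashed sample reproduces the situation in the post above where the resolver itself may be fine but the device in front of it rewrites the ports into a narrow range.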
To the second remark in your posting, I can state that I can see you are an American, because there Pitbull is a sugar free energy drink. You guessed it right, Here the variant that I drink at the moment, see picture below,