Full Explanation of DNS Security Hole No Other Domainer Seems Worried About But Me.
Monday, 11 August 2008

I posted a thread a couple weeks ago about a DNS security hole which received no response from domainers. Perhaps I should have explained that it totally disables your ability to earn revenue from affiliates and parking programs, if affected.

Oh, and it doesn't need your consent nor trip any alarms of any kind and renders your firewalls, usernames and passwords completely useless, not to mention it doesn't need your ISP, hosting server or domain company's permission to do what it wants with your domain.

From the article: 

This past week at Black Hat 2008, Kaminsky finally revealed the actual details of the bug he discovered. The design flaw makes it a great deal easier to poison a name server’s cache, voiding any trust in query results from that name server. In order to understand the magnitude of the bug, we need to be familiar with how a DNS query works, so let’s start there...

In my example, I’m controlling when my ISP’s name server is sending out a DNS query. If my query for 11.techrepublic.com didn’t work, all I have to do is try 12.techrepublic.com and go through the same process until I get a collision. I’ll know when that happens, as I’ll get DNS information for 11 or 12.techrepublic.com from my ISP.

There are several concepts in play here that make this cache poisoning attack vector extremely onerous, they are:

  • Since the DNS query response was “in bailiwick”, my ISP’s name server thinks the IP addresses that I gave it are authoritative for the whole techrepublic.com domain.
  • I can set the TTL of the FQDN/IP address information to an extremely large amount; it’s a 32-bit number. That way the false DNS information will not expire.
  • I can now set up phishing web sites that will not trip any alarms or phishing filters.
  • This design flaw is present in every recursive name server.

 Full Article >>
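
A defender's view of the pattern the excerpt describes (lookups walking through sibling names such as 11. and 12. under one domain while wrong-ID replies pile up until one collides), as an added example that is not from this post or the quoted article. The log format, thresholds and function names are assumptions made up for illustration:

```python
from collections import defaultdict

def build_sample():
    """Constructed resolver events in a hypothetical log format:
    '<epoch> QUERY <client> <qname>' is a client lookup; '<epoch> BADID <source>
    <qname>' is a reply dropped because its transaction ID matched no open query."""
    lines = ["100 QUERY 192.0.2.10 www.example.org",
             "100 BADID 203.0.113.9 www.example.org"]  # one stray reply: normal noise
    for i, label in enumerate(range(11, 17)):          # 11.example.com ... 16.example.com
        t = 101 + i
        lines.append(f"{t} QUERY 192.0.2.77 {label}.example.com")
        lines += [f"{t} BADID 198.51.100.5 {label}.example.com"] * 40
    return lines

def parent_zone(qname):
    # Assumption: the zone is the last two labels. Production code should use
    # the Public Suffix List so that names under e.g. co.uk are grouped correctly.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def find_poisoning_attempts(lines, window=60, min_names=5, min_bad_ids=100):
    """Flag zones where, within `window` seconds, many distinct sibling names
    were queried AND many replies arrived with a wrong transaction ID."""
    by_zone = defaultdict(list)
    for line in lines:
        ts, kind, source, qname = line.split()
        by_zone[parent_zone(qname)].append((int(ts), kind, qname.lower(), source))
    alerts = []
    for zone, events in by_zone.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                      # slide the window forward
            recent = events[start:end + 1]
            names = {q for _, k, q, _ in recent if k == "QUERY"}
            bad_ids = sum(1 for _, k, _, _ in recent if k == "BADID")
            if len(names) >= min_names and bad_ids >= min_bad_ids:
                clients = sorted({s for _, k, _, s in recent if k == "QUERY"})
                alerts.append({"zone": zone, "names": len(names),
                               "bad_ids": bad_ids, "clients": clients})
                break                           # one alert per zone is enough
    return alerts

if __name__ == "__main__":
    for alert in find_poisoning_attempts(build_sample()):
        print(alert)
```

The thresholds need tuning against normal traffic, since a busy resolver sees some mismatched replies all the time.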

For those that still don't understand: DNS is the core of how domain names resolve to IPs on the internet. For instance, every time you point a domain using nameservers, that is dependent on DNS technology. What this vulnerability does is allow a malicious user to resolve your domain name to any webserver, parking page, etc that he/she wants.

It doesn't seem to be anything that should cause a widespread panic right now unless a bunch of websites start doing weird things. However, I'm just completely amazed at this vulnerability as we all had complete trust in the way DNS works.

More details here:

An Illustrated Guide to the Kaminsky DNS Vulnerability (excellent read)
New exploit poisons patched DNS servers, claims researcher
ISACA Says Major DNS Flaw Affecting Email Comes as No Surprise
Apple Security Patch Flubs DNS Fix

 

More Reading:

Seems to be something we can do for now:

A service called "OpenDNS" seems to be what people are switching to for now. I'm not sure how it works, but it's worth looking into. However, there is one downside:

Quote:
Note that OpenDNS is able to provide its services for free because it changes how your browser behaves when you enter a non-existent URL, say for asdfjklasjxznn.com. If you enter that URL using your normal DNS servers, you'll get a standard "page not found" error message. If you load that URL using OpenDNS, however, you'll see the image at right (click the image for a larger version). The ads you see there are what help OpenDNS pay for its services. If the prospect of seeing such ads when you enter a bad URL concerns you, then you'll want to pass on this solution. For me, though, it's a small price to pay for an excellent free service.


More Ways to Protect Yourself From Phishing
OpenDNS Offers DNS Vulnerability Protection
OpenDNS Wildly Popular After Kaminsky Flaw Disclosure

Smaller ISPs at risk to DNS flaw

Quote:
Telstra, Optus, Internode and iiNet have confirmed to Computerworld their DNSs are patched, however, sources reveal many DNS admins have yet to fix the flaw, despite being notified by security researchers, and nagged by concerned ISPs and Web masters.


Patch domain name servers now, says DNS inventor

Quote:
Paul Mockapetris, inventor of the Internet's Domain Name System architecture, has some advice for those in any doubt about the seriousness of a weakness in the DNS protocol that was disclosed yesterday: Patch your DNS servers right now.

The vulnerability and the attack it enables are among the most dangerous to have been discovered in the DNS protocol so far, Mockapetris said in an interview with Computerworld Wednesday morning.

"It's absolutely critical for IT managers to upgrade their software. They want to make very sure that the caching servers on their perimeters are up to snuff," Mockapetris said. In addition, they need to also ensure that client devices such as DSL modems that might have DNS software embedded in them are properly patched. "The time to fix is now. The clock is ticking," before exploits against the flaw become widely available, he said.


Is Your Domain Parking Service Vulnerable to DNS Cache Poisoning?
Quote:

Many domainers don’t own web sites, but they certainly have their domains parked on other people’s name servers. Are you vulnerable? Internet Assigned Numbers Authority (IANA) has a new tool available to find out.

I tested the nameservers for many of the parking companies and found they are safe: Parked.com, Sedo, and Dotzup.


Microsoft warns: get your DNS flaw fix now

Quote:
Microsoft is not currently aware of active attacks utilizing this exploit code or of customer impact at this time. However, attacks are likely imminent due to the publicly posted proof of concept and Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary. Microsoft’s investigation of this exploit code has verified that it does not affect Microsoft customers who have installed the updates detailed in Microsoft Security Bulletin MS08-037.


A cheatsheet for defending against the DNS flaw

Quote:
The only omission in their instructions is the need to make this change for every type of network connection. On a laptop computer, for example, you would need to modify both the network connection for wired Ethernet and also the Wi-Fi network connection. If you use dial-up, that too, needs to be modified.
 

 

Comments (2)
written by BroKeN, October 11, 2008
This flaw has become really serious now; there are more than 900 sites down because of it. Is there any advice to prevent getting our sites redirected by the DNS flaw, or is it up to the registrars to patch that thing?
I mean, we can't stop it, but at least we can prevent it in any way??
written by Maylin, October 28, 2008
Yes, I agree with you, Broken. I think there is nothing that we could do about it, but then we can always prevent something from happening. I just hope we will figure out some ways to prevent getting our sites redirected by the DNS flaw.
