Despite the best efforts of the security community, the details of a critical internet vulnerability discovered by Dan Kaminsky about six months ago have leaked. Hackers are racing to produce exploit code, and network operators who haven’t already patched the hole are scrambling to catch up.
The details of the vulnerability aren’t important, but basically it’s a form of DNS cache poisoning. The DNS system is what translates domain names people understand, like www.schneier.com, to IP addresses computers understand: 126.96.36.199. There is a whole family of vulnerabilities where the DNS system on your computer is fooled into thinking that the IP address for www.badsite.com is really the IP address for www.goodsite.com — there’s no way for you to tell the difference — and that allows the criminals at www.badsite.com to trick you into doing all sorts of things, like giving up your bank account details. Kaminsky discovered a particularly nasty variant of this cache-poisoning attack.
There are several websites where you can test your DNS server to see if it’s vulnerable. If you don’t like that link, just search Google for “DNS cache poisoning test” and you’ll find lots of them.
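What such a test looks at, as an added example that is not from the original post: the widely deployed fix for this flaw was to randomize the UDP source port of outgoing queries, so a test server rates how much a resolver's source ports vary from query to query. The sample port lists, the `MIN_PORT_STDDEV` cut-off and the POOR/GOOD labels are constructed for illustration, and `assess_resolver` is a hypothetical helper.

```python
import statistics

# Constructed samples: UDP source ports a test server might record for
# consecutive queries arriving from one resolver.
FIXED_PORT = [53, 53, 53, 53, 53, 53]
SEQUENTIAL = [32768, 32769, 32770, 32771, 32772, 32773]
NARROW = [1030, 1027, 1041, 1025, 1038, 1033]
RANDOMIZED = [50211, 1931, 38477, 61002, 12890, 27654]

# Assumed cut-off for this example only; not taken from any real test site.
MIN_PORT_STDDEV = 3000


def assess_resolver(ports):
    """Rate a resolver's source-port behaviour from a list of observed ports."""
    if len(ports) < 5:
        raise ValueError("need at least 5 queries to judge port behaviour")
    distinct = len(set(ports))
    # Differences between consecutive ports expose counters and fixed strides.
    steps = {b - a for a, b in zip(ports, ports[1:])}
    stddev = statistics.pstdev(ports)
    if distinct == 1:
        # Every query left from the same port: the 16-bit transaction ID is
        # the only value an off-path spoofer has to match.
        verdict = "POOR: fixed source port"
    elif len(steps) == 1:
        verdict = "POOR: source ports change by a constant step"
    elif stddev < MIN_PORT_STDDEV:
        verdict = "POOR: source ports vary over a narrow range"
    else:
        verdict = "GOOD: source ports look randomized"
    return {"distinct_ports": distinct, "stddev": round(stddev), "verdict": verdict}


if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_PORT), ("sequential", SEQUENTIAL),
                         ("narrow", NARROW), ("randomized", RANDOMIZED)]:
        print(name, assess_resolver(sample))
```

A resolver that forwards to another server is judged by the ports of the server that finally queries the internet, so the result describes the upstream resolver as much as your own.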
If the DNS server you use is vulnerable, you can switch to a “good” server while your Internet provider makes the necessary fixes.
OpenDNS is a good one and I use it. I have the DNS server on my network set to forward all the DNS queries to the OpenDNS servers. They have instructions on their website for all operating systems.