DNS Cache Poisoning Vulnerability

There’s a very bad security flaw in some DNS servers that allows cache poisoning. Bruce Schneier says the details of an attack discovered six months ago have now leaked.

Despite the best efforts of the security community, the details of a critical internet vulnerability discovered by Dan Kaminsky about six months ago have leaked. Hackers are racing to produce exploit code, and network operators who haven’t already patched the hole are scrambling to catch up.

The details of the vulnerability aren’t important, but basically it’s a form of DNS cache poisoning. The DNS system is what translates domain names people understand, like www.schneier.com, to IP addresses computers understand. There is a whole family of vulnerabilities where the DNS system on your computer is fooled into thinking that the IP address for www.badsite.com is really the IP address for www.goodsite.com — there’s no way for you to tell the difference — and that allows the criminals at www.badsite.com to trick you into doing all sorts of things, like giving up your bank account details. Kaminsky discovered a particularly nasty variant of this cache-poisoning attack.
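As an added illustration that is not part of this post, here is a toy resolver cache in Python showing the checks a resolver applies before it believes an answer: the transaction ID and port must match an outstanding query, and records for names outside the zone that was asked about are ignored, so a reply about www.example.com cannot plant an address for another site. The names and addresses are constructed, and the "bailiwick" rule is a simplification of what real resolvers do.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Answer:
    qname: str     # question section echoed by the responder
    txid: int      # transaction ID echoed by the responder
    port: int      # UDP port the answer arrived on
    records: dict  # name -> IP: the answer plus any "additional" records

class Resolver:
    """Toy resolver cache applying the standard checks against poisoned answers."""
    def __init__(self):
        self.cache = {}    # name -> IP
        self.pending = {}  # qname -> (txid, source port) of the outstanding query

    def send_query(self, qname):
        # Random 16-bit ID and random source port: a forged answer has to match both.
        txid, port = secrets.randbelow(1 << 16), 1024 + secrets.randbelow(64512)
        self.pending[qname] = (txid, port)
        return txid, port

    def receive(self, ans):
        """Return the records actually cached; empty dict if the answer was rejected."""
        if self.pending.get(ans.qname) != (ans.txid, ans.port):
            return {}  # no matching outstanding query: drop silently
        # Bailiwick rule (simplified): only keep records inside the zone we asked
        # about, so an answer for www.example.com cannot plant www.bank.test.
        zone = ".".join(ans.qname.split(".")[-2:])
        accepted = {n: ip for n, ip in ans.records.items()
                    if n == zone or n.endswith("." + zone)}
        self.cache.update(accepted)
        del self.pending[ans.qname]
        return accepted

def demo():
    """Feed one resolver a forged and then a genuine reply (both constructed here)."""
    r = Resolver()
    txid, port = r.send_query("www.example.com")
    planted = {"www.example.com": "192.0.2.10", "www.bank.test": "203.0.113.5"}
    # Forged reply: wrong transaction ID, so it must be dropped outright.
    dropped = r.receive(Answer("www.example.com", (txid + 1) % 65536, port, planted))
    # Genuine reply that still carries an out-of-bailiwick "additional" record.
    cached = r.receive(Answer("www.example.com", txid, port, planted))
    return dropped, cached, dict(r.cache)

if __name__ == "__main__":
    print(demo())  # ({}, {'www.example.com': '192.0.2.10'}, {'www.example.com': '192.0.2.10'})
```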

There are several websites where you can test your DNS server to see if it’s vulnerable. If you don’t like that one, just search Google for “DNS cache poisoning test” and you’ll find lots of them.

If the DNS server you use is vulnerable, you can switch to a “good” server while your Internet provider makes the necessary fixes.

OpenDNS is a good one and I use it. I have the DNS server on my network set to forward all DNS queries to the OpenDNS servers. They have instructions on their website for all operating systems.

  1. sevesteen says:

    I started using OpenDNS because it was easier than getting my ISP to even investigate a problem with their DNS. Their network troubleshooting is basically “Disconnect your router unless you rent it from us, install Windows, then if the problem is still there argue with us for at least an hour before we even look”.

