OK, so the news is out. Someone has figured out what it is that Dan Kaminsky discovered in DNS that has so many people concerned. Now that we know what the problem is that means that the bad guys know. If the bad guys know it's only a matter of hours (quiet possibly by now) before a exploit is released into the wild. That is bad news.
Even if you have patched your servers it could be bad news for you. Why? Because your DNS server relies on other DNS servers to tell it where web sites are. If your DNS server get bad information from a compromised DNS server it's game over. What are the chances that your DNS server will communicate with a unpatched, vulnerable DNS server? My guess is that the chances are pretty good. If you look at my little poll (which is a very small sampling of my readers and extremely small sampling of those who manage DNS servers worldwide) 42% have not patched their servers yet because they are still testing the patch. This number hopefully is smaller by now since they have had time to complete testing.
What has me worried is all of those who manage DNS servers and don't follow blogs, tech news sites and other forms of communication that would get the word to them. How are they going to know to patch their servers? I've not seen anything in the main stream media talking about this. Vendors don't have a good way of communicating with customers when problems such as this arise, especially those who download free software that doesn't require registration.
There is a lot of speculation around the release of the details of the issue. Should Halvar Flake have posted his speculations on his blog? Should the blogger at Matasano have posted his reply (which was promptly removed from the site)? People are arguing about whether or not Halvar was right or wrong in what he did. Others are complaining because Dan didn't release more details to the public. There is a place for all of this bickering and speculation but now is not the time. Now is the time to ensure that everyone patches their DNS servers and that we get the work out so that everyone knows that this needs to be done.
So get on the phone, compose emails, use Twitter or any way you can to make sure that all of your friends and contacts who manage DNS servers know about this. Call you ISP and ask them if they have patched yet and if they haven't then consider using a DNS server that you know has been patched. You can use Open DNS or another ISPs DNS servers that you know have been patched. Those of you who manage DNS servers may want to consider clamping down on who you allow your DNS servers to communicate with. This is a standard good practice any way but now you may want to be even more careful.
I'm not crying "the sky is falling" and I'm not trying to spread FUD (fear, uncertainity and doubt) but this has potential to be bad. It is something that needs to be taken seriously and dealt with. When you get this many people who are respected in the industry all saying the same thing then it needs to be heeded. When you get this many vendors working together to release a patch simultanously then we need to apply the patch.
Security's Everyman
Tuesday, July 22, 2008
DNS Problem
Posted by Andy, ITGuy at 5:47 AM
Labels: Andy ITGuy, DNS vulnerability, information security
DNS Problem
2008-07-22T05:47:00-04:00
Andy, ITGuy
Andy ITGuy|DNS vulnerability|information security|