DNS, the Domain Name System, is the service that directs traffic on the Internet by translating names into addresses. As you know, computers know numbers, not letters. So when you type BankofAmerica.com into a web browser, the DNS server at your office or ISP looks up the IP address of that site and returns the number. That number is what lets the site appear on your browser screen. If instead that translation is hijacked, you are taken to a site that LOOKS just like BankofAmerica.com but is actually an attacker's site, and the result could be a serious data breach.
It's important that we can trust the DNS servers to take us to the real destination. In information security this is called integrity. Integrity in this context means trusting that the page we see is authentic and really is BankofAmerica.com's site.
Dan Kaminsky, director of penetration testing at security firm IOActive, discovered, quite by accident, a fundamental flaw that affects most of the thousands upon thousands of DNS servers in use today.
Dan helped coordinate a secret meeting at Microsoft a few months ago that also included Cisco, Sun and other leading IT firms. The attendees agreed to coordinate a large-scale, simultaneous release of a fix, or patch, for this flaw, so that site owners could update their DNS servers quickly. That release took place this week. As of this week, no known attacks had occurred using this flaw, and the hope is that systems are patched before the bad guys can create an attack that exploits it.
Here is what you need to ask: Where is your DNS resolved? Or, put another way, "Where is our DNS server?" Internally on your corporate network? At your ISP? With another firm? Some combination? Are your DNS servers patched against this flaw?
Don't assume that your DNS is up to date just because you are using a Microsoft DNS server, or just because you get your DNS from a large ISP. According to press reports, some DNS servers are so old that they can't be patched successfully.
Five days have passed since this announcement, and the ATT DNS servers that many millions use for Internet access have still not been patched, according to a tool that Dan Kaminsky wrote. A link to that tool is provided below. I used it to check some of ATT's DNS servers. Are these servers too old to be patched? Is ATT waiting "for a problem to occur" before patching? Are the servers being patched as you read this? It is difficult to determine why at this point, but the fact remains that their users could be victims of one of these attacks.
Once you determine how you get your DNS, you want to get the IP address of that DNS server. A DNS IP address will look something like 210.12.34.01. I recommend setting the network settings on your computer to match the DNS server or servers you are using, and then running Dan's tool to check the results for each server.
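The patch this post refers to (described in the US-CERT note linked below) makes a resolver randomize the UDP source port of every outbound query it sends, on top of the 16-bit transaction ID that was the only protection before; Dan's web tool judges a resolver by having it send several queries to a cooperating server and looking at how varied those source ports are. Below is an added example modeled on that heuristic, not Dan's tool or code from this post: it grades constructed samples of (source port, transaction ID) pairs, such as you could collect from a packet capture of your own resolver's outbound queries, and the POOR/GOOD/GREAT labels and thresholds are this example's own assumptions.

```python
# Constructed sample observations, not real capture data: (UDP source port,
# DNS transaction ID) for successive outbound queries from a resolver under test.
UNPATCHED_RESOLVER = [(32768, 0x1a2b), (32768, 0xc3d4), (32768, 0x5e6f),
                      (32768, 0x0781), (32768, 0x92a3)]
SEQUENTIAL_RESOLVER = [(1025, 0x0101), (1026, 0x0102), (1027, 0x0103),
                       (1028, 0x0104), (1029, 0x0105)]
CLUSTERED_RESOLVER = [(32770, 0x7a11), (32775, 0x1c9e), (32771, 0xd402),
                      (32790, 0x3b67), (32770, 0xe8f0)]
PATCHED_RESOLVER = [(53112, 0x9f31), (7201, 0x04c8), (61044, 0xe7a0),
                    (19873, 0x5b19), (40566, 0x2d77)]

def is_sequential(values):
    """True when every successive value differs by the same step; a fixed
    value and a simple counter are both trivially predictable to an attacker."""
    deltas = {b - a for a, b in zip(values, values[1:])}
    return len(deltas) <= 1

def assess_resolver(observations):
    """Grade a resolver from observed (port, txid) pairs (thresholds assumed).

    POOR  - source port is constant or counts up: pre-patch behaviour, only
            the 16-bit transaction ID stands between an attacker and the cache
    GOOD  - ports vary, but some repeat or they sit in a narrow band
    GREAT - every observed port differs and they span the ephemeral range,
            which is what the source-port randomization patch produces
    """
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    distinct_ports = len(set(ports))
    port_span = max(ports) - min(ports)
    if distinct_ports == 1 or is_sequential(ports):
        verdict = "POOR"
    elif distinct_ports < len(ports) or port_span < 1024:
        verdict = "GOOD"
    else:
        verdict = "GREAT"
    return {"verdict": verdict, "distinct_ports": distinct_ports,
            "port_span": port_span, "txid_sequential": is_sequential(txids),
            "samples": len(observations)}

if __name__ == "__main__":
    for name, obs in [("unpatched", UNPATCHED_RESOLVER),
                      ("sequential", SEQUENTIAL_RESOLVER),
                      ("clustered", CLUSTERED_RESOLVER),
                      ("patched", PATCHED_RESOLVER)]:
        print(name, assess_resolver(obs))
```

A handful of queries can only show that randomization is absent, not prove that it is strong, so treat anything other than GREAT as a reason to get the resolver patched or to move to one that passes.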
There is a free DNS service called OpenDNS. You can point your computers, devices and networks to OpenDNS and use their free service for your DNS. OpenDNS can also filter out porn content, horoscope sites, betting sites and other "not safe for work" sites. OpenDNS claims that their servers were never open to this flaw. When I tested them with Dan's tool, they passed his test. Here are some OpenDNS servers that you can use without even signing up for the added features: 18.104.22.168 and 22.214.171.124.
How do they do this for free? If you have ever typed a wrong address into a web browser, you know you get an error page. When you are using OpenDNS, that page instead comes back with a Google search engine, and a portion of the ad revenue is split with OpenDNS.
Don't ignore this flaw; by its very nature, you might never know you have been a victim until it is too late.
Here are some helpful links:
1. US Computer Emergency Response Team: Multiple DNS implementations vulnerable to cache poisoning
2. Dan Kaminsky's DNS flaw check tool is in the upper right corner of this page