ronpin
Imagine Reality
join:2002-12-06
Nirvana | DNS outdated
DNS was cool when speeds were slow and memory expensive. Now we could all run our very own DNS servers on the cheap. Why not?
--
50% of Americans vote - 30% are repugs -- do the math. |
|
TKJunkMail
Enjoy the sun
Premium
join:2002-03-03
Avalon, NJ
 ·Sprint Mobile Broa..
 ·Comcast
2 edits |  Another tool provides info on all DNS servers configured
This test does all the DNS servers in your list of DNS servers configured on your computer:
»entropy.dns-oarc.net/test/
The Kaminsky tool »www.doxpara.com/?p=1176 only does the 1st DNS server in your list.
A couple threads at BBR are following this subject:
»With DNS Flaw Now Public, Attack Code Imminent
»[DNS] Comcast and the DNS Server flaw issue
»Exploit Code for Kaminsky DNS Bug Goes Wild
An example of the test results:
»85e529691fbce9bdf3c3f30f.et.dns-oarc.net/
--
My BLOG .. .. Internet News .. .. My Web Page
Ask yourself one question: 'Do I feel lucky?' Well, do ya punk? |
|
ISurfTooMuch
join:2007-04-23
Tuscaloosa, AL
1 edit | reply to ronpin
Re: DNS outdated
You could, but why would you want to increase the load on authoritative DNS servers out there? Right now, if you type in www.google.com, if you don't have the IP address already cached, your machine queries your ISP's DNS server, which already knows the correct IP address. Google's nameservers only get queried if your ISP doesn't have an IP address cached on their DNS servers. If everyone was running DNS, Google's servers are going to get hammered, since queries won't just be coming from a few thousand ISPs but from a few hundred million users.
Also, as hard as it is to patch DNS servers now, can you imagine if everyone was running DNS? Instead of patching a few thousand machines, you'd have to patch a few hundred million. |
|
ztmike
Mark for moderation
Premium
join:2001-08-02
Michigan City, IN | DNS flaw..
All these "experts" keep putting out that there's security flaws, yet nothing ever happens..
OmGz teh interwebs is going to FaIL!!!1!1 ...
Hasn't happened and until it does, I'll keep yawning.
--
WhY sO SeRiOUs!? |
|
ISurfTooMuch
join:2007-04-23
Tuscaloosa, AL
| And this is the same attitude that keeps many users from cleaning the viruses, worms, and trojans off their machines.
If this exploit turns out to be as easy as it's reported to be, you're going to see it used a lot. The Internet won't fail, but a lot of folks are going to get scammed. If you don't think it will happen, check your spam folder and see all the phishing attempts out there. Right now, if you're a careful user and don't get infected, you can be reasonably safe. If this DNS exploit is used, you won't be able to trust any site you're visiting as being legit. |
|
insomniac84
join:2002-01-03
Schererville, IN | We will see it a lot only because:
step 1 - alter dns records
step 2 - ?????
step 3 - profit |
|
mworks
join:2006-06-13
Faison, NC | Add charter
Add charter to the list of unpatched servers.
Ones in my area, NC are vulnerable . |
|
mworks
join:2006-06-13
Faison, NC
| reply to insomniac84
Re: DNS flaw..
said by insomniac84  :We will see it a lot only because: step 1 - alter dns records step 2 - ????? step 3 - profit Alter a site like bank of america, grab login info for just 5 minutes and walk away with thousands . |
|
Nerdtalker
Working Hard, Or Hardly Working?
Premium,MVM
join:2003-02-18
Tucson, AZ
clubs: | reply to ronpin
Re: DNS outdated
Or you could just use OpenDNS, which, by the way, was secure the whole time.
::shrug:: |
|
ISurfTooMuch
join:2007-04-23
Tuscaloosa, AL
| reply to insomniac84
Re: DNS flaw..
Ah, but I can complete that for you.
step 1 - alter dns records
step 2 - redirect users from legit commerce and banking sites to lookalike phishing sites
step 3 - grab credit card numbers and usernames/passwords
step 4 - shop with stolen cards, sell stolen card numbers, and drain bank accounts
step 5 - profit |
|
Cabal
Premium
join:2007-01-21
Boston, MA
| reply to ztmike
It doesn't happen thanks to a massive, 80+ vendor coordinated patch to DNS services, including every major ISP on the planet. Way to be naive, though.
»With DNS Flaw Now Public, Attack Code Imminent
»Poor NAT design leaves some patched DNS servers vulnerable
»DNS Critical Flaw Explained?
»Internet flaw could let hackers take over the Web
--
Interested in open source engine management for your Subaru? |
|
baineschile1
@comcast.net | reply to ISurfTooMuch
never understood people that shopped online with stolen credit card numbers. if i buy a plasma...dont i have to have it "shipped somewhere"? |
|
ISurfTooMuch
join:2007-04-23
Tuscaloosa, AL
| reply to Cabal
It doesn't happen if the ISPs take heed and patch their DNS servers. If you read the article, you'd see that many have yet to do so.
Issuing warnings is great, but warnings don't fix the problem. Acting on those warnings does, and many ISPs seem to be asleep at the switch. |
|
ISurfTooMuch
join:2007-04-23
Tuscaloosa, AL
| reply to baineschile1
You'd think that would be a deterrant, but people seem to still get away with it. And I'd imagine many stolen card numbers would be printed on counterfeit cards and used overseas. I doubt a shop in Moscow or Shanghai is going to care too much if a card is stolen as long as the transaction is approved. The shop owner is going to sell the goods for a profit, and they can always deny they knew the card was stolen if they're asked about it.
Still, I think the big money would be in selling the numbers. The seller gets their money, and the buyers use the cards until they're canceled. |
|
tmh
@qwest.net | Home routers still vulnerable?
Some (Belkin comes to mind) routers provide a local DNS cache for the LAN side. I'm not aware of any large scale push to get owners to upgrade their router firmware.
Perhaps the same attack can still work? |
|
jlivingood
Premium,VIP
join:2007-10-28
Philadelphia, PA
| Inaccurate re Comcast
Your statement that Comcast has not patched their systems is incorrect. Please see your own forum on this question @ »[DNS] Comcast and the DNS Server flaw issue
JL |
|
cornelius785
join:2006-10-26
Worcester, MA
| reply to ronpin
Re: DNS outdated
well let's see, if the URL is not cached in your dns server, it has to ask for it in another server (not yours). if that server's record is incorrect, well guess what, yours will be incorrect.
i also don't really see the advantage of running your own DNS server for most people. sure it may be faster, but the dns retrieval is nearly nothing compared to the downloading of content and then processing. |
|
morbo
Complete Your Transaction
join:2002-01-22
00000
clubs:
·Charter Pipeline
 ·AT&T Southwest
| reply to baineschile1
Re: DNS flaw..
said by baineschile1 :
never understood people that shopped online with stolen credit card numbers. if i buy a plasma...dont i have to have it "shipped somewhere"?
there's no real enforcement out there for these smallish crimes. local police won't touch it and credit card companies prefer to write it off, as long as it's not too much.
the lawyers and effort would cost them more than it's worth.
sad but true. |
|
Boricua65
join:2002-01-26
Puerto Rico |  reply to Nerdtalker
Re: DNS outdated
Thank you for that. My is now fixed.
--
Yo te digo, el mundo esta jodido |
|
haze_nme
join:2004-01-13
Tucson, AZ | reply to baineschile1
Re: DNS flaw..
You can get away with using stolen card numbers for intangible things like memberships to sites, or for purchasing more domain names/hosts. |
|
