 SUMware Premium join:2002-05-21
1 edit | reply to NetWatchMan Re: Exploit code for Kaminsky DNS Bug Goes Wild
said by NetWatchMan :Please...take the time to understand the implications of this issue...they are profound and represent the most serious and widespread security issue to impact the Internet to date: I would also encourage everyone who can to please take some time to educate others you know about this issue who might be less technically inclined. Thank you for the added emphasis. I've already emailed my contacts, explaining this situation. If ISP servers test vulnerable, a currently viable mitigation is to consider using OpenDNS. |
|
 SipSizzurp Fo' Shizzle Premium join:2005-12-28 Hilo, HI
·RoadRunner Cable
| said by SUMware :...consider using OpenDNS. Do you have the DNS IP address that I can put into my router ? -- I spent most of my money on Women and Beer, and the rest I just wasted ! |
|
  Rogue Wolf Is Kind Of A Big Deal In Yemen
join:2003-08-12 Troy, NY
·RoadRunner Cable
| said by SipSizzurp :Do you have the DNS IP address that I can put into my router ? There's two. 208.67.222.222 208.67.220.220 The site will have a guide on how to change your router's settings to do this, if necessary. -- Four gods wait on a windowsill, Where once eight gods did war and will. And if the gods themselves may die, What does that say for you and I? |
|
 SipSizzurp Fo' Shizzle Premium join:2005-12-28 Hilo, HI | Thanks ! I know several commercial customers that use Road Runner. These will be handy. -- I spent most of my money on Women and Beer, and the rest I just wasted ! |
|
  Sparrow Crystal Sky Premium join:2002-12-03 Sachakhand
| reply to SUMware said by SUMware :said by NetWatchMan :Please...take the time to understand the implications of this issue...they are profound and represent the most serious and widespread security issue to impact the Internet to date: I would also encourage everyone who can to please take some time to educate others you know about this issue who might be less technically inclined. Thank you for the added emphasis. I've already emailed my contacts, explaining this situation. If ISP servers test vulnerable, a currently viable mitigation is to consider using OpenDNS. SUMware and NetWatchMan, thank you very much for the link to OpenDNS and emphasizing the seriousness of this latest exploit.
I will also encourage anyone having not "great" reports at either of the sites listed below to do the same. I have sent numerous e-mails out explaining the configuration is easy enough for the not-so computer savvy and explained they should write down their current router settings in case OpenDNS does not work or they err in configuration.
said by SUMware :To test if your ISP's nameservers are vulnerable to this type of attack visit: https://www.dns-oarc.net/oarc/services/dnsentropy - and - www.doxpara.com/ (click the button that says "check my DNS") I reset my router to OpenDNS and I went from 3 "Poor"s to 3 "Great"s and currently "safe." My provider is Verizon.
Excellent info in this thread. |
|
  NetFixer Freedom is NOT Free Premium join:2004-06-24 Murfreesboro, TN
·Vonage
·AT&T Southeast
·Cingular Wireless
·AT&T CallVantage
| reply to SUMware said by SUMware :If ISP servers test vulnerable, a currently viable mitigation is to consider using OpenDNS. Another current alternative, if one does not want to jump through the hoops to set up an account at OpenDNS to get "vanilla" DNS without the filtering and redirecting, is to use the Level3 4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4, 4.2.2.5, and 4.2.2.6 servers. They also currently pass the www.doxpara.com and www.dns-oarc.net tests.
I currently point to my local Win 2k server first, with fall backs to Level3, then OpenDNS (yes I use OpenDNS, but it was a PITA to set up with a load balancing router). -- We can never have enough of nature. We need to witness our own limits transgressed, and some life pasturing freely where we never wander. Test your firewall. |
|
 SUMware Premium join:2002-05-21
1 edit | said by NetFixer :if one does not want to jump through the hoops to set up an account at OpenDNS It is completely unnecessary to open an account at OpenDNS. I have never had one. Just use their IP addys and follow their instructions without opening an account.
OpenDNS states that creating an account is optional. |
|
  NetFixer Freedom is NOT Free Premium join:2004-06-24 Murfreesboro, TN
·Vonage
·AT&T Southeast
·Cingular Wireless
·AT&T CallVantage
1 edit | said by SUMware :said by NetFixer :if one does not want to jump through the hoops to set up an account at OpenDNS It is completely unnecessary to open an account at OpenDNS. I have never had one. Just use their IP addys and follow their instructions without opening an account. OpenDNS states that creating an account is optional. Unnecessary and/or optional for you perhaps, but I require unfiltered unmodified DNS, and the only way to get that from OpenDNS is to create an account and register your IP addresses. If you do not open an account and register your IP addresses, OpenDNS has no way of knowing who you are to be able to apply your desired settings, and you will get their default filtering and redirection.
This filtering and redirection by my definition is actually poisoned DNS, which is what we are trying to avoid. The difference between the OpenDNS poisoning and poisoning by a malicious third party is intent, and of course the public declaration by OpenDNS that the DNS replies may indeed be modified unless you open an account and set up your own requirements to override their default settings.
Don't misunderstand my post here. OpenDNS is a great service, and many people can benefit from their filtering and redirection, but that same filtering and redirection can wreak havoc if you really need accurate, unfiltered, and unredirected DNS results. -- We can never have enough of nature. We need to witness our own limits transgressed, and some life pasturing freely where we never wander. Test your firewall. |
|
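Added example, not part of any post in this thread: a check for one observable form of the reply modification discussed above, namely a resolver that returns an address for a name that does not exist instead of passing NXDOMAIN through. The probe name under example.com, the function names and the sample packets are assumptions constructed for illustration, and the parser assumes the reply echoes the question bytes unchanged.

```python
import secrets
import socket
import struct

def build_query(name, txid):
    """Encode a recursive A/IN query for `name` with transaction ID `txid`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def classify_reply(query, reply):
    """Classify a resolver's reply to a query for a name that should not exist."""
    if len(reply) < len(query):
        return "malformed"
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    # Reject replies that do not match our ID and question, or are not responses.
    if reply[:2] != query[:2] or not flags & 0x8000 or reply[12:len(query)] != query[12:]:
        return "mismatch"
    rcode = flags & 0x000F
    if rcode == 3 and ancount == 0:
        return "unmodified"      # NXDOMAIN passed through as-is
    if rcode == 0 and ancount > 0:
        return "redirected"      # an answer was synthesized for a nonexistent name
    return "other"

def probe(resolver_ip, timeout=3.0):
    """Live check: ask `resolver_ip` for a random name that should not exist."""
    name = secrets.token_hex(12) + ".example.com"   # assumed-nonexistent probe name
    query = build_query(name, secrets.randbelow(65536))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        reply, _ = s.recvfrom(4096)
    return classify_reply(query, reply)

# Constructed sample packets (not captured traffic) so the parser runs offline.
SAMPLE_QUERY = build_query("nx-check.example.com", 0x1234)
_Q = SAMPLE_QUERY[12:]
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _Q
SAMPLE_REDIRECTED = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _Q
                     + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 0, 4)
                     + bytes([192, 0, 2, 1]))        # 192.0.2.1 = documentation range
SAMPLE_WRONG_ID = b"\x99\x99" + SAMPLE_NXDOMAIN[2:]

if __name__ == "__main__":
    for label, pkt in [("nxdomain", SAMPLE_NXDOMAIN), ("redirected", SAMPLE_REDIRECTED)]:
        print(label, "->", classify_reply(SAMPLE_QUERY, pkt))
```

Calling `probe()` with a resolver address from the thread runs the same classification against live replies; repeat it a few times before drawing a conclusion from a single answer.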
  Rogue Wolf Is Kind Of A Big Deal In Yemen
join:2003-08-12 Troy, NY
·RoadRunner Cable
1 edit | reply to SUMware said by SUMware :said by NetFixer :if one does not want to jump through the hoops to set up an account at OpenDNS It is completely unnecessary to open an account at OpenDNS. I have never had one. Just use their IP addys and follow their instructions without opening an account. OpenDNS states that creating an account is optional. I think what NetFixer is getting at is that to get "clean" DNS service (no redirects, etc) you have to sign up for an account. Which is alright with me- I don't have any programs or procedures that require that.
EDIT: Darn you, stop being so fast!  -- Four gods wait on a windowsill, Where once eight gods did war and will. And if the gods themselves may die, What does that say for you and I? |
|
  NetFixer Freedom is NOT Free Premium join:2004-06-24 Murfreesboro, TN
·Vonage
·AT&T Southeast
·Cingular Wireless
·AT&T CallVantage
| said by Rogue Wolf :EDIT: Darn you, stop being so fast! If that comment is targeted to me, thank you. With my tired old body and stiff arthritic joints (including my fingers), I don't hear something like that very often. It is usually more like "hurry up, what is taking you so long".  -- We can never have enough of nature. We need to witness our own limits transgressed, and some life pasturing freely where we never wander. Test your firewall. |
|
 SUMware Premium join:2002-05-21
| reply to NetFixer said by NetFixer :I require unfiltered unmodified DNS, and the only way to get that from OpenDNS is to create an account and register your IP addresses. If you do not open an account and register your IP addresses, OpenDNS has no way of knowing who you are to be able to apply your desired settings, and you will get their default filtering and redirection. Understand. I do not have the same requirements as you. Having no account, and OpenDNS' defaults, works fine for me. |
|
  spy1 Welcome to Amerika Premium join:2002-06-24 Charlotte, NC
| reply to SUMware Thanks for the reminder about OpenDNS. I had thought that I was already using it (I was on the router before this upgraded, faster one from my ISP) - but after reading this I checked it just to be on the safe side and sure enough, I wasn't.
Went to both websites mentioned and found out that my ISP's DNS' failed. Re-set up OpenDNS and everything came out great.
Thanks. Pete |
|