Search:  

 
theme to black backgroundlet page decide theme
HomeFind ServiceReviewsISP NewsFAQsForumsToolsDatabaseAbout 
 
   News
newer
story category Multiple Vendors Tackle DNS Design Flaw
Dan Kaminsky's demonstrations prompt industry-wide response
(old news - 08:21AM Wednesday Jul 09 2008)
tags: business · hardware · security · networking
Microsoft, Sun, Cisco and other vendors yesterday released updates that fixed a fundamental design flaw in the Domain Name System (DNS) protocol. That flaw, according to US-CERT, involved DNS poisoning, a trick that allows a hacker to redirect unwitting surfers to alternate addresses. Though DNS poisoning has been around for a while, researcher Dan Kaminsky has been demonstrating the very specific ways in which this design flaw can be used by hackers. His comments in the LA Times:
Click for full size
Kaminsky said he stumbled across the hole in the so-called DNS system for steering people to the websites they are seeking "by complete and total accident." Smaller DNS flaws have been used before to "poison" the servers that send people to the numerical address of the website name they enter. But this failing is at least one order of magnitude bigger, and perhaps several.
The flaw could allow a hacker to "poison" the DNS records of network providers, directing online bankers to alternative scam sites. Kaminsky isn't getting any more specific about the fix, out of fears that hackers will reverse-engineer their way around the design repair.

Related:
  1. Wednesday Evening Links
  2. Comcast/Sandvine Traffic Managment System Evolves
  3. The Exaflood Isn't Coming After All
  4. There's Still Some Life Left In Copper
  5. Broadband Derailed By Fears Of Mutant Garlic
  6. Comcast Deploys Root Server On Comcast Network
  7. Metrocast Offers Fiber To The Home
  8. Hackable Time Warner Cable Modems Still Hackable?
Forums » Multiple Vendors Tackle DNS Design Flaw
view: topics flat text 
Post a:

shopkins

join:2008-05-23
Nepean, ON

Quick Responses - Teksavvy

Proof as to why Teksavvy is a great ISP - we posted in their forum on DSLR yesterday and by midnight they had applied the patches. That is service !
permalink · 2008-07-09 08:30:12 · Reply to this

GOLFnSUN
Enjoy the sun
Premium
join:2002-03-03
Avalon, NJ
·Sprint Mobile Broa..
·Comcast

Re: Quick Responses - Teksavvy

said by shopkins See Profile :

Proof as to why Teksavvy is a great ISP - we posted in their forum on DSLR yesterday and by midnight they had applied the patches. That is service !
Better that the problem was avoided all together like the OpenDNS service did. If you used OpenDNS for your DNS servers you never were exposed at all.

More info on this security issue here in the BBR Security forum: »Internet flaw could let hackers take over the Web
--
My BLOG .. .. Internet News .. .. My Web Page
permalink · 2008-07-09 08:34:22 · Print · Reply to this

shopkins

join:2008-05-23
Nepean, ON
·TekSavvy Solutions..
·Bell Sympatico

Re: Quick Responses - Teksavvy

said by GOLFnSUN See Profile :

Better that the problem was avoided all together like the OpenDNS service did. If you used OpenDNS for your DNS servers you never were exposed at all.

More info on this security issue here in the BBR Security forum: »Internet flaw could let hackers take over the Web
True - apparently the potential exploit of the flaw has been known for a while (recall reading a comment that the DNS system has been known to be broken for a while). OpenDNS is a good solution for someone with some knowledge but I am pretty sure that the big ISP's (Bell, Telus & Rogers in Canada) would not pre-configure their service to use someone else's DNS. And 99% of internet users would never even want to fiddle with those setting... unlike those of us here on DSLR that have a higher comfort level with these changes.

Unsure exactly what TekSavvy did to patch their system but I would guess (since they said that they are not on an MS system) that they upgraded their BIND from v8 to v9. But that is pure speculation because I can honestly say that I do not know what that last sentence implies wrt ease of an upgrade
permalink · 2008-07-09 08:41:53 · Print · Reply to this

sporkme
drop the crantini and move it, sister
Premium,MVM
join:2000-07-01
Morristown, NJ
·Optimum Online

Re: Quick Responses - Teksavvy

said by shopkins See Profile :

True - apparently the potential exploit of the flaw has been known for a while (recall reading a comment that the DNS system has been known to be broken for a while).
Sometimes the nutjobs are 100% right:

»cr.yp.to/djbdns/forgery-cost.txt
permalink · 2008-07-10 02:11:21 · Reply to this

Rob
In Deo speramus, God Bless the USA
Premium
join:2001-08-25
Kendall, FL
·Comcast

1 edit
said by GOLFnSUN See Profile :

said by shopkins See Profile :

Proof as to why Teksavvy is a great ISP - we posted in their forum on DSLR yesterday and by midnight they had applied the patches. That is service !
Better that the problem was avoided all together like the OpenDNS service did. If you used OpenDNS for your DNS servers you never were exposed at all.

More info on this security issue here in the BBR Security forum: »Internet flaw could let hackers take over the Web
Not to take credit away from OpenDNS, but shopkins is referring to an ISP.

When was the last time you saw an ISP be so proactive and respond so quickly to these type of issues? I know I haven't. It's good to see TekSavvy be so quick to respond and update their systems - high five to them.
permalink · 2008-07-09 08:48:49 · Print · Reply to this

en102
Canadian, eh?

join:2001-01-26
Valencia, CA

Re: Quick Responses - Teksavvy

DSL Extreme has been typically quick to respond.. however, they also did attempt to install Zone finder once.
--
Canada = Hollywood North
permalink · 2008-07-09 11:02:39 · Reply to this

NetAdmin
CCNA

join:2008-05-22
said by GOLFnSUN See Profile :

Better that the problem was avoided all together like the OpenDNS service did.
That's because OpenDNS's systems uses a non-standard, in-house product for their DNS services.
--
---
Over ten plus years of carrying The Clue Bat...
permalink · 2008-07-09 14:41:47 · Reply to this

dvd536
as Mr. Pink as they come
Premium
join:2001-04-27
Phoenix, AZ

Re: Quick Responses - Teksavvy

is there a PoC somewhere you can test your providers servers at?
permalink · 2008-07-09 18:03:45 · Reply to this

NetAdmin
CCNA

join:2008-05-22

Re: Quick Responses - Teksavvy

said by dvd536 See Profile :

is there a PoC somewhere you can test your providers servers at?
There is not one listed in the CERT advisories and I haven't seen anything on NANOG. The CERT advisory does give a list of affected products at the bottom of the notice:

»www.kb.cert.org/vuls/id/800113
--
---
Over ten plus years of carrying The Clue Bat...
permalink · 2008-07-09 18:10:28 · Print · Reply to this

supergirl

join:2007-03-20
Pensacola, FL
·Cox VOIP
·Skype
·Cox HSI
·AT&T Southeast
·magicjack.com
said by shopkins See Profile :

Proof as to why Teksavvy is a great ISP - we posted in their forum on DSLR yesterday and by midnight they had applied the patches. That is service !
They are.

"Gee, when I went to Vatican.org, I wound up at girlsgonewild.com. Weird! Girls didn't do that stuff at my college." -Pope Benedict
--
Saving the world keeps me busy. However, I find Earth very primitive from my home planet of Krypton.
-Supergirl
permalink · 2008-07-09 10:06:30 · Print · Reply to this
ac6bw

join:2003-11-09
San Jose, CA
·AT&T U-Verse

DNS Changes affecting SW Firewalls

Just FYI, if anyone is using Zone Alarm: The DNS changes implemented in the latest Windows update appear to have caused a loss of Internet connectivity through some SW firewalls, such as Zone Alarm. The recommended temporary fix is to manually add the IP addresses of your DNS servers to the firewall. The problem is documented at Zone Lab's website.
permalink · 2008-07-09 11:42:22 · Reply to this
Forums » Multiple Vendors Tackle DNS Design Flaw

Sunday, 08-Nov 16:32:27 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.