Multiple Vendors Tackle DNS Design Flaw
Dan Kaminsky's demonstrations prompt industry-wide response
by Karl Bode Wednesday 09-Jul-2008 tags: business · hardware · security · networking
Microsoft, Sun, Cisco and other vendors yesterday released updates that fixed a fundamental design flaw in the Domain Name System (DNS) protocol. That flaw, according to US-CERT, involved DNS poisoning, a trick that allows a hacker to redirect unwitting surfers to alternate addresses. Though DNS poisoning has been around for a while, researcher Dan Kaminsky has been demonstrating the very specific ways in which this design flaw can be used by hackers. His comments in the LA Times:

Kaminsky said he stumbled across the hole in the so-called DNS system for steering people to the websites they are seeking "by complete and total accident." Smaller DNS flaws have been used before to "poison" the servers that send people to the numerical address of the website name they enter. But this failing is at least one order of magnitude bigger, and perhaps several.

The flaw could allow a hacker to "poison" the DNS records of network providers, directing online bankers to alternative scam sites. Kaminsky isn't getting any more specific about the fix, out of fears that hackers will reverse-engineer their way around the design repair.


shopkins

join:2008-05-23
Nepean, ON

Quick Responses - Teksavvy

Proof as to why Teksavvy is a great ISP - we posted in their forum on DSLR yesterday and by midnight they had applied the patches. That is service!

Romney2012
Defeat Obama 2012-Chg we can believe in
Premium
join:2002-03-03
USA
kudos:4

Re: Quick Responses - Teksavvy

said by shopkins:

Proof as to why Teksavvy is a great ISP - we posted in their forum on DSLR yesterday and by midnight they had applied the patches. That is service!
Better that the problem was avoided altogether like the OpenDNS service did. If you used OpenDNS for your DNS servers you never were exposed at all.

More info on this security issue here in the BBR Security forum: »Internet flaw could let hackers take over the Web

shopkins

join:2008-05-23
Nepean, ON
Reviews:
·TekSavvy DSL

Re: Quick Responses - Teksavvy

said by Romney2012:

Better that the problem was avoided altogether like the OpenDNS service did. If you used OpenDNS for your DNS servers you never were exposed at all.

More info on this security issue here in the BBR Security forum: »Internet flaw could let hackers take over the Web
True - apparently the potential exploit of the flaw has been known for a while (recall reading a comment that the DNS system has been known to be broken for a while). OpenDNS is a good solution for someone with some knowledge but I am pretty sure that the big ISPs (Bell, Telus & Rogers in Canada) would not pre-configure their service to use someone else's DNS. And 99% of internet users would never even want to fiddle with those settings... unlike those of us here on DSLR that have a higher comfort level with these changes.

Unsure exactly what TekSavvy did to patch their system but I would guess (since they said that they are not on an MS system) that they upgraded their BIND from v8 to v9. But that is pure speculation because I can honestly say that I do not know what that last sentence implies wrt ease of an upgrade.

sporkme
drop the crantini and move it, sister
Premium,MVM
join:2000-07-01
Morristown, NJ
Reviews:
·Optimum Online

Re: Quick Responses - Teksavvy

said by shopkins:

True - apparently the potential exploit of the flaw has been known for a while (recall reading a comment that the DNS system has been known to be broken for a while).
Sometimes the nutjobs are 100% right:

»cr.yp.to/djbdns/forgery-cost.txt

Rob
In Deo speramus, God Bless the USA
Premium
join:2001-08-25
Kendall, FL
kudos:2

1 edit
said by Romney2012:

said by shopkins:

Proof as to why Teksavvy is a great ISP - we posted in their forum on DSLR yesterday and by midnight they had applied the patches. That is service!
Better that the problem was avoided altogether like the OpenDNS service did. If you used OpenDNS for your DNS servers you never were exposed at all.

More info on this security issue here in the BBR Security forum: »Internet flaw could let hackers take over the Web
Not to take credit away from OpenDNS, but shopkins is referring to an ISP.

When was the last time you saw an ISP be so proactive and respond so quickly to these types of issues? I know I haven't. It's good to see TekSavvy be so quick to respond and update their systems - high five to them.

en102
Canadian, eh?

join:2001-01-26
Valencia, CA

Re: Quick Responses - Teksavvy

DSL Extreme has been typically quick to respond... however, they also did attempt to install Zone finder once.
--
Canada = Hollywood North

NetAdmin1
CCNA

join:2008-05-22
said by Romney2012:

Better that the problem was avoided altogether like the OpenDNS service did.
That's because OpenDNS's systems use a non-standard, in-house product for their DNS services.
--
---
Over ten plus years of carrying The Clue Bat...

dvd536
as Mr. Pink as they come
Premium
join:2001-04-27
Phoenix, AZ
kudos:4

Re: Quick Responses - Teksavvy

Is there a PoC somewhere you can test your provider's servers at?

NetAdmin1
CCNA

join:2008-05-22

Re: Quick Responses - Teksavvy

said by dvd536:

Is there a PoC somewhere you can test your provider's servers at?
There is not one listed in the CERT advisories and I haven't seen anything on NANOG. The CERT advisory does give a list of affected products at the bottom of the notice:

»www.kb.cert.org/vuls/id/800113
--
---
Over ten plus years of carrying The Clue Bat...

supergirl

join:2007-03-20
Pensacola, FL
said by shopkins:

Proof as to why Teksavvy is a great ISP - we posted in their forum on DSLR yesterday and by midnight they had applied the patches. That is service!
They are.

"Gee, when I went to Vatican.org, I wound up at girlsgonewild.com. Weird! Girls didn't do that stuff at my college." -Pope Benedict
--
Saving the world keeps me busy. However, I find Earth very primitive from my home planet of Krypton.
-Supergirl

ac6bw

join:2003-11-09
San Jose, CA

DNS Changes affecting SW Firewalls

Just FYI, if anyone is using Zone Alarm: The DNS changes implemented in the latest Windows update appear to have caused a loss of Internet connectivity through some SW firewalls, such as Zone Alarm. The recommended temporary fix is to manually add the IP addresses of your DNS servers to the firewall. The problem is documented at Zone Lab's website.
