Fixing the DNS security hole with OpenDNS

by billso on Friday, 25 July 2008

News is trickling into the mainstream media about the DNS security hole that Dan Kaminsky found a while back. It's a problem that has existed for years in the DNS software used on almost every major computing platform. With a trivial amount of CPU power, a cracker can redirect a web browser from a legitimate domain name to whatever server they wish. In some ways, it resembles a pharming attack. Details on how to perform the attack were made available this week, and there's a brief description in a Register article called Exploit code for Kaminsky DNS bug goes wild.

The Domain Name System matches human-readable domain names like billso.com to their corresponding numeric IP addresses. If DNS is broken, the Internet is more or less broken.

Patches for these systems were released after 8 July 2008, when Kaminsky announced that the bug did indeed exist. Many server administrators haven't installed the new DNS software yet.

According to another Register article called World's biggest ISPs drag their feet on critical DNS patch, the following providers haven't applied the patch on their ISP networks:

I tested Hawaiian Telcom's DSL network last night: they failed, too.

I haven't heard whether Comcast has fixed their DNS servers, but based on the New York Times article called Complaining Bloggers Have a Cable Company's Ear, I'd think Comcast would respond quickly to blogged complaints about their DNS service.

HPU's DNS servers on the wired and WiFi networks passed the test this morning when I checked them, and I've received confirmation that they patched their servers earlier this week. That's good news, since HPU's primary ISP is Oceanic Time Warner.

You can fix the DNS hole yourself

ISPs must offer certain services as part of an Internet connection. DNS is one of these services. Many ISPs run their own DNS servers, which connect to larger servers on the backbone. Corporations usually have their own DNS servers inside their network, to help users connect to internal resources like printers, servers, and network shares.

But residential users don't HAVE to use their ISP's DNS in most cases. If you have your own router at home, or you just plug your computer into a cable modem or a nearby WiFi network, you can use Dan Kaminsky's tool to see if your DNS server is vulnerable. Use the Check Your DNS button in the upper-right corner of his blog pages at doxpara.com.
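To show what a "Check Your DNS" style test actually measures, here is an added example (not from this post and not Kaminsky's tool) that scores a resolver from the UDP source ports and transaction IDs it used when querying an authoritative server you control; the sample observations are constructed, and the 16-entry samples and thresholds are assumptions.

```python
# Added example: score a recursive resolver's query randomization.
# Background (not stated in the post above): the Kaminsky attack works by
# guessing the 16-bit DNS transaction ID of an in-flight query; the July 2008
# patches added UDP source-port randomization so the guess space becomes
# port x txid. A resolver that keeps using one port, or a narrow sequential
# range, is the pattern a defender-side check should flag.
import math
from collections import Counter

def shannon_entropy_bits(values):
    """Empirical Shannon entropy (bits) of a list of observed values."""
    counts = Counter(values)
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def assess_resolver(observations):
    """observations: list of (udp_source_port, dns_txid) pairs recorded on
    the authoritative side for queries one recursive resolver sent us.
    Returns metrics plus a verdict string."""
    n = len(observations)
    if n < 8:                      # too few queries to say anything useful
        return {"verdict": "insufficient-data", "samples": n}
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    distinct_ports = len(set(ports))
    port_span = max(ports) - min(ports)
    if distinct_ports == 1:
        verdict = "fixed-source-port"    # the unpatched behaviour
    elif distinct_ports < 0.5 * n or port_span < 1024:
        verdict = "low-port-entropy"     # sequential or narrow-range ports
    else:
        verdict = "randomized"
    return {"samples": n, "distinct_ports": distinct_ports,
            "port_span": port_span,
            "port_entropy_bits": round(shannon_entropy_bits(ports), 2),
            "txid_entropy_bits": round(shannon_entropy_bits(txids), 2),
            "verdict": verdict}

# Constructed samples (not real captures): 16 queries each.
_TXIDS = [(0x1234 + 977 * i) % 65536 for i in range(16)]
FIXED_PORT_SAMPLE = [(32768, t) for t in _TXIDS]
SEQUENTIAL_SAMPLE = [(40000 + i, t) for i, t in enumerate(_TXIDS)]
RANDOM_SAMPLE = list(zip([4123, 51877, 9921, 60004, 33210, 17777, 45051, 28006,
                          61999, 3011, 50242, 12345, 39870, 21000, 57711, 8888],
                         _TXIDS))

if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_PORT_SAMPLE),
                         ("sequential", SEQUENTIAL_SAMPLE),
                         ("random", RANDOM_SAMPLE)]:
        print(name, assess_resolver(sample))
```

The txid entropy is reported alongside the port figures because a resolver with random ports but predictable transaction IDs is still weaker than the combined 32-bit space the patch is meant to provide.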

For those of you on a school or company's network, please check with your IT or network staff before changing your DNS settings.


If your ISP or WiFi network is using a vulnerable DNS server, you can use a free system called OpenDNS that is probably faster and safer than what you're already using. It takes about 5 minutes to change your computer's or your router's domain name settings to use the OpenDNS servers.

Make sure you have administrative rights on your computer or router. Read the OpenDNS tutorial and make the appropriate choices. Be sure to reboot or restart your computer after confirming the changes. You may find that your Internet connection seems faster. That's a nice benefit of OpenDNS for many users.

OpenDNS also screens out phishing sites, and lets users block or restrict access to entire categories of sites and specific URLs.

Chris Pirillo of Lockergnome has been ranting about the hole for several days now, but he's got a point. Read his article called Is Your DNS Server Safe? for his thoughts.

Updated 29 July 2008 1930 HT: Here's an article from John Markoff of the New York Times called With Security at Risk, a Push to Patch the Web. Kaminsky estimates that 41% of all DNS servers still need the patch. With Kaminsky's presentation coming up next week at the Black Hat conference, the clock is ticking. This article by Robert Westervelt of Security News called DNS flaw handling leaves Kaminsky pleased has some good quotes from Kaminsky about the scope of the DNS hole.
