DNS getting lots of attention today

09Jul08

There are some really smart guys over at IOActive and one of them happens to be Dan Kaminsky. I’ve met Dan once, read some of his stuff, and heard a bunch of interesting stories… I sure am glad that I’m not on his shit list. A few months back Dan was playing around with DNS and found a flaw; this isn’t too surprising because, after all, that is what this guy does. It wasn’t just any flaw, however: it was a major flaw, serious enough to bring together multiple vendors to work on a solution and coordinate a release date for a patch.

Can you remember when vendors all joined hands, worked together, came up with a solution, and coordinated a single day to release the patch?  Not only that, but this has been kept under wraps really well over the past 4+ months while it has been talked about and worked on.  To me that is more impressive than any patch that is released.

Anyway, back to the DNS stuff. Today is the patch release day and the short story is that you should patch your name servers ASAP. You should really patch all your systems, since DNS clients are at risk too, but name servers are the most important to patch. You not only need to worry about your internal DNS servers, but also your upstream servers. Dan has a link on his site that will let you test whether or not you are “safe”. If you try this and it reports back that your upstream provider is vulnerable, shoot them an email to find out when they plan on patching, or start using another DNS server that is patched.

Usually a patch is released with all the gory details of the vulnerability, but the exact details of this flaw have not been released yet. Dan plans on releasing the details during his presentation at Black Hat in Vegas, which is a month away. The rationale is that delaying the release of details buys some time for systems to be patched before exploits start popping up. Don’t assume this means people won’t reverse engineer the patch sooner… go patch.

CERT has released a vulnerability note with some details. You can find some decent info in there, including some vendor notes. Rich Mogull over at Securosis has a good write-up and an interview with Dan that I recommend you listen to.

Oh, and did I mention… go patch. 😉

*Update*

Dan Kaminsky has updated his blog with a post about this whole thing.

Chris Eng from Veracode has an interesting post surrounding this as well.

2 Responses to “DNS getting lots of attention today”

  1. DMB411

    Glad to see you are writing more regularly again. Thanks for writing about this and for the links. So do you think this is as major an issue as everyone is making it out to be?

  2. Dan

    Yes and No.

    The vulnerability could potentially have a serious impact on a large scale if it were exploited so I would agree that it is a major issue that needs to be addressed ASAP. On the other hand, DNS was never an absolutely secure protocol to begin with so to think that this news means you need to storm into your CEO’s office and tell him everything needs to get shut down mid-day so that you can install the patches would be overkill.

    Update your name servers as soon as possible to mitigate the largest risk. For everything else I would treat this vulnerability equal to any other vulnerability that impacts the majority if not all of your systems. Follow your normal procedure for patch management and get these applied in a timely manner. If you don’t have a normal procedure… then now is a good time to put one together. It doesn’t have to be done today, but I wouldn’t put it off too long without a really good reason.
