DNS getting lots of attention today
There are some really smart guys over at IOActive, and one of them happens to be Dan Kaminsky. I've met Dan once, read some of his stuff, and heard a bunch of interesting stories. I sure am glad that I'm not on his shit list. A few months back Dan was playing around with DNS and found a flaw; this isn't too surprising, because after all that is what this guy does. It wasn't just any flaw, however. It was serious enough to bring multiple vendors together to work on a fix and to coordinate a single release date for the patch.
Can you remember the last time vendors all joined hands, worked together, came up with a solution, and coordinated a single day to release the patch? Not only that, but this has been kept under wraps remarkably well over the past four-plus months while it was being discussed and worked on. To me that is more impressive than any patch that gets released.
Anyway, back to the DNS stuff. Today is the patch release day, and the short story is that you should patch your name servers ASAP. You should really patch all your systems, since DNS clients are at risk as well, but the name servers are the most important to patch. You not only need to worry about your internal DNS servers but also about your upstream resolvers. Dan has a link on his site that will test whether or not the resolver you are using is "safe". If you try it and it reports that your upstream provider is vulnerable, shoot them an email to find out when they plan on patching, or start using another DNS server that has already been patched.
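The "safe" test above looks, in essence, at whether your resolver has started randomizing the UDP source port of its outbound queries, which is what the coordinated patch changed (the CERT note covers this). If you can capture your resolver's outbound traffic, you can run the same kind of check offline. The script below is an added example, not code from this post, from Dan's site, or from any vendor: it parses tcpdump-style summary lines (the format is an assumption), pulls out the source ports the resolver used, and classifies them. The capture lines and the resolver address 192.0.2.10 are constructed sample data, not a real capture.

```python
"""Offline check of a resolver's UDP source-port behaviour from a packet capture.

Added example, not from this post. A patched resolver randomizes the UDP
source port of its outbound queries; an unpatched one reuses a single port
or counts upward. Given tcpdump-style summary lines of the resolver's
outbound queries, classify what it sees.
"""
import re

# Constructed sample, not a real capture: an unpatched resolver (192.0.2.10)
# sending every query from source port 53. The last line is an inbound reply
# and must be ignored. tcpdump's "IP src.port > dst.port:" summary format is
# assumed here.
SAMPLE_CAPTURE = """\
IP 192.0.2.10.53 > 198.51.100.1.53: 41001+ A? example.com. (29)
IP 192.0.2.10.53 > 198.51.100.1.53: 41002+ A? example.net. (29)
IP 192.0.2.10.53 > 198.51.100.2.53: 41003+ MX? example.org. (29)
IP 192.0.2.10.53 > 198.51.100.1.53: 41004+ A? www.example.com. (33)
IP 192.0.2.10.53 > 198.51.100.3.53: 41005+ AAAA? example.com. (29)
IP 192.0.2.10.53 > 198.51.100.1.53: 41006+ A? mail.example.net. (34)
IP 192.0.2.10.53 > 198.51.100.2.53: 41007+ NS? example.org. (29)
IP 192.0.2.10.53 > 198.51.100.1.53: 41008+ A? ftp.example.com. (33)
IP 192.0.2.10.53 > 198.51.100.3.53: 41009+ A? example.edu. (29)
IP 192.0.2.10.53 > 198.51.100.1.53: 41010+ TXT? example.com. (29)
IP 198.51.100.1.53 > 192.0.2.10.53: 41010 1/0/0 TXT "v=spf1 -all" (54)
"""

# IPv4 only: "IP <src>.<sport> > <dst>.<dport>: ..."
LINE_RE = re.compile(r"^IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): ")


def outbound_source_ports(capture_text, resolver_ip):
    """Return the source ports of queries sent by resolver_ip to port 53."""
    ports = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == resolver_ip and m.group(4) == "53":
            ports.append(int(m.group(2)))
    return ports


def assess_port_randomization(ports, min_samples=10):
    """Classify a sequence of observed source ports.

    FIXED_PORT  - every query used the same port (classic unpatched behaviour)
    SEQUENTIAL  - ports increment by one per query (trivially predictable)
    RANDOMIZED  - nearly all ports distinct and spread over a wide range
    WEAK        - anything else (repeats, or a narrow range)
    """
    if len(ports) < min_samples:
        raise ValueError(f"need at least {min_samples} samples, got {len(ports)}")
    distinct = len(set(ports))
    if distinct == 1:
        return "FIXED_PORT"
    deltas = {b - a for a, b in zip(ports, ports[1:])}
    if deltas == {1}:
        return "SEQUENTIAL"
    spread = max(ports) - min(ports)
    # Heuristic thresholds: almost no repeats in the sample, and a spread that
    # shows the resolver is drawing from more than a few thousand ports.
    if distinct >= 0.9 * len(ports) and spread >= 4096:
        return "RANDOMIZED"
    return "WEAK"


if __name__ == "__main__":
    ports = outbound_source_ports(SAMPLE_CAPTURE, "192.0.2.10")
    print(f"{len(ports)} outbound queries, verdict: {assess_port_randomization(ports)}")
```

A dozen queries can only catch the obviously broken cases (one port, or a counter); they cannot prove the port selection is strong, so treat RANDOMIZED as "not visibly bad" rather than a clean bill of health. Note also that a NAT device between the resolver and the Internet can rewrite the source ports and undo the randomization, so capture on the outside of any NAT if you can. To check an upstream resolver you do not control, you need an authoritative server of your own to observe the queries on, which is essentially what Dan's web test does for you.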
Usually a patch is released with all the gory details of the vulnerability, but the exact details of this flaw have not been released yet. Dan plans to release them during his presentation at Black Hat in Vegas, which is a month away. The rationale is that holding back the details buys some time for systems to be patched before exploits start popping up. Don't assume this means nobody will reverse-engineer the patch sooner. Go patch.
CERT has released a vulnerability note with some details, including notes from the affected vendors. Rich Mogull over at Securosis has a good write-up and an interview with Dan that I recommend you listen to.
Oh, and did I mention... go patch. 😉
Dan Kaminsky has updated his blog with a post about this whole thing.
Chris Eng from Veracode has an interesting post surrounding this as well.