Blind_Pew

Joined: Oct 27, 2006 Posts: 168
|
Posted: Thu Aug 14, 2008 1:04 pm Post subject: opinion about DNS Exploit fix |
|
|
Looking for input about this. It's from the PC World Steve Bass newsletter.
It's a free fix for the DNS exploit.
This is the link to the article:
http://blogs.pcworld.com/tipsandtweaks/archives/007444.html
This is the fix he suggested (link): https://www.opendns.com/start
I thought about using it, just as another piece of security. I am behind a Netgear VPN Fs318 Firewall router.
Thanks, Blind_Pew
Baby_Tux

Joined: Mar 06, 2007 Posts: 1242
|
Posted: Thu Aug 14, 2008 2:38 pm Post subject: |
|
|
I checked into this & it sounds OK (I am definitely all for open source stuff) but if your ISP has patched their DNS servers then you already have basically the same thing. I saw (somewhere, can't recall - google?) a link to a site that lets you check your ISP's DNS for the patch. I recommend you do that & if OK, I'd just leave it at that.
Also, it is said that you should STILL patch your own machine. Personally, I have mixed thoughts as to whether that is really necessary but am still gathering info on it.
The patching of your machine, if you feel OK about M$'s crapola to do the update, go ahead. That's up to you. - personally, I don't, thus the checking - although, AT THIS POINT, it looks to be something that needs to be done but I'm still not sure so would rather not recommend either way at this time.
BTW: I also read that the "FIXING" is flawed & thought to be temporary at best & just will slow the exploit down. Don't know, I guess we'll see...
louis-the-cat

Joined: May 13, 2006 Posts: 307
|
Posted: Thu Aug 14, 2008 3:53 pm Post subject: |
|
|
Here's a site that lets you check the DNS..........if anybody can trust any site, anywhere, anymore.
http://www.doxpara.com
goretsky

Joined: Dec 07, 2002 Posts: 9662
Location: Southern California
|
Posted: Fri Aug 15, 2008 12:19 am Post subject: Re: opinion about DNS Exploit fix |
|
|
Hello,
I have been using the OpenDNS service for a while with no problems noted.
Chris Pirillo recorded a video here on YouTube discussing the DNS flaw and using the OpenDNS service to avoid it.
Regards,
Aryeh Goretsky
Baby_Tux

Joined: Mar 06, 2007 Posts: 1242
|
Posted: Fri Aug 15, 2008 1:12 am Post subject: |
|
|
louis-the-cat wrote:
> Here's a site that lets you check the DNS..........if anybody can trust any site, anywhere, anymore.
> http://www.doxpara.com
How true - one reason I'm reluctant to switch servers. I even wonder about what to do or what to recommend. And, like I said, they claim that WHATEVER we do may not be enough or the wrong things anyway. When it comes to computers, I usually draw a conclusion on such stuff pretty quick, but THIS one was me going in circles!
BTW: I even asked one of my instructors about this & I am STILL at a loss as to what is best. If / when I get enough info to make a definite decision, I'll post on it.
louis-the-cat

Joined: May 13, 2006 Posts: 307
|
Posted: Fri Aug 15, 2008 8:58 am Post subject: |
|
|
It looks as though my dns is "safe".......So I'm kinda thinking "wait and see" and "if it ain't broke...."
However, from what I can see there are other security advantages to using open dns.....in particular, I can configure open dns not just on my PC but my router.
Now since all the members of my family (wife & 2 teenagers) all surf away on their own machines, and I have serious doubts about their security consciousness at times, I can configure the router to block phishing sites etc.
I've got a question though.....so any thoughts would be appreciated....is it true or an urban myth that the problem isn't really a problem in Europe?
and
how long will it be before open dns gets compromised?
and
does the tie up between open dns and yahoo present me with any privacy issues?
Blind_Pew

Joined: Oct 27, 2006 Posts: 168
|
Posted: Fri Aug 15, 2008 11:09 am Post subject: |
|
|
Interesting situation. Checked my ISP DNS on two sites; secure on both.
Used this one too: https://www.dns-oarc.net/
Think along the same lines as you, louis-the-cat: if it ain't broke.
And you know there is a 12 year old somewhere trying his best to hack Open DNS
drwho07

Joined: Nov 29, 2007 Posts: 2240
Location: Central FL, USA
|
Posted: Fri Aug 15, 2008 1:25 pm Post subject: |
|
|
It may be just me or the bad weather but I'm not fully understanding what all the fuss is about!
How does this DNS thingy relate to the DNS service in Windows, which I always shut OFF?
Or are they even related?
Just curious (I'm probably not the only one....)
Doc
Baby_Tux

Joined: Mar 06, 2007 Posts: 1242
|
Posted: Fri Aug 15, 2008 1:45 pm Post subject: |
|
|
Well Doc, that is one of the things I am trying to figure out. As it seems to me that if the server is capable of giving you the right IP address for a given domain name, what is the problem? But there is supposed to be some exploitable problem in the way a client asks for such info, so not sure WHAT to think. But there again, if you set your HOSTS file to go directly to the site yourself or use the IP address in the address bar instead of the host name then you don't even NEED the DNS in the first place. AND are TRULY safe. So again, not sure what to think. (of course YOU probably already know this)
Louis - I would think that if one group has it, ALL do as I do believe everyone is using the same DNS protocol. As for hacking the open source, NOTHING is 100%, but having it OPEN, all can look at it & see if it has been compromised in the source code. That is the one advantage to open source. Privacy? Not sure, but if you are concerned, best stay away from such (IMO yahoo) as much as possible.
goretsky

Joined: Dec 07, 2002 Posts: 9662
Location: Southern California
|
Posted: Sun Aug 17, 2008 11:51 pm Post subject: Re: opinion about DNS Exploit fix |
|
|
Hello,
Baby_Tux, what you might want to do is read this article written by Paul Vixie on the vulnerability. Vixie is the primary author of BIND, which is the most widely-used DNS software in the world. Although the tone of the message is a little curt, I think it is understandable given the amount of activity going on around the issue at the time.
U.S. CERT, which is operated in part by the U.S. Department of Homeland Security, issued this advisory about the vulnerability, which should give you an idea of the seriousness with which they are treating it.
You can try using DNS-OARC's DNS Test tool to see if your ISP's DNS servers are affected, if you would like a second opinion from Dan Kaminsky's own test for the vulnerability.
If the tests report that your DNS servers are vulnerable, what you might want to do is contact your Internet service provider and ask them whether they think the vulnerability is a threat or not, whether they will be updating their DNS servers and if they think using a service like OpenDNS, at least temporarily, is a good idea.
Regards,
Aryeh Goretsky
goretsky

Joined: Dec 07, 2002 Posts: 9662
Location: Southern California
|
Posted: Mon Aug 18, 2008 12:23 am Post subject: Re: opinion about DNS Exploit fix |
|
|
Hello,
DrWho07, what happened, in a nutshell, is that computer security researcher Dan Kaminsky found a way to change the results given by domain name system (DNS) servers.
DNS servers provide the service that allows computers to look up the IP addresses of hostnames so those computers can then establish a connection to them. One thing that DNS servers do is maintain a cache (history) of these lookups in order to more speedily respond to requests. It is similar in concept to the URL history in your web browser, although it is done for different reasons, such as to speed access to sites and conserve bandwidth used by DNS servers to look up the results for sites they do not know.
What Kaminsky found was that it was possible to "poison" the cache of DNS servers, so that they send out the wrong IP addresses. As a result, someone going to any web site, such as a search engine, web-based email service, bank, et cetera would instead go to the site the attacker chose, all with the "correct" address being displayed in the URL field of the web browser. Bear in mind, though, it does not have to be just a web site that is "hijacked" in this fashion. It could also be done for mail servers, time servers, software update servers, instant messaging servers or any other kind of service which is accessed via a host name.
Microsoft released security bulletin MS08-037 on the issue with an accompanying knowledgebase article here. While computers running Microsoft Windows are vulnerable, it is more likely--at least in a SOHO environment--that their ISP's DNS servers are going to be targeted and not end-users' computers, since it makes more sense for an attacker to go after a DNS server used by thousands or tens of thousands of computers, instead of the individual computers themselves.
Regards,
Aryeh Goretsky
louis-the-cat

Joined: May 13, 2006 Posts: 307
|
Posted: Mon Aug 18, 2008 7:23 am Post subject: |
|
|
I don't know the difference between a DNS Cache and a can of baked beans, so, here's one of the best explanations I've found about what all this is about. It's got pictures and examples and EVERYTHING
http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
eric_s

Joined: Jul 16, 2003 Posts: 43
Location: Western Canada
|
Posted: Mon Aug 18, 2008 10:32 am Post subject: Thank you for the link |
|
|
I thought I understood the Internet and could find my way around, but now I know that I'll need more time studying the basics. The link provided was instructional and has encouraged me to dig deeper into the underpinning of the Internet.
Baby_Tux

Joined: Mar 06, 2007 Posts: 1242
|
Posted: Mon Aug 18, 2008 11:27 am Post subject: |
|
|
The more I delve into this the more I'm understanding, and what is posted here pretty much sums it up if anyone else is inclined to want to know. But I am also finding two camps, those that think this is a very serious problem & needs immediate attention & those that think that it really isn't as big a deal as it is made out to be. Me, I'm still sitting on the fence as I can see points from both camps & even though I am better informed & (I think) totally understand DNS now, as for what should be done about it is no further in my mind than it was to begin with.
I ran the checks on my ISP - & it appears to be OK - My Fedora (client) is patched but the XP boxes are not due to the crapola M$ makes you go through to do it. I do believe if it weren't for that, I'd have them all patched & wouldn't be having this discussion. So maybe it is more an issue with the way M$ does their patch distributing than anything else. At least for me anyway... If only I could just get the patch.
BTW: does anyone know FOR SURE if the patch is in SP3?
Last edited by Baby_Tux on Mon Aug 18, 2008 4:53 pm; edited 1 time in total
zlim

Joined: Mar 11, 2005 Posts: 2747
|
Posted: Mon Aug 18, 2008 3:49 pm Post subject: |
|
|
Baby_Tux, this problem is with the internet so patching your computer is not the entire solution. The hosting servers need patching. My understanding is that Comcast (my ISP is okay) but some other ISPs either don't understand the need to patch or are oblivious that there is a problem.
If you aren't sure about your ISP, then change the DNS servers to Open DNS, which is patched.
The IPs are:
208.67.222.222
208.67.220.220
Info: http://www.opendns.com/features/overview/
Baby_Tux

Joined: Mar 06, 2007 Posts: 1242
|
Posted: Mon Aug 18, 2008 5:01 pm Post subject: |
|
|
Thanks, ZLIM, but I already have that info. My ISP is patched (at least that is what the tests say) - & so is my linux box - so the ONLY thing left is to decide if I really need to patch the XP boxes and / or if it is worth the M$ hassle to do it. If SP3 has it in it, I'll go that route.
louis-the-cat

Joined: May 13, 2006 Posts: 307
|
Posted: Mon Aug 18, 2008 6:45 pm Post subject: |
|
|
Sorry tux, I don't understand. If your ISP has patched their servers (or at least put in the temporary "randomising" fix meantime) why do you (or any of us) need to patch "xp boxes"?
Am I missing something?
Baby_Tux

Joined: Mar 06, 2007 Posts: 1242
|
Posted: Mon Aug 18, 2008 8:04 pm Post subject: |
|
|
That was pretty much my thoughts too as I mentioned in the response to DOC.
But, it is because of the way that the clients communicate with the servers. The client's cache can be "poisoned" too, causing the server or the client cache to direct the browser to the wrong site. This is a great deal more difficult with the server patched, though. And the patch for the client does provide better DNS security by increasing the randomization of the communication between the client and the DNS server. - I think someone mentioned this here or in one of the links & probably did better than I can at explaining this. But I hope this at least helps.
Now the REAL question in THIS is whether any CLIENTS would ever be attacked, as it would be far more destructive to hit the servers. There too, and this is my hypothesis at the moment, is all this will be just like the Y2K thing. Only time will tell, I guess.
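The randomization mentioned in the post above is what the online resolver tests linked in this thread measure: how unpredictable the source port and transaction ID of a resolver's outgoing queries are. The following is an added example, not part of the original thread and not the code of any test site named here; the sample data is constructed, and the 16-step threshold and the bit estimate are illustrative assumptions.

```python
import math
import statistics

# Constructed samples, not real captures: (source_port, transaction_id) of
# consecutive queries one resolver sent to a test authoritative server.
UNPATCHED = [(32768, t) for t in (4711, 60233, 1920, 33456, 27001, 512, 48110, 9054)]
PATCHED = [(49211, 4711), (1834, 60233), (60977, 1920), (23310, 33456),
           (8122, 27001), (55012, 512), (37745, 48110), (14409, 9054)]
SEQUENTIAL = [(1025 + i, 100 + i) for i in range(8)]


def classify(values):
    """Label one field (ports or IDs) as 'fixed', 'sequential' or 'random'."""
    if len(set(values)) == 1:
        return "fixed"
    steps = [b - a for a, b in zip(values, values[1:])]
    # Assumed threshold: small, always-positive steps mean a counter, which
    # an off-path spoofer can predict from one observed query.
    if all(0 < s <= 16 for s in steps):
        return "sequential"
    return "random"


def assess(samples):
    """Estimate how much a spoofer must guess to forge one accepted reply."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    port_kind, txid_kind = classify(ports), classify(txids)
    # Rough estimate: 16 bits for a random transaction ID, plus log2 of the
    # observed port spread when the source port is random as well.
    bits = 16.0 if txid_kind == "random" else 0.0
    if port_kind == "random":
        bits += math.log2(max(ports) - min(ports) + 1)
    return {"port": port_kind, "txid": txid_kind,
            "port_stdev": round(statistics.pstdev(ports)),
            "bits": round(bits, 1)}


if __name__ == "__main__":
    for name, data in (("unpatched", UNPATCHED), ("patched", PATCHED),
                       ("sequential", SEQUENTIAL)):
        print(name, assess(data))
```

A resolver that reuses one source port leaves only the 16-bit transaction ID to guess, which is why the tests flag it; a patched resolver roughly doubles the number of bits.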
goretsky

Joined: Dec 07, 2002 Posts: 9662
Location: Southern California
|
Posted: Mon Aug 18, 2008 11:43 pm Post subject: |
|
|
Hello,
Microsoft Windows XP Service Pack 3 was released in May, 2008. The patch for the DNS vulnerability was released in July, 2008, and the Microsoft Security Bulletin for the issue states that computers running Service Pack 3 are vulnerable, so it would be a good idea to install the patch even if Service Pack 3 is present.
A few years ago, Microsoft (specifically Steve Ballmer, I believe) made the decision to make security-related software updates for Microsoft Windows available to people who were pirating their software, had failed to pass the WGA check or refused to use the service. It was a fairly pragmatic decision: Vulnerabilities in an operating system are going to get exploited regardless of whether or not the operating system is a legal copy, and those computers are going to host malware, send spam and attack other computers. By enabling Automatic Updates for everyone, Microsoft stands a better chance of protecting everyone who uses Windows.
So, if Automatic Updates is enabled on your computers, they will download the patch. Or, you can do it manually, if you like.
Regards,
Aryeh Goretsky
Baby_Tux

Joined: Mar 06, 2007 Posts: 1242
|
Posted: Tue Aug 19, 2008 12:02 am Post subject: |
|
|
Thanks for the info on SP3 - that is what I figured but wanted some confirmation, as the info I kept getting always ended up vague. - guess I just didn't hit the right spot. (until now) Again thanks.