Has your DNS been patched?

[Thrillhouse]

So, if you've been perusing the tech sites lately (and more specifically, security sites) like I do, you've probably seen articles about the recent flaw that has been discovered in DNS. If not, you can read up on it here or here. The details of the vulnerability are actually quite interesting but I really didn't think anything of it until I went home the other night and tried to access this very site from my Verizon FIOS Internet connection. I have http://www.linuxforums.org/forum/ bookmarked in my browser and when I tried to connect to it the other night, I was redirected to my ISP's search page where it told me that the name could not be found. I thought that was odd so I googled "LinuxForums" found this site as the first hit and tried to follow the link to the forums where I found the same page I saw originally. At that point, being the genius that I am, I put two and two together and realized it's possible my ISP's DNS servers may be poisoned. I was actually quite surprised seeing as how in one of the articles I read, the author claimed that most of the big DNS providers have already implemented the patch and that everything is hunky dory. I would have thought Verizon would fall into that group but apparently not.

After a lot more reading, I eventually stumbled upon Dan Kaminksy's blog. He's the original researcher who found the flaw. And right there on the side of a page is a nice little utility which tells you (in a general sense) how vulnerable your DNS server may be. So, from my computer at home, I clicked on it and it said:

Your name server, at xx.xx.xx.xx, may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 37.

On a whim, I changed my DNS settings to point to OpenDNS servers and found that the message no longer appeared and now I was getting this:

Your name server, at 208.67.217.6, appears to be safe.Requests seen for 7dfe01ffe61e.toorrr.com:
208.67.217.6:37859 TXID=19077
208.67.217.6:35829 TXID=30222
208.67.217.6:20173 TXID=11724
208.67.217.6:59600 TXID=58662
208.67.217.6:20734 TXID=47171

And sure enough, connecting to LinuxForums worked like a charm after that. Slashdot verifies the patch has been made to OpenDNS.

So, I would suggest checking your DNS server(s) against Kaminsky's blog and taking the appropriate measures to make sure you're not at risk. What's even more interesting is I tried the check from work this morning and got this:

Your name server, at xx.xx.xx.xx, appears vulnerable to DNS Cache Poisoning.
All requests came from the following source port: xx

Due to events outside our control, details of the vulnerability have been leaked. Please consider using a safe DNS server, such as OpenDNS. Note: Comcast users should not worry.

[Lazydog]

No need for all of this. ISC already has a patch out for this.

[Thrillhouse]

Well, yes, but everybody has the patch by this point. The rub is in applying the patch without disrupting service and there aren't too many people who have been able to do that. This is what happens when an important vulnerability is discovered; the fix is made in haste giving administrators little time to work out the kinks.

I'll probably be staying with OpenDNS for at least another few days. They seem to be having the least amount of trouble adjusting.