
Full Explanation of DNS Security Hole No Other Domainer Seems Worried About But Me.

Status
Not open for further replies.

Tia Wood

Web Developer
Legacy Exclusive Member
Joined
Jan 11, 2006
Messages
3,372
Reaction score
349
I posted a thread about the DNS security hole which received no response from domainers. Perhaps I should have explained that it totally disables your ability to earn revenue from affiliates and parking programs, if affected.

Oh, and it doesn't need your consent nor trip any alarms of any kind and renders your firewalls, usernames and passwords completely useless, not to mention it doesn't need your ISP, hosting server or domain company's permission to do what it wants with your domain.

Full Article >>

Quote from Article:

This past week at Black Hat 2008, Kaminsky finally revealed the actual details of the bug he discovered. The design flaw makes it a great deal easier to poison a name server’s cache, voiding any trust in query results from that name server. In order to understand the magnitude of the bug, we need to be familiar with how a DNS query works, so let’s start there.

In my example, I’m controlling when my ISP’s name server is sending out a DNS query. If my query for 11.techrepublic.com didn’t work, all I have to do is try 12.techrepublic.com and go through the same process until I get a collision. I’ll know when that happens, as I’ll get DNS information for 11 or 12.techrepublic.com from my ISP.

There are several concepts in play here that make this cache poisoning attack vector extremely onerous, they are:

* Since the DNS query response was “in bailiwick”, my ISP’s name server thinks the IP addresses that I gave it are authoritative for the whole techrepublic.com domain.
* I can set the TTL of the FQDN/IP address information to an extremely large amount; it’s a 32-bit number. That way the false DNS information will not expire.
* I can now set up phishing web sites that will not trip any alarms or phishing filters.
* This design flaw is present in every recursive name server.

More details here:

An Illustrated Guide to the Kaminsky DNS Vulnerability (excellent read)
New exploit poisons patched DNS servers, claims researcher
ISACA Says Major DNS Flaw Affecting Email Comes as No Surprise
Apple Security Patch Flubs DNS Fix

More Reading:

Seems to be something we can do for now:

A service called "OpenDNS" seems to be what people are switching to for now. I'm not sure how it works, but it's worth looking into. However, there is one downside:

Note that OpenDNS is able to provide its services for free because it changes how your browser behaves when you enter a non-existent URL, say for asdfjklasjxznn.com. If you enter that URL using your normal DNS servers, you'll get a standard "page not found" error message. If you load that URL using OpenDNS, however, you'll see the image at right (click the image for a larger version). The ads you see there are what help OpenDNS pay for its services. If the prospect of seeing such ads when you enter a bad URL concerns you, then you'll want to pass on this solution. For me, though, it's a small price to pay for an excellent free service.

More Ways to Protect Yourself From Phishing
OpenDNS Offers DNS Vulnerability Protection
OpenDNS Wildly Popular After Kaminsky Flaw Disclosure

Smaller ISPs at risk to DNS flaw

Telstra, Optus, Internode and iiNet have confirmed to Computerworld their DNSs are patched, however, sources reveal many DNS admins have yet to fix the flaw, despite being notified by security researchers, and nagged by concerned ISPs and Web masters.

Patch domain name servers now, says DNS inventor

Paul Mockapetris, inventor of the Internet's Domain Name System architecture, has some advice for those in any doubt about the seriousness of a weakness in the DNS protocol that was disclosed yesterday: Patch your DNS servers right now.

The vulnerability and the attack it enables are among the most dangerous to have been discovered in the DNS protocol so far, Mockapetris said in an interview with Computerworld Wednesday morning.

"It's absolutely critical for IT managers to upgrade their software. They want to make very sure that the caching servers on their perimeters are up to snuff," Mockapetris said. In addition, they need to also ensure that client devices such as DSL modems that might have DNS software embedded in them are properly patched. "The time to fix is now. The clock is ticking," before exploits against the flaw become widely available, he said.

Is Your Domain Parking Service Vulnerable to DNS Cache Poisoning?
Many domainers don’t own web sites, but they certainly have their domains parked on other people’s name servers. Are you vulnerable? Internet Assigned Numbers Authority (IANA) has a new tool available to find out.

I tested the nameservers for many of the parking companies and found they are safe: Parked.com, Sedo, and Dotzup.

Microsoft warns: get your DNS flaw fix now

Microsoft is not currently aware of active attacks utilizing this exploit code or of customer impact at this time. However, attacks are likely imminent due to the publicly posted proof of concept and Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary. Microsoft’s investigation of this exploit code has verified that it does not affect Microsoft customers who have installed the updates detailed in Microsoft Security Bulletin MS08-037.

A cheatsheet for defending against the DNS flaw

The only omission in their instructions is the need to make this change for every type of network connection. On a laptop computer, for example, you would need to modify both the network connection for wired Ethernet and also the Wi-Fi network connection. If you use dial-up, that too, needs to be modified.
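
Added example, not part of the original post or the quoted article: the attack quoted above sends forged replies for a run of sibling names (11, 12, ...) until one matches the outstanding query ID, so a resolver operator can watch for bursts of wrong-ID replies under one zone and for answers accepted while such a burst is in progress. The log format, the thresholds and the example.com / example.org names are assumptions constructed for this example.

```python
from collections import defaultdict

WINDOW_S = 10        # seconds of history considered per zone (assumed tuning)
MAX_MISMATCH = 20    # wrong-ID replies per zone per window before alerting
MIN_SIBLINGS = 3     # distinct names under one zone that suggest a sweep
MAX_TTL = 7 * 86400  # cache TTL ceiling in seconds; larger values are reported

def sample_log():
    """Constructed data, not real traffic: 'ts qname id_sent id_received ttl'."""
    lines = ["0.00 www.example.org 100 100 300"]
    t = 1.0
    for label in (11, 12, 13):
        for guess in range(8):  # forged replies carrying wrong query IDs
            lines.append(f"{t:.2f} {label}.example.com {5000 + label} {guess} 3600")
            t += 0.05
    # One reply finally matches the outstanding ID and carries a maximal TTL.
    lines.append(f"{t:.2f} 13.example.com 5013 5013 4294967295")
    return lines

def zone_of(qname):
    # Simplification: the last two labels stand in for the zone cut.
    return ".".join(qname.split(".")[-2:])

def analyse(lines):
    events = []
    for line in lines:
        ts, qname, sent, got, ttl = line.split()
        events.append((float(ts), qname.lower().rstrip("."), int(sent), int(got), int(ttl)))
    bad = defaultdict(list)  # zone -> [(ts, qname)] of recent wrong-ID replies
    flagged, alerts = set(), []
    for ts, qname, sent, got, ttl in sorted(events):
        zone = zone_of(qname)
        if sent != got:
            bad[zone] = [(t, q) for t, q in bad[zone] if ts - t <= WINDOW_S]
            bad[zone].append((ts, qname))
            siblings = {q for _, q in bad[zone]}
            if (zone not in flagged and len(bad[zone]) >= MAX_MISMATCH
                    and len(siblings) >= MIN_SIBLINGS):
                flagged.add(zone)
                alerts.append(("spoof-sweep", zone, len(bad[zone])))
            continue
        if zone in flagged:  # an answer was cached while the zone was under a sweep
            alerts.append(("accepted-during-sweep", qname, ttl))
        if ttl > MAX_TTL:
            alerts.append(("ttl-over-cap", qname, ttl))
    return alerts

if __name__ == "__main__":
    for alert in analyse(sample_log()):
        print(alert)
```

An "accepted-during-sweep" alert names the cache entry to flush and re-resolve first; the TTL ceiling limits how long a bad entry can persist if one is missed.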
 

fab

Level 9
Legacy Exclusive Member
Joined
Dec 11, 2004
Messages
3,554
Reaction score
2
You seem to be a real Techy Mega!
 

Tia Wood

Web Developer
Legacy Exclusive Member
Joined
Jan 11, 2006
Messages
3,372
Reaction score
349
What can do about the threat? (as individual or small domain owner)

Unfortunately there's nothing you or we can do. It's something on the hardware, ISP, software end that each provider needs to patch. They seem to be moving quick about it (but not fast enough imo). I'm not a computer tech by any means but one doesn't need to be to understand how serious this can get.

For those that still don't understand: DNS is the core of how domain names resolve to IPs on the internet. For instance, every time you point a domain using nameservers, that is dependent on DNS technology. What this vulnerability does is allow a malicious user to resolve your domain name to any webserver, parking page, etc that he/she wants.

It doesn't seem to be anything that should cause a widespread panic right now unless a bunch of websites start doing weird things. However, I'm just completely amazed at this vulnerability as we all had complete trust in the way DNS works.

Anyone else as scared as I am, lol?

More details here:

An Illustrated Guide to the Kaminsky DNS Vulnerability (excellent read)
New exploit poisons patched DNS servers, claims researcher
ISACA Says Major DNS Flaw Affecting Email Comes as No Surprise
Apple Security Patch Flubs DNS Fix
 

HarveyJ

Level 5
Legacy Platinum Member
Joined
Feb 25, 2008
Messages
451
Reaction score
0
Tia, the problem isn't that people don't care, it's just that most people here can't do a thing about it.
I've noticed that both on the domaining and affiliate marketing forums, most people have very little concept of how networked systems, or even computers, actually operate. There's a real irony in that nerds aren't the ones monetizing the internet. They're usually too busy plugging away in (relatively) low paying coding jobs to make the infrastructure that makes other people really rich.
I'd say this is the reason why there are even people on this forum that think that Y2K was a hype issue (and one person that even seems to think there wasn't even a problem because nothing bad actually seemed to happen)

Also, I cast doubt on your nerdiness...
Everyone knows women can't be nerds unless grotesque in appearance :p
 

hyped

Level 3
Legacy Platinum Member
Joined
Jul 2, 2007
Messages
94
Reaction score
0
another reason to have a quality host & registrar.

It doesn't matter who your registrar is. What matters are ISPs that are unpatched.

Say you own exampledomain.com, and my ISP is unpatched. Someone could execute this attack, create a dns entry for exampledomain.com that your ISP would cache, and then anyone connected to the internet through my unpatched ISP who queries that domain will be brought to the IP address that the attacker specified.
 

Stian

www.bitweb.no
Legacy Exclusive Member
Joined
Jan 19, 2007
Messages
7,608
Reaction score
292
Great article Tia! I have read a little about the DNS exploit earlier, but you've really put together an excellent post which explains it all. Thanks!
 

simon johnson

Level 5
Legacy Exclusive Member
Joined
Dec 29, 2005
Messages
250
Reaction score
23
Great post Tia.

As a domainer, entrepreneur and closet techo I'm not overly concerned. The majority of hard core unix geeks that need to patch their DNS servers have already done so.

The only thing out of left field which could come and bite you is if you have your own DNS server running on a dedicated server somewhere. If you have some sort of CPanel installed that's not set to automatically update patches etc., then you'll probably be in a bit of trouble.

For me it's the old 80/20 rule. Most people will patch, but there will be a few big corporates that will get caught out and hit.

Personally I wouldn't use OpenDNS as I don't know enough about them to trust the service. They are also ad supported (that's how they offer it for free) and I really don't want more ads in my life. Aside from that they have typo filters and things that probably don't gel with the average domainer. ;-)
 

VirtualT

Level 8
Legacy Exclusive Member
Joined
Aug 11, 2006
Messages
2,228
Reaction score
19
I suppose it depends how many domainers have sites that earn revenues large enough to make it a target for someone to explicitly create a poisoned record for
 