Slashdot Mirror


Massive, Coordinated Patch To the DNS Released

tkrabec alerts us to a CERT advisory announcing a massive, multi-vendor DNS patch released today. Early this year, researcher Dan Kaminsky discovered a basic flaw in the DNS that could allow attackers easily to compromise any name server; it also affects clients. Kaminsky has been working in secret with a large group of vendors on a coordinated patch. Eighty-one vendors are listed in the CERT advisory (DOC). Here is the executive overview (PDF) to the CERT advisory — text reproduced at the link above. There's a podcast interview with Dan Kaminsky too. His site has a DNS checker tool on the top page. "The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not [immediately] reveal the vulnerability and reverse engineering isn't directly possible."

6 of 315 comments

  1. Re:Hmmm by outZider · Score: 4, Insightful

    Because it isn't 1912, and we aren't on the Titanic. They can say with reasonable confidence that it's difficult to find the underlying issue, but nothing is hackproof, or sinkproof, or lameproof.

    --
    - oZ
    // i am here.
  2. Re:More independent verification needed by Penguin+Follower · Score: 4, Insightful

    So you are insinuating that all system admins also have to be programmers? There are plenty of people with the skills to set up, maintain, and secure (properly) systems of all kinds (*nix, Windows, Macs, Cisco equip) who are NOT programmers. Some people are not cut out to be programmers, but are quite capable outside of that realm...

  3. Re:More independent verification needed by Schraegstrichpunkt · Score: 4, Insightful

    Right... How many otherwise competent sysadmins do you know who can't code in C? I've known plenty. Usually the good coders get jobs as coders, rather than as sysadmins.

  4. Re:More independent verification needed by lukas84 · Score: 5, Insightful

    Why the sarcasm? If you're hiring sysadmins who aren't also system-level developers, you're not hiring people who can Do The Job Right.

    People with that amount of expertise will hardly be challenged by a sysadmin position. And without a challenge you'll get bored. As such, you'll never find people with such high qualifications in a sysadmin position.

    A sysadmin of course needs to know his stuff, and especially a Unix sysadmin should be able to read C code and get the basics (and have extensive knowledge of scripting languages).

    But I doubt that understanding the gritty details of how BIND works (or reading a DNS packet with just a hex editor) is something that can be expected from a sysadmin.

    But I also might just be defending my lack of knowledge, so beware :)

  5. Re:Oh cool! by GeffDE · Score: 5, Insightful

    Seriously, is an IP address too much to ask?

    Article should be modded +1 Ironic because the links necessitate the use of DNS...at the very least, the DNS checker should have been a straight IP.

    WTF?

    --
    It has been a nervous year, with people beginning to feel like Christian Scientists with appendicitis.
  6. Re:So give a layman explanation by deathsyn · Score: 5, Insightful

    Dan Kaminsky discovered a basic flaw in the DNS that could allow attackers easily to compromise any name server; it also affects clients.

    If you don't understand that, you don't need to care.

    What's funny is that the CERT advisory gives Dan Bernstein credit for the workaround, which he came up with over 7 years ago.