Slashdot Mirror

← Back to Stories (view on slashdot.org)

Patch DNS Servers Faster

Posted by kdawson on from the hard-times-coming dept.

51mon writes "Austrian CERT used data from one of their authoritative DNS server to measure the rate at which the latest DNS patch (source port randomization) is being rolled out to larger recursive name servers. While about half the traffic (PDF) they receive is now using source port randomization, their data suggest that this is due to ISPs who roll out such fixes immediately. The rate of patching has fallen to disappointingly low levels since. If your ISP isn't patched, perhaps it is time to switch." After details of the DNS vulnerability leaked, researchers |)ruid and HD Moore released attack code; ZDNet's security blog has an analysis.

7 of 145 comments (clear)

  1. Re:Switch DNS Servers, NOT ISPs by masdog · · Score: 5, Informative

    You can change this in your DHCP or IP configuration settings on your home router or PC. On my home network, for instance, my DD-WRT router isn't running a DNS server on it, and the DHCP static DNS settings are set for my Server 2008 box and the two OpenDNS resolvers. My Server 2008 box also has its forwarders set to OpenDNS.

    That's probably more complicated than it needs to be, but better safe than sorry.

    On Windows XP, 2000, and I think Vista, you can tell Windows to ignore the DNS server settings provided by DHCP by going into the IP properties for the connection and hard coding in the IP addresses under Local Area Connection Properties > Internet Protocol Properties > Use the Following DNS Server Addresses.

    This can also be done under linux, but I don't know the particular commands for it.

    --
    My Sysadmin Blog
  2. Re:Am I safe? by masdog · · Score: 5, Informative

    Dan Kaminski's website has a DNS checker on it.

    --
    My Sysadmin Blog
  3. Re:Am I safe? by Nos. · · Score: 3, Informative

    There's a couple issues with the one Dan created. First, its slashdotted. Secondly, some ISPs don't allow querying from just anywhere, only from its own customers (IPs). Here's a test you can run from any machine with dig on it:
    https://www.dns-oarc.net/oarc/services/porttest

  4. Re:Am I safe? by Lennie · · Score: 4, Informative

    dig +short porttest.dns-oarc.net TXT

    --
    New things are always on the horizon
  5. Re:Switch DNS Servers, NOT ISPs by Ciarang · · Score: 5, Informative

    It always surprises me how much love there seems to be for OpenDNS on /.

    A DNS server returns you a result, or tells you that it can't resolve the domain. Instead of doing the latter, OpenDNS redirects you somewhere you didn't intend to go and attempts to hit you with some advertising. That seems more like typosquatting to me, although admittedly it's with your permission.

  6. Re:Rediculious requirements by billcopc · · Score: 4, Informative

    You can restrict it to a port range... even giving it access to 2048 ports gives you 2^11 randomness, which is still better than 2^0.

    The issue I'm facing, which I find terribly frustrating, is in upgrading older distros. I'm now looking at completely reinstalling a bunch of older BSD servers just to get this idiotic vulnerability resolved, because the maintainers aren't backporting the patch and upgrading BIND itself would be a royal pain. Given how DNS servers tend to run unattended for eons, I suspect this near-sightedness is respnosible to a large degree for the slow patching. It's not that I don't want to patch my servers, it's that I now have to waste a day at the colo doing physical reinstalls. If it weren't for that hitch, I'd be done already!

    --
    -Billco, Fnarg.com
  7. Re:Switch DNS Servers, NOT ISPs by eln · · Score: 4, Informative

    resolv.conf will be written over by DHCP unless you set PEERDNS=no in the /etc/sysconfig/network-scripts/ifcfg-ethX file.