Slashdot Mirror


Patch DNS Servers Faster

51mon writes "Austrian CERT used data from one of their authoritative DNS servers to measure the rate at which the latest DNS patch (source port randomization) is being rolled out to larger recursive name servers. While about half the traffic (PDF) they receive is now using source port randomization, their data suggest that this is due to ISPs who roll out such fixes immediately. The rate of patching has fallen to disappointingly low levels since. If your ISP isn't patched, perhaps it is time to switch." After details of the DNS vulnerability leaked, researchers |)ruid and HD Moore released attack code; ZDNet's security blog has an analysis.
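The measurement the summary describes, as an added example that is not part of the story or of CERT.at's own tooling: classifying each resolver by the UDP source ports it used on successive queries to an authoritative server, run over a constructed query log with hypothetical resolver addresses. It also separates a resolver that merely increments its port (still predictable) from one that truly randomizes.

```python
import random
from collections import defaultdict

# Constructed query log as an authoritative server would see it, one line per
# query: "<resolver_ip> <udp_source_port> <qname>".  Three hypothetical
# resolvers: patched (random port), unpatched (fixed port 53) and one that
# only increments its port, which is no better than a fixed port.
def make_sample_log(queries_per_resolver=50, seed=1):
    rng = random.Random(seed)
    lines = []
    for i in range(queries_per_resolver):
        lines.append(f"192.0.2.10 {rng.randint(1024, 65535)} www.example.at")
        lines.append("192.0.2.20 53 mail.example.at")
        lines.append(f"192.0.2.30 {2000 + i} ns.example.at")
    return lines

def classify_ports(ports, min_queries=20):
    """Label a resolver from the source ports of its successive queries."""
    if len(ports) < min_queries:
        return "insufficient"          # too few samples to judge
    distinct = len(set(ports))
    if distinct == 1:
        return "fixed"                 # classic unpatched behaviour
    steps = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    if sum(1 for s in steps if s == 1) >= 0.8 * len(steps):
        return "sequential"            # every port differs, yet predictable
    if distinct >= 0.8 * len(ports):
        return "randomized"            # what the source-port patch produces
    return "weak"                      # small port pool, partial randomness

def classify_resolvers(lines, min_queries=20):
    """Map resolver IP -> label over a whole log."""
    ports_by_ip = defaultdict(list)
    for line in lines:
        ip, port, _qname = line.split(maxsplit=2)
        ports_by_ip[ip].append(int(port))
    return {ip: classify_ports(p, min_queries) for ip, p in ports_by_ip.items()}

def randomized_traffic_share(lines, min_queries=20):
    """Fraction of all queries sent by resolvers labelled 'randomized'."""
    labels = classify_resolvers(lines, min_queries)
    good = sum(1 for line in lines if labels[line.split()[0]] == "randomized")
    return good / len(lines) if lines else 0.0

if __name__ == "__main__":
    log = make_sample_log()
    print(classify_resolvers(log))
    print(f"randomized share: {randomized_traffic_share(log):.2f}")
```

Sorting the labelled resolvers by query volume is what turns this into the rollout picture in the story: a few high-volume, quickly patched ISPs dominate the "randomized" share while the long tail stays fixed.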

9 of 145 comments

  1. Switch DNS Servers, NOT ISPs by masdog · Score: 5, Insightful

    You don't need to switch to a new ISP if they haven't patched yet - just switch to a new DNS server such as OpenDNS.

    1. Re:Switch DNS Servers, NOT ISPs by Ciarang · Score: 2, Insightful

      It's completely different, otherwise they wouldn't be my ISP.

  2. Am I safe? by Anonymous Coward · Score: 1, Insightful

    How can I know if my ISP has patched its DNS servers?

    1. Re:Am I safe? by Anonymous Coward · Score: 1, Insightful

      Thanks!!!! My DNS is safe. I know this to be true because I used your DNS checker....

  3. Monopoly by Anonymous Coward · Score: 5, Insightful

    If your ISP isn't patched, perhaps it is time to switch.

    My ISP has a monopoly over internet services in my area you insensitive clod.

  4. time to switch? by Dunbal · Score: 3, Insightful

    If your ISP isn't patched, perhaps it is time to switch.

    Thanks to the "free market economy" in my capitalist country I can't switch, you insensitive clod!

    --
    Seven puppies were harmed during the making of this post.

  5. ISP DNS by spottedkangaroo · Score: 1, Insightful

    Who uses their ISP's DNS servers? Most people probably. Well, I don't trust them. My friends and I run a recursing nameserver that we access over a VPN link.

    ISPs just aren't trustworthy.

    --
    Imagine if you weren't allowed to use roads because a bus company complained about your driving 3 times. --skunkpussy

  6. Ridiculous requirements by Coolhand2120 · Score: 4, Insightful

    Maybe if the patch didn't require opening up all incoming and outgoing UDP ports on the DNS interface I could implement it faster. Seeing how most people use firewalls, it makes it really quite a bit more difficult than just "apply the patch".

    NOTE WELL: This update causes BIND to choose a new, random UDP port for each new query; this may cause problems for some network configurations, particularly if firewall(s) block incoming UDP packets on particular ports.

    I'll get this patch applied as soon as I reconfigure my entire network topology.

  7. OpenDNS is not the best answer by rfunk · Score: 2, Insightful

    OpenDNS returns their own search page for bad lookups, rather than NXDOMAIN, breaking various things. They also send queries for www.google.com to their own server. (I wrote about this recently.)