Slashdot Mirror

← Back to Stories (view on slashdot.org)

Patch DNS Servers Faster

Posted by kdawson on from the hard-times-coming dept.

51mon writes "Austrian CERT used data from one of their authoritative DNS server to measure the rate at which the latest DNS patch (source port randomization) is being rolled out to larger recursive name servers. While about half the traffic (PDF) they receive is now using source port randomization, their data suggest that this is due to ISPs who roll out such fixes immediately. The rate of patching has fallen to disappointingly low levels since. If your ISP isn't patched, perhaps it is time to switch." After details of the DNS vulnerability leaked, researchers |)ruid and HD Moore released attack code; ZDNet's security blog has an analysis.

3 of 145 comments (clear)

  1. Switch DNS Servers, NOT ISPs by masdog · · Score: 5, Insightful

    You don't need to switch to a new ISP if they haven't patched yet - just switch to a new DNS server such as OpenDNS.

    --
    My Sysadmin Blog
  2. Monopoly by Anonymous Coward · · Score: 5, Insightful

    If your ISP isn't patched, perhaps it is time to switch.

    My ISP has a monopoly over internet services in my area you insensitive clod.

  3. Rediculious requirements by Coolhand2120 · · Score: 4, Insightful
    Maybe if the patch didn't require that open up all incoming and outgoing UDP ports on the DNS interface I could implement it faster. Seeing how most people use firewalls it makes it really quite a bit more difficult than just "apply the patch".

    NOTE WELL: This update causes BIND to choose a new, random UDP port for each new query; this may cause problems for some network configurations, particularly if firewall(s) block incoming UDP packets on particular ports.

    I'll get this patch applied as soon as I reconfigure my entire network topology.