Patch DNS Servers Faster

51mon writes "Austrian CERT used data from one of their authoritative DNS server to measure the rate at which the latest DNS patch (source port randomization) is being rolled out to larger recursive name servers. While about half the traffic (PDF) they receive is now using source port randomization, their data suggest that this is due to ISPs who roll out such fixes immediately. The rate of patching has fallen to disappointingly low levels since. If your ISP isn't patched, perhaps it is time to switch." After details of the DNS vulnerability leaked, researchers |)ruid and HD Moore released attack code; ZDNet's security blog has an analysis.

Switch DNS Servers, NOT ISPs

[masdog]

You don't need to switch to a new ISP if they haven't patched yet - just switch to a new DNS server such as OpenDNS.

Re:Switch DNS Servers, NOT ISPs

[masdog]

You can change this in your DHCP or IP configuration settings on your home router or PC. On my home network, for instance, my DD-WRT router isn't running a DNS server on it, and the DHCP static DNS settings are set for my Server 2008 box and the two OpenDNS resolvers. My Server 2008 box also has its forwarders set to OpenDNS.

That's probably more complicated than it needs to be, but better safe than sorry.

On Windows XP, 2000, and I think Vista, you can tell Windows to ignore the DNS server settings provided by DHCP by going into the IP properties for the connection and hard coding in the IP addresses under Local Area Connection Properties > Internet Protocol Properties > Use the Following DNS Server Addresses.

This can also be done under linux, but I don't know the particular commands for it.

Re:Switch DNS Servers, NOT ISPs

I had been using OpenDNS. I stopped when I realized they were monitoring my traffic. When I go to Google, they were returning their own Google-like page, to which my browser would submit the query, and then redirect me to Google.

I stopped using them after that discovery.

Re:Switch DNS Servers, NOT ISPs

[Woy]

I used OpenDNS and gave it up because it replaced firefox's feature to search google with what you type on the address bar with its own crappy search.

Re:Switch DNS Servers, NOT ISPs

[Ciarang]

It always surprises me how much love there seems to be for OpenDNS on /.

A DNS server returns you a result, or tells you that it can't resolve the domain. Instead of doing the latter, OpenDNS redirects you somewhere you didn't intend to go and attempts to hit you with some advertising. That seems more like typosquatting to me, although admittedly it's with your permission.

Monopoly

If your ISP isn't patched, perhaps it is time to switch.

My ISP has a monopoly over internet services in my area you insensitive clod.

Re:Am I safe?

[masdog]

Dan Kaminski's website has a DNS checker on it.

Oops.

[Chameleon+Man]

I tried to RTFA, but upon clicking the link I was directed to a porn site.

Easier Said Than Done

[foo+fighter]

These kind of systems are really hard for security guys to get changed.

It's like updating switch and routing firmware. Most network engineers who know what they're doing and that have been around for awhile have been burned by "simple" or "easy" patches and config changes going tits up.

When your core network infrastructure goes tits up your phone tends to light up like a christmas tree. (Granted, when your web presence is redirected to porn or a copy that hides an iframe exploiting customers with unpatched browsers, well, you'll maybe get some phone calls.)

This DNS patch is a case-in-point: Microsoft's fix is rather ham-fisted and broke stuff; the BIND-Users list is full of people troubleshooting ISC's patch.

Also, many organizations (like mine) are taking this as an opportunity to reengineer their DNS architecture. This is the perfect time to reevaluate using TSIG and DNSSEC if you don't already.

It has only been just over two weeks since the initial "announcement". The progress so far is really amazing when you consider how big a ship the Internet is.