DNS Dot Bomb: Update Your Nameservers
Do you run domain name service (DNS) nameservers in your company? Not sure? Go check. Now. Really. I mean it. DNS is the glue that binds the Internet, translating human-readable names like www.pcworld.com into the numeric Internet Protocol (IP) addresses, like 184.108.40.206, that machines actually use to reach one another.
Security researcher Dan Kaminsky discovered a long-standing flaw in how DNS works, one that could affect any recursive (caching) DNS server in operation. With help from others, notably Paul Vixie of Internet Systems Consortium (ISC), the organization that maintains the widely deployed BIND nameserver, he pulled together a secret meeting at Microsoft earlier this year with all the major operating system and DNS server developers. They coordinated their work so that patches for every system shipped on the same day, which happened just a few days ago.
Kaminsky planned to publish the details a month after the patches shipped, but Matasano Security jumped the gun: a post on its Chargen blog, published a few days ago, confirmed speculation a programmer had posted on his own blog and then explained the flaw and how it is exploited. Matasano pulled the post, saying it went live by accident, but the cat was out of the bag.
In brief, the flaw lies in how DNS queries are sent to servers and answered. When a resolver asks for the translation of a name into a number, a malicious party can try to "poison" the answer by racing a forged reply to the resolver before the real one arrives. The resolver defends itself with a random component, a 16-bit transaction ID that a forged reply must match, and it accepts a reply only for a query it actually has outstanding. Kaminsky found that a persistent attacker can get around both. By making the resolver look up a stream of throwaway names under the target domain, the attacker gets a fresh race for every name rather than one chance per cache lifetime, and by padding each forged reply with records that re-point the domain's nameserver at a machine the attacker controls, a single win hijacks every name under the domain. Because many resolvers sent every query from the same UDP source port, the transaction ID was the only thing left to guess, and the attack could succeed in minutes or less. The patches make every query go out from a randomized source port, which raises the guessing space from 16 bits to roughly 32.
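An added example, not from the article and not Kaminsky's or Matasano's code: a small Python model of the race described above. The zone, nameserver and addresses are made up, and the resolver is simplified to one outstanding query at a time, but the two properties that matter are modeled: a reply is accepted only if its transaction ID and source port match the outstanding query, and only records inside the queried zone (in "bailiwick") are cached. The unpatched resolver, which reuses one source port, is poisoned after a few hundred throwaway-name races; the patched one, which randomizes the port, is not poisoned within the same budget.

```python
"""Model of the Kaminsky DNS cache-poisoning race (added example, constructed data)."""
import random

ZONE = "example.com."          # victim zone (made up)
VICTIM_NS = "ns1.example.com."  # the zone's nameserver name
REAL_NS_IP = "192.0.2.53"       # documentation-range addresses, constructed
ATTACKER_IP = "198.51.100.66"
FIXED_PORT = 53000              # an unpatched resolver sends every query from one port


class Resolver:
    """Minimal recursive resolver: one outstanding query, a cache keyed by
    (name, type), and the bailiwick rule that only records at or below the
    queried zone are accepted from a reply."""

    def __init__(self, rng, randomize_port):
        self.rng = rng
        self.randomize_port = randomize_port
        self.cache = {(VICTIM_NS, "A"): REAL_NS_IP}
        self.outstanding = None

    def query(self, qname):
        txid = self.rng.randrange(1 << 16)                      # 16-bit transaction ID
        port = self.rng.randrange(1024, 1 << 16) if self.randomize_port else FIXED_PORT
        self.outstanding = (qname, txid, port)

    def reply(self, qname, txid, port, records):
        """Accept a reply only if it matches the outstanding query exactly,
        then cache whatever in-bailiwick records it carries."""
        if self.outstanding != (qname, txid, port):
            return False
        for name, rtype, rdata in records:
            if name == ZONE or name.endswith("." + ZONE):
                self.cache[(name, rtype)] = rdata
        self.outstanding = None
        return True

    def poisoned(self):
        return self.cache[(VICTIM_NS, "A")] == ATTACKER_IP


def forged_reply(qname):
    """The attacker's packet: an answer for the throwaway name whose Authority and
    Additional sections re-point the zone's nameserver at the attacker. The
    poisoned record is the NS glue, not the throwaway name, so one win hijacks
    every name under the zone."""
    return [
        (qname, "A", "203.0.113.1"),
        (ZONE, "NS", VICTIM_NS),
        (VICTIM_NS, "A", ATTACKER_IP),
    ]


def run_attack(randomize_port, forged_per_race, max_races, seed=1):
    """Return the race number on which the cache was poisoned, or None."""
    resolver = Resolver(random.Random(seed), randomize_port)
    attacker = random.Random(seed + 1)
    for race in range(1, max_races + 1):
        qname = f"{attacker.randrange(1 << 32):08x}.{ZONE}"  # fresh name => fresh race
        resolver.query(qname)
        records = forged_reply(qname)
        for _ in range(forged_per_race):
            txid = attacker.randrange(1 << 16)
            # With a fixed port the attacker already knows it (observed by having the
            # resolver query a server the attacker runs); otherwise it must be guessed.
            port = attacker.randrange(1024, 1 << 16) if randomize_port else FIXED_PORT
            if resolver.reply(qname, txid, port, records):
                return race
        resolver.outstanding = None  # the real NXDOMAIN arrived first: race lost
    return None


def expected_races(entropy_bits, forged_per_race):
    """Expected races when each forged packet matches with probability
    1/2**entropy_bits and the attacker sends forged_per_race packets per race."""
    return (1 << entropy_bits) / forged_per_race


def bailiwick_check():
    """A matching reply still cannot plant a record for a name outside the queried
    zone; returns (reply accepted, NS glue poisoned, foreign record cached)."""
    resolver = Resolver(random.Random(7), randomize_port=False)
    qname = "probe." + ZONE
    resolver.query(qname)
    _, txid, port = resolver.outstanding
    records = forged_reply(qname) + [("www.bank.test.", "A", ATTACKER_IP)]
    accepted = resolver.reply(qname, txid, port, records)
    return accepted, resolver.poisoned(), ("www.bank.test.", "A") in resolver.cache


if __name__ == "__main__":
    print("fixed port, 100 forged/race: poisoned on race", run_attack(False, 100, 30000))
    print("random port, 100 forged/race: poisoned on race", run_attack(True, 100, 3000))
    print("expected races, 16 bits:", expected_races(16, 100), "~32 bits:", expected_races(32, 100))
    print("bailiwick (accepted, poisoned, foreign cached):", bailiwick_check())
```

The numbers are the point: with 16 bits of entropy and 100 forged packets per race the attacker expects to win in roughly 650 races, which a resolver answers in seconds; with the source port randomized as well, the same budget needs tens of millions of races. Source port randomization only raises the cost, though; it does not make forged answers impossible, which is why the paragraph calls it a patch rather than a fix.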
With poisoned DNS, you could think you were visiting a given site that you trust, and yet be directed to a look-alike site packed with every form of malware that tries to auto-install or prompts you to accept ActiveX-based horrors that would take over your computer.
This flaw does not let an attacker change the records a domain's own authoritative nameservers hand out; rather, the risk is that the caching (recursive) DNS server your computers consult will be fed forged answers and pass them on to every client that asks. If you run a server inside your network that handles DNS queries for your computers, whether its IP address is entered by hand in each machine's network settings or handed out automatically by DHCP, you need to find out what patches are available for it.
I run my own Unix servers, and immediately on hearing of this flaw, patched my ISC BIND server to the latest release (9.5.0-P1). Visit the CERT page on the vulnerability to find what steps you need to take to ensure your users aren't vulnerable. Some companies slipstreamed the updates into releases earlier this year without any fanfare; others made software available in early July.