Don’t be a Victim of DNS Security Holes
The details of the new DNS attack discovered by Dan Kaminsky were recently leaked. If exploited, the Kaminsky DNS vulnerability could lead to serious attacks. Gary at LinuxHarbor.net comments:
Behind all the security technobabble, what this means for you is that if your ISP hasn’t applied the appropriate fixes to the DNS servers they set for you when you go online, then should you type www.paypal.com or www.citibank.com into the address-bar of your browser, you might very well actually end up on a spoof site that looks exactly like the real thing, but which collects your username and password before forwarding your connection to the real site. That’s a serious problem in anyone’s book!
You can check whether the servers you’re calling have been fixed by clicking the Check My DNS button on Dan Kaminsky’s Site. If they come up short, you really should switch to an alternative DNS service. In many respects, using a free provider that specializes in DNS is more likely to also keep you safe from any future security problems than relying on your ISP — who has plenty of other things to maintain in addition to your DNS servers.
OpenDNS provides just such a service at no cost, and even though my ISP passes the Kaminsky test, I’ve already switched my whole network over to the OpenDNS servers by following these straightforward instructions, which boil down to changing all /etc/resolv.conf nameserver lines to:
nameserver 208.67.222.222
nameserver 208.67.220.220
And then flushing any cached addresses on all computers you use for browsing. On Ubuntu, type the following into a terminal:
sudo /etc/init.d/networking restart
And the equivalent for Mac OS X:
sudo lookupd -flushcache
And Windows Vista:
ipconfig /flushdns
ipconfig /flushdns
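As an added illustration of the resolv.conf change Gary describes (this is example code written for this page, not his script or anything from OpenDNS or DoxPara), the POSIX shell functions below replace the nameserver lines of a resolv.conf-style file with the two OpenDNS addresses from the post while keeping any search, domain or options lines intact, write through a temporary file so a half-finished edit cannot leave the file empty, and map the platform name to the cache-flush command quoted above. The file path is a parameter, and the function names (switch_resolvers, list_resolvers, uses_opendns, flush_command) are my own, so it can be tried on a copy before touching the real /etc/resolv.conf. One caveat the post does not mention: on systems where resolv.conf is generated by a network manager, the edit may be overwritten on the next reconnect, so check it again with list_resolvers afterwards.

```shell
#!/bin/sh
# Added example, not code from the original post: rewrite the nameserver
# lines of a resolv.conf-style file to the OpenDNS resolvers named in the
# post, leaving every other line (search, domain, options) untouched.

OPENDNS_1=208.67.222.222
OPENDNS_2=208.67.220.220

# switch_resolvers FILE: drop all existing "nameserver" lines from FILE and
# append the two OpenDNS entries. The result is assembled in a temp file and
# moved into place so a failure part-way never leaves FILE truncated.
switch_resolvers() {
    file=$1
    tmp="$file.tmp.$$"
    # grep exits 1 when no lines survive the filter; that is not an error here.
    grep -v '^nameserver[[:space:]]' "$file" > "$tmp" || true
    printf 'nameserver %s\nnameserver %s\n' "$OPENDNS_1" "$OPENDNS_2" >> "$tmp"
    mv "$tmp" "$file"
}

# list_resolvers FILE: print the nameserver addresses configured in FILE, in order.
list_resolvers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# uses_opendns FILE: exit 0 only when both OpenDNS addresses are configured.
uses_opendns() {
    list_resolvers "$1" | grep -qxF "$OPENDNS_1" &&
        list_resolvers "$1" | grep -qxF "$OPENDNS_2"
}

# flush_command PLATFORM: print the cache-flush command the post gives for
# Ubuntu (Linux), Mac OS X (Darwin) and Windows Vista; empty when unknown.
flush_command() {
    case $1 in
        Linux)   echo 'sudo /etc/init.d/networking restart' ;;
        Darwin)  echo 'sudo lookupd -flushcache' ;;
        Windows) echo 'ipconfig /flushdns' ;;
        *)       echo '' ;;
    esac
}

# Demonstration on a constructed copy (sample addresses from the documentation
# range 192.0.2.0/24), never on the live /etc/resolv.conf.
demo() {
    sample=$(mktemp)
    printf 'search example.test\nnameserver 192.0.2.1\nnameserver 192.0.2.2\noptions timeout:2\n' > "$sample"
    switch_resolvers "$sample"
    cat "$sample"
    echo "flush with: $(flush_command "$(uname -s)")"
    rm -f "$sample"
}
```

Run demo to see the rewritten sample, then call switch_resolvers /etc/resolv.conf as root once you are happy with the result; uses_opendns gives a quick yes/no you can put in a login script to notice when something has reset the file.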
Check your DNS Servers now - [DoxPara]
Originally posted on Mon Aug 4, 2008