Buy from the highest-rated provider   Buy SSL.com Certificate x

Don’t be a Victim of DNS Security Holes

The details of the new DNS attack discovered by Dan Kaminsky  were recently leaked. If exploited, the Kaminsky DNS vulnerability could lead to serious attacks. Gary at LinuxHarbor.net comments:

Behind all the security technobabble, what this means for you is that if your ISP hasn’t applied the appropriate fixes to the DNS servers they set for you when you go online, then should you type www.paypal.com or www.citibank.com into the address-bar of your browser, you might very well actually end up on a spoof site that looks exactly like the real thing, but which collects your username and password before forwarding your connection to the real site. That’s a serious problem in anyone’s book!

You can check whether the servers you’re calling have been fixed by clicking the Check My DNS button on Dan Kaminsky’s Site. If they come up short, you really should switch to an alternative DNS service. In many respects, using a free provider that specializes in DNS is more likely to also keep you safe from any future security problems than relying on your ISP — who has plenty of other things to maintain in addition to your DNS servers.

OpenDNS provides just such a service at no cost, and even though my ISP passes the Kaminsky test, I’ve already switched my whole network over to the OpenDNS servers by following these straight forward instructions, which boil down to changing all /etc/resolv.conf nameserver lines to:

nameserver 208.67.222.222
nameserver 208.67.220.220

And then flushing any cached addresses on all computers you use for browsing. On Ubuntu, type the following into a terminal:

sudo /etc/init.d/networking restart

And the equivalent for Mac OS X:

sudo lookupd -flushcache

And Windows Vista:

ipconfig /flushdns

Check your DNS Servers now - [DoxPara]

Originally posted on Mon Aug 4, 2008

Comments


Duane(2014-12-13)

This bug only really effected bind, and bind has a very long and very notorious history of bugs some as bad or worst then this one.

So the real message here is migrate to a bind alternative, djbdns had already anticipated this bug about 10 years ago.

Both MaraDNS and PowerDNS recursor were also not effected, also some poeple commenting about their switch from bind to PowerDNS they went from 120 servers to only needing 30.

http://ops.ietf.org/lists/n...

Avoid OpenDNS(2014-12-13)

It's a myth that OpenDNS provides a solid DNS service. In fact, they spy at you and track your Internet activity; and sell the data collected. Also, if you use remote desktop sevice to connect to a remote server, you'll get disconnected frequently because of the OpenDNS redirect/relay system. So, you better use your ISP, a real DNS service such as the one provided by Level3, or you set up your own DNS server.

Advertisement • Hide