What you need to know about the latest DNS flaw

Michael Horowitz

Michael Horowitz wrote his first computer program in 1973 and has been a computer nerd ever since. He spent more than 20 years working in an IBM mainframe (MVS) environment. He has worked in the research and development group of a large Wall Street financial company, and has been a technical writer for a mainframe software company.

He teaches a large range of self-developed classes, the underlying theme being Defensive Computing. Michael is an independent computer consultant, working with small businesses and the self-employed. He can be heard weekly on The Personal Computer Show on WBAI.

Disclosure.

See full bio

Michael Horowitz

July 30, 2008 1:18 p.m. PT

3 min read

If you've been hearing or reading about the latest DNS (Domain Name System) flaw, you may be confused about how to defend yourself. Think of this as a cheatsheet, it's what you need to know in the fewest words possible.

The flaw is mostly with software on a server computer run by your Internet Service Provider (ISP).* Some ISPs have patched the vulnerable DNS software on their computers, some have not. A recent list is available here. That said, Windows users also need to be sure they are up to date on patches as Microsoft released a recent DNS patch for Windows XP, 2000 and Server 2003. Windows Vista does not need to be patched.

DNS server computers translate the name of Internet-resident computers into numbers. Every computer that is reachable over the Internet is assigned a unique number (it's a bit more complicated, but this is essentially true). What is, to you, www.cnet.com, is to the computers on the Internet 216.239.113.101.

This number is called an IP address and yes, those are periods rather than commas. You can see this for yourself, by entering an IP address directly into the address bar of your web browser. For example, CBS owns CNET. You can see what's on CBS tonight at both

www.cbs.com/info/schedule/index.php
and
198.99.118.37/info/schedule/index.php

The danger with the current DNS flaw is similar to someone modifying a phone book. Suppose you wanted call the Post Office to tell them to stop your mail for a few weeks while you won't be home. You look up the Post Office phone number in a hacked phone book and instead of calling the actual Post Office you end up calling bad guys and telling them when they can safely come and rob you.

Everything you do online depends on translating the name of a website (or email server or any other computer) into an IP address. The recently discovered DNS flaw, lets the bad guys control this translation. Thus, they can steer people to fake websites. Input sensitive information or passwords at a fake website and you can kiss your identity goodbye.

What to do?

My preferred defense is to use OpenDNS. I wrote about this back in December:

Basically, it means re-configuring your computer to use DNS translation services from OpenDNS rather than from your ISP. Think core competence. And, it's free.

There is also a very simple online test of whether the DNS servers you are currently using are vulnerable to this bug at www.doxpara.com. Click on the "Check My DNS" button.

Another test is available at www.dns-oarc.net/oarc/services/dnsentropy, click on "Test My DNS". If all is well, it will report "GREAT" for both the source port randomness and the transaction ID randomness.

Update July 26, 2008: See A cheatsheet for defending against the DNS flaw

Update July 29, 2008: See The best test for vulnerability to the DNS flaw

Update July 30, 2008: According to You experience issues with UDP-dependent network services after you install DNS Server service security update 953230 (MS08-037) the Microsoft patch for Windows XP and the server versions of Windows is buggy. ComputerWorld reports that Microsoft has no plans to fix the problem caused by their DNS patch.

* If you work for a large organization, they may run their own DNS server computers.
See a summary of all my Defensive Computing postings.