By now, everyone on the Internet is aware of the fundamental flaw in DNS that all major vendors released security patches for this week. Dan Kaminsky, the security researcher who discovered the cache poisoning bug, has developed a test for this flaw that you can find at his web site.
Many people have downplayed this flaw, saying it’s not as serious as some speculate, since only recursive DNS servers are at risk. Maybe that’s true, but who uses these DNS servers? All DNS clients, from workstations to servers to routers. And if the DNS servers have their caches poisoned, they can redirect these unsuspecting clients to potentially malicious web sites.
Dan, who is an expert in all things DNS, has this advice for network administrators:
“If it recurses, patch it. I don’t care if it’s firewalled. Patch it, or kill it.”
Dan has purposely not released details on the DNS vulnerability so that users will hopefully have time to patch their systems prior to exploits being developed. Dan is scheduled to reveal all the details at Blackhat on August 7th, so stay tuned. For more details, see the CERT vulnerability notes for VU#800113. Dan was also interviewed by Rich at the Network Security Podcast, where he goes into more detail on the issues.
Also note that the ISC has put out a temporary patch for BIND 8, but because of legacy issues, they are suggesting BIND 8 be retired. The ISC has some nice documentation on the BIND 8 to BIND 9 migration process.