Is Your DNS Patched?


Unless you have been living under a rock for the past month, you have most likely heard about the DNS cache poisoning flaw recently discovered by Dan Kaminsky.  This may be one of the most severe flaws discovered to date, because it is cross-platform, affecting everything from Windows to Linux, UNIX, Cisco IOS and more.  It was so big, in fact, that all the major vendors coordinated to release their patches on the same day.  The flaw allows an attacker to insert a malicious DNS record into a resolver's cache.  As an end user you type in www.technet.com, and rather than the proper IP address the cache hands back the attacker's IP address, sending you to a site of the attacker's choosing.  You can find out more on the details of the flaw at Dan's blog.


You should make sure that you are patched, and that your upstream ISP DNS servers are patched too, either by calling them or by using Dan's DNS Checker at the top of his website (http://www.doxpara.com).


So why the sudden rush to ensure you are patched?  The patches issued by the vendors have been reverse engineered and exploit code has been published.  Dan has said many times that this exploit is extremely easy to launch and can be carried out in seconds.
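To see why "seconds" is not an exaggeration, and what the patches actually changed, here is a small simulation (added here as an example; it is not code from the original post, from Dan, or from any vendor, and it sends no packets). The fix shipped by the vendors, MS08-037 included, randomizes the UDP source port of each outgoing query, which is exactly what Dan's checker measures. The toy resolver below models both behaviours: unpatched, it uses one source port for its lifetime (an attacker learns it by making the resolver look up a name they host), so a forged reply only has to guess the 16-bit transaction ID; patched, every query gets a fresh random port, so the guess space grows by another ~16 bits. The attacker follows Dan's publicly described technique: ask for never-before-seen names under the target zone so there is no TTL to wait out, flood forged replies, and carry the poison as an in-bailiwick NS record plus glue for the zone rather than as a direct answer. The zone `example.com`, the attacker address `203.0.113.66`, the race budget, and all class and function names are constructed for the example.

```python
"""Toy model of Kaminsky-style DNS cache poisoning: fixed vs randomized source port.
Everything here (zone, IPs, resolver and attacker behaviour) is a constructed example."""
import random
from dataclasses import dataclass
from typing import Optional

TXID_SPACE = 1 << 16               # 16-bit DNS transaction ID
PORT_RANGE = range(1024, 65536)    # source ports a patched resolver draws from
TARGET_ZONE = "example.com"        # zone the attacker wants to hijack (constructed)
ATTACKER_IP = "203.0.113.66"       # documentation-range address standing in for the attacker


@dataclass(frozen=True)
class ForgedReply:
    """Everything a spoofed UDP response must get right to be accepted."""
    txid: int
    dst_port: int   # must equal the UDP source port the resolver used for the query
    qname: str      # must match a query the resolver still has outstanding
    ns_name: str    # authority section: "<zone> NS ns_name"
    ns_glue: str    # additional section: "ns_name A ns_glue" (this is the poison)


class ToyResolver:
    """Caching resolver. Unpatched: one source port for life. Patched: fresh random port per query."""

    def __init__(self, randomize_port: bool, rng: random.Random) -> None:
        self.randomize_port = randomize_port
        self.rng = rng
        self.fixed_port = rng.choice(PORT_RANGE)   # chosen once at startup (unpatched behaviour)
        self.pending: dict = {}                     # (txid, port) -> qname
        self.cache: dict = {}                       # name -> IP

    def send_query(self, qname: str):
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.choice(PORT_RANGE) if self.randomize_port else self.fixed_port
        self.pending[(txid, port)] = qname
        return txid, port

    def receive(self, reply: ForgedReply) -> bool:
        """Accept only if (txid, port) matches an outstanding query for that name and the glue is in-bailiwick."""
        key = (reply.txid, reply.dst_port)
        if self.pending.get(key) != reply.qname:
            return False                            # wrong ID or port: silently dropped
        del self.pending[key]
        # Bailiwick rule: a reply about *.example.com may only add data under example.com.
        if not (reply.ns_name == TARGET_ZONE or reply.ns_name.endswith("." + TARGET_ZONE)):
            return False
        self.cache[reply.ns_name] = reply.ns_glue   # poisoned record now serves future lookups
        return True

    def legit_reply_arrives(self) -> None:
        """The real answer wins the race; the name is no longer outstanding."""
        self.pending.clear()


def run_attack(randomize_port: bool, races: int, replies_per_race: int, seed: int) -> Optional[int]:
    """Kaminsky-style flood. Returns the race number at which the cache was poisoned, else None."""
    rng = random.Random(seed)
    resolver = ToyResolver(randomize_port, rng)
    known_port = resolver.fixed_port   # observable for an unpatched resolver; useless once ports vary
    for race in range(1, races + 1):
        # A never-seen name under the zone: nothing cached, so the resolver must ask the zone's servers.
        qname = f"{rng.getrandbits(32):08x}.{TARGET_ZONE}"
        resolver.send_query(qname)
        for _ in range(replies_per_race):
            port = rng.choice(PORT_RANGE) if randomize_port else known_port
            forged = ForgedReply(txid=rng.randrange(TXID_SPACE), dst_port=port, qname=qname,
                                 ns_name="ns1." + TARGET_ZONE, ns_glue=ATTACKER_IP)
            if resolver.receive(forged):
                return race
        resolver.legit_reply_arrives()   # lost this race; the next random name is a free retry
    return None


def poison_probability(guesses: int, randomize_port: bool) -> float:
    """Closed form for the same race: P(at least one forged reply matches) after `guesses` tries."""
    space = TXID_SPACE * (len(PORT_RANGE) if randomize_port else 1)
    return 1.0 - (1.0 - 1.0 / space) ** guesses


def bailiwick_demo():
    """Correct txid/port but out-of-bailiwick glue must be rejected; in-bailiwick glue is cached."""
    resolver = ToyResolver(randomize_port=True, rng=random.Random(1))
    txid, port = resolver.send_query("x." + TARGET_ZONE)
    out_of_zone = resolver.receive(ForgedReply(txid, port, "x." + TARGET_ZONE, "ns1.technet.com", ATTACKER_IP))
    txid, port = resolver.send_query("y." + TARGET_ZONE)
    in_zone = resolver.receive(ForgedReply(txid, port, "y." + TARGET_ZONE, "ns1." + TARGET_ZONE, ATTACKER_IP))
    return out_of_zone, in_zone, resolver.cache.get("ns1." + TARGET_ZONE)


if __name__ == "__main__":
    for randomize in (False, True):
        hit = run_attack(randomize, races=4000, replies_per_race=200, seed=2008)
        label = "patched (random source port)" if randomize else "unpatched (fixed source port)"
        print(f"{label}: {'poisoned in race ' + str(hit) if hit else 'survived the whole flood'}")
    print("bailiwick check (out-of-zone accepted, in-zone accepted, cached glue):", bailiwick_demo())
```

With the same budget of 800,000 forged replies, the fixed-port resolver is poisoned almost every time while the patched one is expected to survive roughly 5,000 such floods; randomizing the port does not make the attack impossible, only slow enough that it is no longer a matter of seconds. The bailiwick check is also why this bug was only about racing the reply, not about the cache accepting arbitrary records from anyone.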


MS08-037 - Vulnerabilities in DNS Could Allow Spoofing (953230)


KB953230 - Vulnerabilities in DNS could allow spoofing


Go. Read. Patch. Now.


And when you are done, copy and paste this post to your own blog, email it to your IT Pro buddies, and get the word out!


If you have links to the patches from other vendors, please leave a comment with the URL!

Comments (6)

  1. Rodney Buike says:

    Some additional information has been posted by Microsoft today in regards to this.

    http://www.microsoft.com/technet/security/advisory/956187.mspx

  2. Sean Kearney says:

    Rodney,

    Going to get hot on it.  Does this also apply to internal DNS servers that are merely caching queries and are firewalled off from the internet?  (i.e. small business sites; we don’t use Live DNS, but the ISP is our Live DNS for hosting, so yeah, THEY better be patched!)

  3. Rodney Buike says:

    If you find your upstream DNS servers are not patched you can point your DNS forwarders to the OpenDNS servers.

    http://www.opendns.com/

  4. Rodney Buike says:

    Hey Sean,

    It applies to all DNS servers.  Even if your internal DNS servers are patched, you still need to ensure that your upstream DNS servers are patched.  You can use Dan’s tool to determine that they are, or point to OpenDNS for the time being.

  5. Mitch says:

    Rodney, you said "you can use Dan’s tool to determine" if your upstream DNS servers are patched. Where can I find this tool?

  6. Rodney Buike says:

    Hi Mitch,

    Top right corner of Dan’s page, http://www.doxpara.com
