July 2008

VERY IMPORTANT NOTICE: DNS Vulnerability

The following is a very important announcement regarding a DNS vulnerability.

Multiple DNS implementations are vulnerable to cache poisoning. Please read the following carefully.

What is the impact:

An attacker with the ability to conduct a successful cache poisoning attack can cause a nameserver's clients to contact the incorrect, and possibly malicious, hosts for particular services. Consequently, web traffic, email, and other important network data can be redirected to systems under the attacker's control.

How to fix this vulnerability:

Patches have been released by a number of vendors to implement source port randomization in the nameserver. This change significantly reduces the practicality of cache poisoning attacks. Please read the US-CERT (United States Computer Emergency Response Team) advisory for further information on how to patch (fix) your nameserver.

Early this year, researcher Dan Kaminsky discovered a flaw in the DNS that could allow attackers easily to compromise any name server; it also affects clients. Kaminsky has been working in secret with a large group of vendors on a coordinated patch. The vendors include Internet Systems Consortium, Inc. (ISC) who are the developers of BIND, Microsoft and other nameserver software vendors.

The following is a mp3 interview with Dan Kaminsky. It conveys the importance of patching this vulnerability.

To check whether your nameserver is vulnerable, please go to DoxPara Research (Dan Kaminsky's website). There is a DNS Checker tool in the upper-right hand corner.

--ENDS--