DNS Internet Security Flaw



N2NH
08-01-2008, 02:42 AM
You may have heard about the security flaw that affects the entire Internet. It’s actually a problem with the software behind just about all domain name servers - DNS for short. A domain name server is a computer that acts like a phone book or switchboard operator that takes a web address - like cbs.com and translates it to an Internet Protocol (IP) address like 170.20.0.24. Since IP addresses are as hard to remember as phone numbers, none of us bother to use them. Instead we rely on the DNS servers to look them up for us.

But on July 8, security researcher Dan Kaminsky found a flaw in the software used on most DNS servers that makes it possible for a hacker to re-direct a DNS. If exploited, that flaw would allow a criminal to re-direct people to the wrong site. Imagine the scenario - you type the correct URL of your bank but instead of going to your real bank’s site you go to a criminal’s site that looks just like it. You type in your user name and password and that information gets into the wrong hands. And don’t confuse this with phishing. A phishing attack tricks you into clicking on a link that takes you to a bogus site. If you were a victim of a DNS attack (sometimes called pharming) you could get to a bogus site even if you typed in the correct URL.

Internet Security Flaw (http://www.cbsnews.com/stories/2008/07/31/scitech/pcanswer/main4311532.shtml)

n2ize
08-02-2008, 01:10 PM
But is there a fix for this? I run my own DNS. Do I need to keep a separate DNS cache on a separate piece of hardware isolated from everything else? Or is there a more practical fix.

The only published "fix" that I can find online is a page telling me to use OpenDNS servers instead.

N2RJ
08-03-2008, 09:29 PM
Yes there's a fix. It's been patched a long time.

Just update using your updater - up2date, yum (RedHat and clones) or aptitude (ubuntu/debian)
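One caveat a practitioner would add to "just update": the fix is source-port randomization for outbound queries, and on BIND (the thread never names the software, so that is an assumption here) a named.conf that pins the query port with `query-source ... port 53;`, a common setting chosen to keep firewall rules simple, overrides the randomization and leaves a patched server just as guessable as an unpatched one. The check below is an added example, not from any post in this thread and not ISC's own tooling; the two configuration fragments are constructed samples.

```python
import re

# Constructed sample named.conf fragments (not from the thread).
# The first pins every outgoing query to UDP port 53, which overrides the
# source-port randomization the 2008 patch added, even on a patched BIND.
WEAK_CONF = """
options {
    directory "/var/named";
    // pinned to one port so the firewall only needs one rule
    query-source address * port 53;
    query-source-v6 address * port 53;
};
"""

# The corrected form drops the port clause (or uses "port *") so the
# resolver picks a random high port for each query.
FIXED_CONF = """
options {
    directory "/var/named";
    query-source address *;
    query-source-v6 address * port *;
};
"""

# query-source [address <addr>] port <number|*> ;   (also the -v6 variant)
_QS = re.compile(
    r'\bquery-source(?:-v6)?\s+(?:address\s+\S+\s+)?port\s+(\*|\d+)\s*;', re.I)


def strip_comments(text):
    """Remove /* */, // and # comments so a commented-out port is not reported."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    text = re.sub(r'(//|#).*', '', text)
    return text


def pinned_query_ports(conf):
    """Return the fixed outbound ports found in query-source statements, in file order.

    A statement without a port clause, or with 'port *', lets BIND randomize and is
    not reported.
    """
    found = []
    for m in _QS.finditer(strip_comments(conf)):
        if m.group(1) != '*':
            found.append(int(m.group(1)))
    return found


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        ports = pinned_query_ports(conf)
        verdict = f"pinned to {ports}, still guessable" if ports else "randomized"
        print(f"{name}: {verdict}")
```

On a live box, feed it the contents of /etc/named.conf (or wherever your distribution keeps it) and its included files. Also look at any firewall or NAT in front of the resolver: a NAT that rewrites source ports to a predictable sequence undoes the randomization just as effectively as the config line does.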

n2ize
08-05-2008, 01:33 PM
Yes there's a fix. It's been patched a long time.

Just update using your updater - up2date, yum (RedHat and clones) or aptitude (ubuntu/debian)


Thanks. It's even possible that I may have already updated it. I'll check to make sure it's been done.

WØTKX
08-07-2008, 10:48 AM
For most folks, it's the danger of a DNS compromise on their ISP or employers network, unless you run a DNS server... So, it's good to check things out... For instance, while my Comcast supplied DNS is currently safe, my AT&T Tilt phone on the "Edge Network" is a bit suspicious.

Here's a great test link (incl. syntax for porttest Linux fans):

https://www.dns-oarc.net/oarc/services/dnsentropy

Dan Kaminsky is the guy that brought it to light, and he has a blogsite. His DNS tester seems to be down.
Dan Kaminsky - Doxpara Research (http://www.doxpara.com/?p=1176)

Man has the biggest White Hat in the world right now, thanks Dan!

Most ISPs are keeping up. I worry about folks in small businesses that did not catch it in time, like the infamous Windows 2K Server "worms".
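The DNS-OARC test linked above works by making your resolver send a series of queries to a server under OARC's control and grading how unpredictable the UDP source ports of those queries are. As an added example that is not part of the post and not OARC's tester, here is an offline approximation in Python: the port samples are constructed, the rating thresholds are chosen here rather than taken from OARC, and forgery_success shows why the port matters at all. With a fixed source port an off-path attacker only has to hit the 16-bit transaction ID, and the Kaminsky technique of querying fresh random names under the target domain lets the attacker rerun the race as often as needed, so a 1-in-65536 chance per forged packet is won in seconds to minutes; drawing the port from tens of thousands of values multiplies the search space by that many.

```python
import statistics

# 16-bit DNS transaction ID: the only per-query secret on a fixed-port resolver.
TXID_SPACE = 65536

# Constructed samples (not real captures) of the UDP source ports three
# resolvers used for 20 consecutive outbound queries.
FIXED_PORTS = [53] * 20                        # unpatched, or patched but pinned by config
SEQUENTIAL_PORTS = list(range(32768, 32788))   # distinct ports, but a constant stride
RANDOM_PORTS = [41227, 5873, 60214, 33891, 12045, 57790, 2118, 49352, 27669, 63407,
                8932, 44501, 19276, 54118, 36945, 1503, 58821, 23409, 47037, 30356]


def port_rating(ports):
    """Rough equivalent of the porttest verdict. Thresholds are chosen here, not OARC's."""
    distinct = len(set(ports))
    if distinct == 1:
        return "POOR"            # one port: the attacker already knows it
    strides = {b - a for a, b in zip(ports, ports[1:])}
    if len(strides) == 1:
        return "POOR"            # fixed increment: the next port follows from the last
    spread = statistics.pstdev(ports)
    if distinct == len(ports) and spread > 3000:
        return "GREAT"           # no repeats and spread across the high-port range
    return "GOOD"


def forgery_success(port_range, forged_replies):
    """Probability that at least one of `forged_replies` spoofed answers sent in one
    race window matches both the transaction ID and the source port, when the
    resolver draws its port uniformly from `port_range` values."""
    p_one = 1.0 / (TXID_SPACE * port_range)
    return 1.0 - (1.0 - p_one) ** forged_replies


if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORTS),
                         ("sequential", SEQUENTIAL_PORTS),
                         ("random", RANDOM_PORTS)):
        print(f"{name:10s} {port_rating(sample)}")
    # 65536 forged replies in one race: about 63% against a fixed port,
    # about 0.0016% when the port is drawn from 64512 values.
    print(f"fixed port : {forgery_success(1, 65536):.3f}")
    print(f"random port: {forgery_success(64512, 65536):.6f}")
```

The live equivalent is the porttest lookup in the OARC link above; the offline version is useful for grading ports captured with tcpdump from a resolver you cannot point at the Internet, such as one behind the phone carrier's NAT mentioned in the post.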