July 31, 2008

About The Internet DNS Flaw

Tech Analyst Larry Magid Explains Flaw That Allows Hackers To Redirect URLs

(CBS) You may have heard about the security flaw that affects the entire Internet. It's actually a problem with the software behind just about all domain name servers, DNS for short. A domain name server is a computer that acts like a phone book or switchboard operator: it takes a web address, like cbs.com, and translates it to an Internet Protocol (IP) address like 170.20.0.24. Since IP addresses are as hard to remember as phone numbers, none of us bother to use them. Instead we rely on DNS servers to look them up for us.

But on July 8, security researcher Dan Kaminsky found a flaw in the software used on most DNS servers that makes it possible for a hacker to redirect DNS lookups. If exploited, that flaw would allow a criminal to redirect people to the wrong site. Imagine the scenario: you type the correct URL of your bank, but instead of going to your real bank's site you land on a criminal's site that looks just like it. You type in your user name and password and that information gets into the wrong hands. And don't confuse this with phishing. A phishing attack tricks you into clicking on a link that takes you to a bogus site. If you were a victim of a DNS attack (sometimes called pharming) you could get to a bogus site even if you typed in the correct URL.

You can listen to my interview with Kaminsky on CBSNews.com.

No need to panic

There is no need to panic or stop using the Internet. Kaminsky has been warning security professionals about this flaw for the last few weeks and most major Internet service providers have fixed their DNS servers to protect users. But not everyone has. There are thousands of DNS servers out there in companies and smaller ISPs that may not have been fixed. And, now that the word is out, there is a greater chance that hackers will attempt to exploit this flaw because more of them know about it.

You can find out if your connection is safe from this flaw by using a DNS checker. There are three that I know of. Kaminsky has one on his blog, there’s another at DNS-OARC and one at the lower left corner of DNSstuff. If your system passes these tests, you’re OK.

If you're not OK, contact your ISP or, if you're at work, your system administrator. Or you can bypass your ISP's domain name server and use a free alternative. Kaminsky recommends opendns.com, which allows you to use their domain name server instead of the one provided by your ISP. You have to spend a few minutes configuring your computer or router to work with OpenDNS's name server, but there are clear instructions on that site. Because my ISP (Comcast) passed the tests, I didn't bother changing mine, and you shouldn't either if your system tests out OK.

The good news about this is that the problem is being fixed around the globe. Next week Kaminsky heads to Las Vegas for a security conference where he plans to lay out more details to help experts fix their own servers and prevent these attacks in the future.


©MMVIII, CBS Broadcasting Inc. All Rights Reserved.
by allurfears August 3, 2008 4:05 AM EDT
Did Maggid DO ANY REAL TESTING on the three test sites he "recommended"? As usual, Maggid is simply incompetent. Who pays this guy? He's worse than Senator "tubes" Stevens.

http://www.dnsstuff.com/
This is just a "hook" or SCAM site to get you to pay them $79 for a "complete check". What the "free" test ALWAYS tells you is that there is a DNS problem with the domain. I tested my domain, comcast.net, att.com, att.net, yahoo.com and EVIDENTLY ALL OF THESE DOMAINS HAVE 4 or MORE "CRITICAL PROBLEMS" that "URGENTLY NEED TO BE FIXED" if you will only "PAY $79". What a joke.

What's really funny? The other two free checks said my domain was OK. This site is a SCAM.

https://www.dns-oarc.net/
and
http://www.doxpara.com/

These sites only test the DNS associated with your computer. Only useful if you are working from an address associated with the domain you want to test.

You just should NOT pay any attention to Maggid. Too many of his articles are incomplete or simply contain bad information.
Reply to this comment
by caldwellptr August 2, 2008 4:12 PM EDT
It's the Internet. Does it matter if the web site is real or fake?
Reply to this comment
by kmoconnell-2009 August 1, 2008 1:30 PM EDT
The DNSstuff "DNS Vulnerability Check" tool is located on the lower left of the home page.

This enhanced tool was designed to check for DNS cache poisoning susceptibility. This version forces your client to do 32 recursive lookups by giving it 32 different zones (subdomains) to look up, rather than two via CNAME only. With a larger sample size we can perform some statistical analysis on the values and detect a wider range of problems.

It will detect if the server is not changing its source port, query id, or both, between queries. This means it is easier than average for an attacker to spoof responses to DNS queries from this server, causing the server to serve a potentially malicious DNS record in response to any query.

Please note that this is different from the "Domain Health Check" on our home page, which runs diagnostic tests based on our DNSreport technology. It does indicate if you have critical errors. You can then simply go on a FREE trial to view the entire report. If you find value with our tools/alerts you can join. If not, simply cancel your trial.

DNSstuff has millions of users around the globe who rely on our tools to quickly troubleshoot and solve domain and email problems.

Best of luck and be sure to patch your servers!

Kristina O'Connell, VP Marketing, DNSstuff
Reply to this comment
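The comment above describes a check that triggers 32 recursive lookups and flags a resolver that keeps its source port or query ID fixed between queries. The following is an added example, not DNSstuff's tool or code from the article, that applies the same idea to a sample of (source port, query ID) pairs collected from one resolver's outbound queries; the samples are constructed, and the constant-step test for sequential counters is an extra predictability check beyond the fixed-value check the comment names.

```python
import math
import random
from collections import Counter


def entropy_bits(values):
    """Shannon entropy of a sample in bits; 32 distinct values give 5.0."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def is_predictable(values, min_distinct_ratio=0.8):
    """A field is predictable if it mostly repeats (fixed value) or
    advances by a constant step (sequential counter, checked mod 2^16)."""
    if len(values) < 2:
        return True
    enough_distinct = len(set(values)) >= min_distinct_ratio * len(values)
    steps = {(b - a) & 0xFFFF for a, b in zip(values, values[1:])}
    return (not enough_distinct) or len(steps) == 1


def assess_randomization(observations):
    """observations: (source_port, query_id) pairs from successive outbound
    queries of one resolver, e.g. the 32 lookups the checker triggers."""
    ports = [p for p, _ in observations]
    qids = [q for _, q in observations]
    port_bad, qid_bad = is_predictable(ports), is_predictable(qids)
    if port_bad and qid_bad:
        verdict = "POOR: source port and query id both predictable"
    elif port_bad:
        verdict = "VULNERABLE: source port not randomized"
    elif qid_bad:
        verdict = "VULNERABLE: query id not randomized"
    else:
        verdict = "GOOD: source port and query id both vary"
    return {"port_predictable": port_bad, "qid_predictable": qid_bad,
            "entropy_bits": (round(entropy_bits(ports), 2),
                             round(entropy_bits(qids), 2)),
            "verdict": verdict}


# Constructed samples (not real captures) for two hypothetical resolvers.
rng = random.Random(2008)
PATCHED = [(rng.randrange(1024, 65536), rng.randrange(65536)) for _ in range(32)]
# Unpatched: every query leaves from port 53 and the query id just counts up.
UNPATCHED = [(53, (0x1F00 + i) & 0xFFFF) for i in range(32)]

if __name__ == "__main__":
    for name, sample in (("patched", PATCHED), ("unpatched", UNPATCHED)):
        print(name, assess_randomization(sample)["verdict"])
```

In practice the pairs would come from a packet capture of the resolver's outbound UDP queries; a resolver that only randomizes the 16-bit query ID still has far less to guess than one that also randomizes its source port.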
by lpgideon August 1, 2008 12:20 PM EDT
Thanks Kawosa. Best advice I have seen for this problem yet. So far, every time I deliberately use a bad password, it tells me I am wrong. Great. However, one word of caution: if you repeat the wrong action three times, most sites will block you until you contact them on a land line.

Following quoted:
This is not new. It's very easy to make a web page exactly like the real one, so real you will not know the difference. To shadow the dns Addy is a little more difficult. The real fix? Every time you sign into a bank site or CC site, type the wrong password first. If it rejects you, you know you are on the real site. On the other hand, if it allows you entry to another series of questions, shut it off and run like crazy.
Reply to this comment
by valentin73 August 1, 2008 4:19 AM EDT
How can an idiotic hacker know more than, say, someone like Bill Gates??????????????????????

I don't get it......
Reply to this comment
by kawosa July 31, 2008 11:30 PM EDT
This is not new. It's very easy to make a web page exactly like the real one, so real you will not know the difference. To shadow the dns Addy is a little more difficult. The real fix? Every time you sign into a bank site or CC site, type the wrong password first. If it rejects you, you know you are on the real site. On the other hand, if it allows you entry to another series of questions, shut it off and run like crazy.
Reply to this comment
by fredcs25 July 31, 2008 9:53 PM EDT
More internet users need to know about these tests.
Reply to this comment