DNS has a hole in it. Bad guys are working on exploits right now. Patches are available right now. Anyone responsible for a DNS server needs to exercise that responsibility. Right now.
Dan Kaminsky recently found a security hole in DNS, the details of which he was keeping quiet so that vendors could develop and release patches and DNS server owners could get those patches deployed, in order to avoid security breaches on the Internet. His intent was to release the gory details in a couple of weeks at the Black Hat conference.
But the other day word of the details inadvertently leaked out, and so now everyone responsible for a DNS system must — and I do mean must — drop what they’re doing and make sure their systems are patched and safe. Failure to do so puts Internet users at risk of site fraud and hijacking.
DNS is a system that translates names you can remember (like www.greghughes.net) to especially non-memorable numerical addresses the Internet can route (such as 126.96.36.199). It’s the Internet’s phone book, so to speak.
The security hole allows malicious people to spoof a Web site using the actual, legitimate domain name. In other words, bad guys could hijack a DNS server, and if it happens to be one your computer relies upon, you could type in a legitimate address like www.google.com or www.yourbank.com, but the Web page you get would be a malicious one — a fake. The recently released patches plug the hole and prevent this misuse (although they don’t really change the underlying protocol).
Aaron Massey wrote a very good post describing the issue and its various details. He also links to Halvar Flake, a talented reverse-engineering guy who thought the threat through and pretty much guessed it right on his blog. After Halvar’s guess, another security blog that had specific knowledge of the threat details confirmed Flake’s hypothesis. As a result, the threat was disclosed.
Luckily, the various vendors of the DNS software used all over the Internet released patches about two weeks ago. The real question is, have you patched your servers? This is a critical flaw — it needs to be patched immediately.
If you want to know whether the DNS server your computer relies upon is vulnerable or not, you can use the DNS Checker in the sidebar of Kaminsky’s blog (as long as it remains there).