Yet Another Reason To Use OpenDNS — Patch Your DNS Servers Now

There’s a really ugly DNS security issue that affects pretty much everybody, so you need to make sure you’ve patched everything you can. Nobody outside the vendors really knows what the problem is yet, but the domain name system is the Internet’s backbone, and if it gets broken, that’s a bad thing.

Thankfully, OpenDNS isn’t susceptible to the attack, so you can use them safely (and encourage your ISPs to patch their DNS servers, too, or at least forward all DNS requests to somebody like OpenDNS until they can patch their BIND implementation). I’ve used OpenDNS for quite a while and have set it up at the office, and it’s worked great.
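If you do take the forwarding route while waiting for a patch, this is the shape of the BIND options block that does it. It is an added example, not configuration from the original post; 208.67.222.222 and 208.67.220.220 are OpenDNS’s public resolver addresses.

```conf
options {
    // Hand every recursive query to OpenDNS instead of resolving it ourselves.
    forwarders {
        208.67.222.222;
        208.67.220.220;
    };
    // "forward only" never falls back to iterating from the root when the
    // forwarders do not answer; with "forward first" an unpatched server would
    // quietly go back to doing its own, spoofable, resolution.
    forward only;
};
```

One caveat a practitioner will want: forwarding narrows the exposure but does not remove it. The unpatched server still sends its own queries to the forwarder, and if those leave from a fixed source port an attacker can race replies spoofed from the forwarder’s address exactly as before. The patch is still required; forwarding only buys time.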

Comments

Anonymous says:

dig @216.228.160.29 +short porttest.dns-oarc.net TXT
dig @216.228.160.30 +short porttest.dns-oarc.net TXT
Bend Cable is still vulnerable… The Frank and Bob team are falling behind. It’s time for them to buy new $600,000 DNS servers from Sun and hire consultants for 6 weeks to make them work. I suspect Bend Cable customers will have secure, non-poisoned DNS some time in the winter.

Jake says:

That tool also says that my DNS servers — which have the latest BIND patches — are vulnerable (at least it did a few days ago when I tried it). I’ll have to look into it a bit more to see what’s going on.

Frank says:

Source port and transaction ID randomness is a stopgap.
Hoping for DNSSEC. Review RFC 3833 for entertainment :}.
Jake, the test here appears to do the right thing …
https://www.dns-oarc.net/

Anonymous says:

If the web- or DNS-based tool shows you are clearly vulnerable, then you are. It’s accurate. By the way, I’m hoping for a number of arcane standards to become widely used on the Internet. But guess what, nobody cares what I want. And nobody cares about DNSSEC or we would have started using it years and years ago. There are much simpler ways to avoid this vulnerability. The stop-gap provided by port randomization won’t work when we all have gigabit Internet links, but there are better randomization techniques, such as adding a large random string to the query. But that requires coordination and thus won’t actually happen. (Not nearly as much coordination as DNSSEC, though.)
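The race the last two comments are arguing about can be put in numbers. The script below is an added example, written for this page and not code from the post, the commenters, or the DNS-OARC test: it rates a sample of observed resolver source ports (in the spirit of the port test, with thresholds that are my own assumption), and then estimates how long a blind spoofer needs to win with transaction ID only, with the patched source-port randomization, and with 0x20 case randomization added on top. Link speed, response size and race window are illustrative assumptions; the attacker is assumed able to start a fresh race every window without waiting for a TTL.

```python
"""Blind DNS cache-poisoning cost under different amounts of query entropy.

Added example, not code from the post or its commenters.  Model: the attacker
fires spoofed answers at a resolver during the short window between the
resolver sending a query and the real answer arriving, and wins if one spoofed
answer matches every unpredictable field the resolver checks (transaction ID,
source port, and the 0x20 case bits of the name if the resolver uses them).
Link speed, response size and window length are assumptions for illustration.
"""
import statistics

# Constructed samples of source ports a resolver was seen using, one per query.
FIXED_PORT_SAMPLE = [53] * 12                       # classic unpatched behaviour
SEQUENTIAL_PORT_SAMPLE = list(range(32768, 32780))  # distinct, but predictable
RANDOM_PORT_SAMPLE = [1025, 61002, 33711, 4471, 52018, 17730,
                      64010, 9999, 38844, 27180, 58001, 12345]


def port_sample_rating(ports):
    """Rate a sample of observed source ports POOR/FAIR/GOOD.

    In the spirit of the DNS-OARC port test the commenters ran, but the
    thresholds are my own assumption, not the test's algorithm.  A port drawn
    uniformly from 1024-65535 has a standard deviation of roughly 18 600, so
    anything under 1000 is effectively predictable.
    """
    if len(set(ports)) == 1:
        return "POOR"
    sd = statistics.pstdev(ports)
    if sd < 1000:
        return "POOR"
    if sd < 10000:
        return "FAIR"
    return "GOOD"


def case_bits(qname):
    """Extra entropy from 0x20 encoding: one bit per ASCII letter in the name."""
    return sum(1 for c in qname if c.isalpha())


def guess_space(txid_bits=16, port_count=1, case_letters=0):
    """Number of distinct (txid, port, case) combinations the attacker must guess."""
    return (2 ** txid_bits) * port_count * (2 ** case_letters)


def expected_attempts(space, guesses_per_window):
    """Expected number of races until one spoofed answer matches.

    In one window the attacker can inject `guesses_per_window` distinct
    guesses, so the success probability per race is guesses/space, capped at 1.
    """
    p = min(1.0, guesses_per_window / space)
    return 1.0 / p


def expected_seconds(space, link_bps, resp_bytes=100, window_s=0.1):
    """Expected wall-clock time to poison at a given attacker link rate."""
    packets_per_second = link_bps / 8 / resp_bytes
    guesses_per_window = packets_per_second * window_s
    return expected_attempts(space, guesses_per_window) * window_s


def cost_table(qname="www.example.com", link_bps=1e9):
    """Seconds to poison for the three configurations the thread argues about."""
    usable_ports = 65535 - 1024 + 1   # assumed: resolver never uses ports below 1024
    configs = {
        "txid only (unpatched)": guess_space(),
        "txid + random port (patched)": guess_space(port_count=usable_ports),
        "txid + port + 0x20 case": guess_space(port_count=usable_ports,
                                               case_letters=case_bits(qname)),
    }
    return {name: expected_seconds(space, link_bps) for name, space in configs.items()}


if __name__ == "__main__":
    for sample in (FIXED_PORT_SAMPLE, SEQUENTIAL_PORT_SAMPLE, RANDOM_PORT_SAMPLE):
        print(port_sample_rating(sample), sample[:4], "...")
    for link in (10e6, 1e9):   # 10 Mbit/s attacker versus gigabit attacker
        print(f"attacker link {link / 1e6:.0f} Mbit/s")
        for name, secs in cost_table(link_bps=link).items():
            print(f"  {name:32s} {secs:14.1f} s")
```

Under these assumptions a 10 Mbit/s attacker needs a few seconds against a transaction-ID-only resolver and a few days against a port-randomizing one, which is why the patch matters; at a gigabit the same port randomization falls in under an hour, which is the commenter’s point, and the thirteen case bits in www.example.com push it back out to the better part of a year. None of these fields are authenticated, so every one of them is a stopgap in the sense Frank means.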