
So what happened? Matasano had an article with more details on the DNS vulnerability ready to publish after Blackhat, and it was posted in error. They removed it as soon as they noticed.
But it seems the cat is out of the bag. I won't post the details here out of respect for Dan and Thomas. But I'm sure that within a day it will be all over the place. Matasano has released a public apology:
Earlier today, a security researcher posted their hypothesis regarding Dan Kaminsky’s DNS finding. Shortly afterwards, when the story began getting traction, a post appeared on our blog about that hypothesis. It was posted in error. We regret that it ran. We removed it from the blog as soon as we saw it. Unfortunately, it takes only seconds for Internet publications to spread.
We dropped the ball here.
...
Dan did phenomenal work on this research. It was impossible to talk to him today and not know that he was sincere about coordinating a graceful disclosure and fix for the problem. That I helped detract from that work is painful both personally and professionally, and I apologize to Dan for the way this played out.
Thomas Ptacek
Principal, Matasano Security
And after the Matasano removal, this warning was posted on Dan's website www.doxpara.com:
Patch. Today. Now. Yes, stay late. Yes, forward to OpenDNS if you have to. (They're ready for your traffic.) Thank you to the many of you who already have.
So for those DNS/system administrators who didn't patch, NOW would be the time. You can test your ISP's resolver with the script on Dan's website or, should it get Slashdotted again, you can use this trick: "dig +short porttest.dns-oarc.net TXT"
This one is patched:
$ dig +short porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"88.191.254.6 is GOOD: 26 queries in 3.9 seconds from 26 ports with std dev 19554.27"
This one is not yet patched:
$ dig +short porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"212.35.96.66 is POOR: 35 queries in 4.3 seconds from 1 ports with std dev 0.00"
(Source: /dev/random)
Note that you can tell dig to test a specific resolver with an @-argument:
$ dig @4.2.2.3 +short porttest.dns-oarc.net TXT
porttest.dns-oarc.net is a special DNS name served by the people at OARC: your resolver has to send it a series of queries, and the TXT answer reports how many distinct source ports those queries came from and the standard deviation ("std dev") of the port numbers. A patched resolver picks a fresh random port for each query, so you see many ports and a large deviation. A std dev of 0.00 from 1 port means every query left from the same source port, which is exactly what makes the cache poisoning attack practical. Note that the port count alone is not enough: a resolver that simply increments its port would show many ports but a tiny deviation. Dig is a unix/linux command. If you are not running linux, you could just use a linux livecd. Or here is a windows binary of the dig command.
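To make the "ports" and "std dev" numbers concrete, here is a small added example (my own code for this post, not anything from DNS-OARC or doxpara.com). It parses the two-line `dig +short` output shown above, taken from constructed samples so it runs offline, and recomputes the same two statistics from constructed lists of observed source ports: a resolver stuck on one port, one that increments its port, and one that randomises it. The GOOD/FAIR/POOR thresholds in classify_ports() are this example's own assumptions and not OARC's exact scoring rules.

```python
"""Interpret the OARC porttest answer and reproduce its port statistics.

Added example for this post; not code from DNS-OARC or doxpara.com.
Runs offline on constructed samples of `dig +short porttest.dns-oarc.net TXT`.
"""
import re
import statistics

# Constructed samples of the two-line `dig +short` output quoted in the post.
PATCHED_DIG = """z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"88.191.254.6 is GOOD: 26 queries in 3.9 seconds from 26 ports with std dev 19554.27"
"""
UNPATCHED_DIG = """z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"212.35.96.66 is POOR: 35 queries in 4.3 seconds from 1 ports with std dev 0.00"
"""

_TXT_RE = re.compile(
    r"^(?P<resolver>\S+) is (?P<verdict>[A-Z]+): (?P<queries>\d+) queries in "
    r"(?P<seconds>[\d.]+) seconds from (?P<ports>\d+) ports with std dev "
    r"(?P<stddev>[\d.]+)$"
)


def parse_porttest(dig_output):
    """Pick the quoted TXT record out of `dig +short` output and parse it.

    The first line of the output is the CNAME chain, not the answer, so only
    quoted lines are considered.  Returns None when no porttest answer is
    present (for example when dig printed nothing at all).
    """
    for line in dig_output.splitlines():
        line = line.strip()
        if not (line.startswith('"') and line.endswith('"')):
            continue
        m = _TXT_RE.match(line[1:-1])
        if m:
            d = m.groupdict()
            return {
                "resolver": d["resolver"],
                "verdict": d["verdict"],
                "queries": int(d["queries"]),
                "seconds": float(d["seconds"]),
                "ports": int(d["ports"]),
                "stddev": float(d["stddev"]),
            }
    return None


def port_stats(ports):
    """The two numbers the porttest reports: distinct source ports seen and
    the (population) standard deviation of the port numbers."""
    if not ports:
        raise ValueError("no queries observed")
    stddev = statistics.pstdev(ports) if len(ports) > 1 else 0.0
    return len(set(ports)), stddev


def classify_ports(ports):
    """Assumed thresholds (not OARC's): a single port is POOR, many ports
    with a tiny spread (e.g. an incrementing counter) is FAIR, wide spread is GOOD."""
    distinct, stddev = port_stats(ports)
    if distinct == 1:
        return "POOR"
    if stddev < 1000.0:
        return "FAIR"
    return "GOOD"


# Constructed source-port observations, as the authoritative server sees them.
FIXED_PORT = [53] * 35                       # unpatched: every query from port 53
SEQUENTIAL = list(range(1024, 1024 + 35))    # "many ports" but trivially predictable
RANDOMISED = [31245, 60112, 2048, 45389, 17732, 59001, 8823, 40456, 22217,
              63310, 5129, 37788, 50044, 14471, 28889, 57763, 11110, 49925,
              34567, 3301, 62244, 20102, 42873, 9988, 54412, 26600]

if __name__ == "__main__":
    for name, out in (("patched", PATCHED_DIG), ("unpatched", UNPATCHED_DIG)):
        print(name, parse_porttest(out))
    for name, ports in (("fixed port", FIXED_PORT), ("sequential", SEQUENTIAL),
                        ("randomised", RANDOMISED)):
        distinct, stddev = port_stats(ports)
        print(f"{name}: {classify_ports(ports)} ({distinct} ports, std dev {stddev:.2f})")
```

The sequential case is the one to remember when reading the TXT answer: 35 queries from 35 ports looks healthy until you see a std dev of about 10, which means the next port is guessable.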
Switch (temporarily) over to OpenDNS if your provider didn't patch. And I know of several who didn't.
UPDATE: Slashdot has picked up on it.
UPDATE2: Added some explanation on the "dig" command.
Previous posts:
- Dan Kaminsky Blackhat Webcast on the DNS vulnerability on the 24th of July (updated)
- More on the DNS vulnerability
- Warning: details multi vendor DNS cache poisoning flaws released (updated)
Security4all Blog



3 comments:
Could you please add some info WHY that one is patched and the other is not? Is it the "GOOD" vs "POOR"? Or the ports or the std dev or what? Thanks :)
What if I don't get any results back when I issue that command using both the DNS name and IP address of my name server? I believe they are patched, but just want to make sure.
That's strange. Is nslookup working at that time?
If the dig command doesn't work, just point your browser at www.doxpara.com and click on the "test my dns server" button. It's JavaScript.