Guys and girls, get your nameservers secured ASAP.
The DNS vulnerability everyone was talking about leaked on the internet, and I’m sure someone somewhere is already writing up code to take advantage of it…
Full story here.
Paul Vixie, the CEO of ISC (developers of bind/named), developer of CRON, who writes every so often on his circleid.com account made a short FAQ about the vulnerability:
Reactions have been mixed, but overall, negative. As the coordinator of the combined vendor response, I’ve heard plenty of complaints, and I’ve watched as Dan Kaminsky has been called an idiot for how he managed the disclosure. Let me try to respond a little here, without verging into taking any of this personally.
Q: “This is the same attack as <X> described way back in <Y>.”
A: No, it’s not.
Q: “You’re just fear-mongering, we already knew DNS was terribly insecure.”
A: Everything we thought we knew was wrong.
Q: “I think Dan’s new attack is <Z>.”
A: If you guess right, you can control the schedule, is that what you want?
Q: “I think Dan should have just come right out and described the attack.”
A: Do you mind if we patch the important parts of the infrastructure first?
Q: “Why wasn’t I brought into the loop?”
A: Management of trusted communications is hard. No offense was intended.
Full article here.
And you can check your ISP’s nameservers from this page: https://www.dns-oarc.net/oarc/services/dnsentropy You need to look at that test for port randomization, and you need to be above average to be safe. Beware that refreshing the test page will not show up *new* results, even if you make changes to your nameservers, so you need to go back to the prior link, and click on “Test my DNS” again.