July 8, 2008 11:41 AM PDT

Massive, coordinated DNS patch released

by Robert Vamosi

A security researcher has responsibly disclosed a fundamental flaw within the Domain Name System (DNS), the addressing scheme behind the common names used on the Internet. Currently, it may be possible to guess in advance the transaction ID values a DNS resolver uses to match answers to its queries, and so assert a malicious server as the authoritative DNS server for a popular bank or e-commerce site. The news was announced Tuesday.

Dan Kaminsky, director of penetration testing services for IO Active, found the DNS flaw earlier this year. Rather than sell the vulnerability, as some researchers have done, Kaminsky decided instead to gather the affected parties and discuss it with them first. Without disclosing any technical details, he said, "the severity is shown by the number of people who've gotten onboard with this patch."

He declined to name the flaw as that would give away details.

Kaminsky said that on March 31, 16 researchers gathered at Microsoft to confirm they understood what was going on, to work out a fix that would cover the greatest number of people worldwide, and to decide when they would issue it.

Toward addressing the flaw, Kaminsky said the researchers all decided to conduct a synchronized, multivendor release. As part of that, Microsoft in its July Patch Tuesday released MS08-037. Cisco Systems, Sun Microsystems, and BIND are also expected to roll out patches later on Tuesday.

The coordinated release covers a wide variety of vendors. Art Manion of US-CERT (United States Computer Emergency Readiness Team) said vendors with DNS servers have been contacted, and there's a longer list of additional vendors that have DNS clients. That list includes AT&T, Akamai, Juniper Networks, Netgear, Nortel, and ZyXEL. Not all of the DNS client vendors have announced patches or updates. Manion also confirmed that other nations with CERTs have also been informed of this vulnerability.

Dan Kaminsky has provided a free DNS checker on his Web site. (Credit: Doxpara.com)

Most systems will be patched automatically. However, those that are not will have 30 days to be patched manually before additional details are made public.

This issue also affects Internet service providers used by home users. In the coming days, ISPs are expected to apply the patch to their systems. Hardware routers used by home users should not be affected.

Kaminsky said he will release details in time for Black Hat 2008, on August 7 and 8 in Las Vegas. However, Microsoft in its security bulletin said its patch uses strongly random DNS transaction IDs and random sockets for UDP (User Datagram Protocol) queries, and updates the logic used to manage the DNS cache.

Kaminsky did confirm that the patches released today will increase DNS randomness: "Where we had 16-bit before, we now have 32 bits."
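The "16 bits to 32 bits" figure is the 16-bit transaction ID plus a freshly randomized 16-bit UDP source port per query; a resolver that still sends every query from one fixed port, or with incrementing IDs, has not gained anything from the patch. The following script is an added example (not from the article and not Kaminsky's checker) showing how a defender can audit that from a packet capture of the resolver's outbound queries: it parses the UDP and DNS headers, measures how varied the source ports and transaction IDs are, and flags the fixed or sequential patterns the patches were meant to remove. The capture data is constructed inline, and the helper and field names are this example's own.

```python
# Added example (not the article's or Kaminsky's code): audit the source-port
# and transaction-ID randomness of a resolver's outbound DNS queries.
import math
import random
import struct
from collections import Counter


def parse_dns_query(packet: bytes) -> dict:
    """Parse a UDP header (8 bytes) followed by a DNS header (12 bytes).

    Only the fields the audit needs are returned: the UDP source port the
    resolver chose and the DNS transaction ID (TXID) it put in the query.
    """
    if len(packet) < 20:
        raise ValueError("packet too short for UDP + DNS headers")
    src_port, dst_port, _length, _checksum = struct.unpack("!HHHH", packet[:8])
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[8:20])
    if flags & 0x8000:  # QR bit set means this is a response, not a query
        raise ValueError("packet is a DNS response, not a query")
    return {"src_port": src_port, "dst_port": dst_port, "txid": txid, "qdcount": qdcount}


def build_query(src_port: int, txid: int) -> bytes:
    """Construct a minimal UDP + DNS query header pair (sample data only)."""
    udp = struct.pack("!HHHH", src_port, 53, 8 + 12, 0)
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return udp + dns


def shannon_bits(values) -> float:
    """Empirical entropy of the observed values in bits (0.0 for a constant)."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_sequential(values) -> bool:
    """True when each value is the previous one plus 1 (mod 2**16)."""
    return len(values) > 1 and all((b - a) % 65536 == 1 for a, b in zip(values, values[1:]))


def assess_resolver(packets) -> dict:
    """Flag the weak patterns the 2008 patches removed: a fixed or sequential
    UDP source port, or a fixed or sequential transaction ID."""
    queries = [parse_dns_query(p) for p in packets]
    ports = [q["src_port"] for q in queries]
    txids = [q["txid"] for q in queries]
    findings = []
    port_predictable = len(set(ports)) == 1 or is_sequential(ports)
    txid_predictable = len(set(txids)) == 1 or is_sequential(txids)
    if len(set(ports)) == 1:
        findings.append("fixed UDP source port")
    elif is_sequential(ports):
        findings.append("sequential UDP source ports")
    if len(set(txids)) == 1:
        findings.append("fixed transaction ID")
    elif is_sequential(txids):
        findings.append("sequential transaction IDs")
    # Bits an off-path observer cannot predict per query: 16 for a random
    # TXID plus 16 for a random source port; 0 for either when predictable.
    guess_bits = (0 if txid_predictable else 16) + (0 if port_predictable else 16)
    return {
        "port_entropy_bits": shannon_bits(ports),
        "txid_entropy_bits": shannon_bits(txids),
        "guess_bits": guess_bits,
        "findings": findings,
        "weak": bool(findings),
    }


# Constructed sample captures: an unpatched resolver that always sends from
# port 32768 with incrementing TXIDs, and a patched one using seeded
# pseudo-random ports and TXIDs (seeded only so the example is repeatable).
UNPATCHED_CAPTURE = [build_query(32768, 0x1000 + i) for i in range(8)]
_rng = random.Random(2008)
PATCHED_CAPTURE = [build_query(_rng.randrange(1024, 65536), _rng.randrange(65536)) for _ in range(8)]

if __name__ == "__main__":
    for name, capture in (("unpatched", UNPATCHED_CAPTURE), ("patched", PATCHED_CAPTURE)):
        report = assess_resolver(capture)
        print(name, report["findings"] or "no weak pattern", f"{report['guess_bits']} unpredictable bits")
```

On real traffic the packets would come from a capture of the resolver's outbound port-53 queries rather than from `build_query`; a few dozen queries are enough to see a fixed port or a counter, which is exactly the condition under which an answer can be forged with only a 16-bit guess.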

To check to see if your system is vulnerable, Kaminsky has provided a DNS checker.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
by gagahput3ra July 8, 2008 12:31 PM PDT
why does it show "Error establishing a database connection" on the DNS Checker webpage? If the website got attacked in an attempt to protect "the greatest number of people worldwide", this will be the biggest joke of internet security this year.
by pencoyd July 8, 2008 3:36 PM PDT
OpenDNS was never vulnerable, so you might want to try their free service. http://www.opendns.com/
by Spiderrman July 8, 2008 3:46 PM PDT
Don't know about Vista, but on XP ZoneAlarm ceases to function unless it is turned off or the firewall setting for Internet is set to Medium from High.
by dragonstar125 July 9, 2008 12:20 AM PDT
That's true, Spider, but it's due to the Microsoft update to fix the DNS server patch, grrrrrr, so do set ZoneAlarm to medium. I have sent an email to ZoneAlarm about this; hope they fix it ASAP :(
by portiadacosta July 9, 2008 2:08 AM PDT
Ah, could this be why I couldn't connect to the internet this morning after installing the latest security patch, on my WinXP SP3 system? I use Zone Alarm too.

I uninstalled the security patches for the time being.

I also use Open DNS, would that have any bearing on the problem?
by dragonstar125 July 9, 2008 8:09 AM PDT
Reinstall the patches, but before doing so set the Internet setting in ZoneAlarm to medium, and you're still safe :) It works for me, as said above :)
by bt_ July 23, 2008 10:35 AM PDT
"Where we had 16-bit before, we now have 32 bits," said Dan Kaminsky, welcoming the DNS patches coming out as if we are safe now.

Wrong! We still have the fundamental flaw: we are still using something (DNS, as we use WEP, VLAN, etc.) that has not been designed for security.

The new "finding" did not change the quality for the better; it just changed the quantity of the feature. It means that when our computing resources become faster we would be able to "break" the randomness of 32 bits as easily as we can do it today for 16. Then what?

Poor work, too much fuss...

We have to focus efforts on the DNS re-architecture and re-design, from scratch and with security requirements put forth for the new development.

/bt_