Commerce - 8:05 pm on Feb 13, 2008 (gmt 0)
I'm on a Mac, so I doubt malicious code could change my settings, but I do have a non-standard DNS since I'm not using that of my upstream ISP (which, itself, could be compromised, I guess). Couple of things here. First, part of what the researchers seem to be talking about is that setting the registry entry on a Windows client machine that controls where that client machine should get its DNS resolver information is easy. Second, Mac clients must also know where to go to find a resolver in order to resolve (translate) DNS names to IP addresses, and thus have a configuration setting to do so. Should a hacker want to write code to do the same thing on a Mac (or Linux box), I suspect that would be fairly easy to do too. Finally, though I don't use OpenDNS because we run our own private resolvers, my guess is that if it is a trusted resolver service, the odds are great that using it is just fine. However, I would also add that your ISP should have a resolver for you to use, and arguably that resolver is your best bet unless there is some overwhelming and overriding reason to use another. I have serious reservations about using third party "open resolvers" because it is another point of failure which you have no control over. Were my company not running its own resolvers, I would certainly use my upline ISP's resolvers over any "open resolver" network for one really big reason - accountability. Keep in mind, it is not the DNS resolver service you are using that is most likely being corrupted; it is the client machine you are on that this article speaks about which is the biggest threat. So, while it is conceivable that DNS software itself can be compromised (it has happened before), it is something the folks who produce that kind of software tend to be very aware of and even more careful to work hard to avoid.
The article even goes on to say "The researchers estimate that there are 17 million open-recursive DNS servers on the internet, the vast majority of which give accurate information." In the case of the 68,000 or so "problem" open resolvers, these are malicious machines where an attack on your client's DNS configuration could send you. Now then, what does one do about such things? First, don't be brain dead and click on every link seen in email messages. Next, use some antivirus software on clients [even Mac clients] (you will sleep a bit better, although keep in mind there is a concept of a "0 day virus" where the antivirus folks may not have caught up with an appropriate definition to identify the problem virus for a day or so; going back to point one, don't be brain dead). You also might want to periodically check to see if the DNS settings on your machine are pointing toward the expected IP addresses for your upstream DNS resolving servers. If not, that is a pretty big clue that something is up. While the article seemed to focus on Windows clients (which I think is more than a bit unfair), the major points about DNS seem valid (if phrased a bit oddly - a virus by any other name...). FWIW, from an OS perspective, mitigating the problem for any given OS could be as simple as comparing a salted hash value kept "elsewhere" (yes, that's it, elsewhere) against the live value to see if it has been corrupted prior to reaching out to a DNS server. Finding a salted hash in memory would be quite a bit more tricky for an attacker, but even that could be defeated if an attacker is committed to the attack - still, it would take a lot of time, allowing an antivirus update time to arrive and discover the problem invader. I think that the attacker would have to be pretty lucky (and have to have way too much time on their hands) to successfully accomplish such an attack on a properly protected client. But I digress... -Commerce
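The two checks Commerce describes above (compare the client's configured resolvers against the expected upstream addresses, and keep a salted hash of the setting "elsewhere" to detect tampering) can be scripted in a few lines. The following is an added example, not code from the thread or from any product mentioned in it. It works on a resolv.conf-style text as found on Mac and Linux clients; the sample configs, the expected resolver addresses (private 10.x addresses) and the "hijacked" address (from the 192.0.2.0/24 documentation range) are all constructed for the example. On a Windows client the same logic would be applied to the per-interface NameServer values read from the registry instead of a resolv.conf file.

```python
import hashlib
import hmac
import ipaddress
import re
import secrets

# Constructed sample: resolv.conf as it should look on a host that uses its
# ISP's (here: private RFC 1918) resolvers.
GOOD_RESOLV_CONF = """\
# Generated by NetworkManager
search example.internal
nameserver 10.0.0.53
nameserver 10.0.1.53
options timeout:2
"""

# Constructed sample: the same file after a hypothetical DNS-changer has put
# an outside resolver first and dropped one of the legitimate ones.
HIJACKED_RESOLV_CONF = """\
search example.internal
nameserver 192.0.2.77
nameserver 10.0.0.53
"""

# The resolver addresses this client is supposed to use (assumed values).
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

_NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_nameservers(resolv_conf: str) -> list:
    """Return the resolver addresses found in resolv.conf-style text, in the
    order the resolver library would try them. Entries that are not valid
    IPv4/IPv6 addresses are skipped; an empty or comment-only file yields []."""
    found = []
    for raw in _NAMESERVER_RE.findall(resolv_conf):
        try:
            found.append(str(ipaddress.ip_address(raw)))
        except ValueError:
            continue
    return found


def check_resolvers(resolv_conf: str, expected: set) -> dict:
    """Compare configured resolvers against the expected set.
    'unexpected' lists addresses an attacker would have added; 'missing' flags
    a config that was emptied or had a legitimate resolver removed. A file with
    no usable nameserver at all is treated as not ok, since the OS would then
    fall back to defaults the operator did not choose."""
    configured = parse_nameservers(resolv_conf)
    return {
        "configured": configured,
        "unexpected": [ns for ns in configured if ns not in expected],
        "missing": sorted(expected - set(configured)),
        "ok": bool(configured) and set(configured) <= expected,
    }


def fingerprint(resolv_conf: str, salt: bytes) -> str:
    """Salted (keyed) SHA-256 over the normalized nameserver list only, so
    that comment or option edits do not trip it but any change to the
    resolver addresses or their order does. The salt is kept 'elsewhere'
    (a root-only file, a TPM-sealed blob, a remote inventory); without it an
    attacker who rewrites the config cannot recompute a matching value."""
    canonical = "\n".join(parse_nameservers(resolv_conf)).encode()
    return hmac.new(salt, canonical, hashlib.sha256).hexdigest()


def verify_fingerprint(resolv_conf: str, salt: bytes, stored: str) -> bool:
    """Constant-time comparison of the live fingerprint with the stored one."""
    return hmac.compare_digest(fingerprint(resolv_conf, salt), stored)


if __name__ == "__main__":
    salt = secrets.token_bytes(32)            # generated once, stored elsewhere
    baseline = fingerprint(GOOD_RESOLV_CONF, salt)
    for name, conf in (("good", GOOD_RESOLV_CONF), ("hijacked", HIJACKED_RESOLV_CONF)):
        result = check_resolvers(conf, EXPECTED_RESOLVERS)
        intact = verify_fingerprint(conf, salt, baseline)
        print(f"{name}: ok={result['ok']} unexpected={result['unexpected']} "
              f"missing={result['missing']} fingerprint_intact={intact}")
```

To use it against a live machine, feed the contents of /etc/resolv.conf (or the output of whatever the platform's resolver configuration tool prints) to check_resolvers with the addresses your ISP or your own resolver farm actually publishes. The fingerprint check adds nothing if the salt sits in the same place as the config; its value comes entirely from the attacker not having it.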
joestern, is there any chance that OpenDNS isn't something I should be using?