Great close to the article and something I've been using with others...
|We have been trained since we were young to lock the door to our house, our car. We take these sensible security measures in the environment we are functioning in. "Yet when it comes to computer safety we forget to look both ways before crossing the internet highway." |
It concerns me when I see major hitters like this (VeriSign) bickering over whether or not it is a "doom or gloom" scenario. Tell that to the person that falls prey to an attack. Surely doom and gloom for them.
Apparently VeriSign isn't at risk...
|But the DNS threat was played down by net giant VeriSign which issues many of the security certificates used in SSL. It told BBC News its system was "not vulnerable". |
Time to go buy a $1,500 SSL...
I'm really surprised that neither of these two topics on the DNS Flaws have gotten any traction. I think people are just oblivious to the facts. They don't care. It's their host's problem, not theirs. I understand that. Some people "may" want to change hosts. :)
engine, is this topic viewable to everyone? Is it on a "for your eyes only" list or something? Or is this one of those "information only" type topics?
I guess we're all waiting for the "BIG BANG"? Not me...
Same thing happened with the previous thread referenced. Do I really stop threads in their tracks like that? I was the last to reply in both of these. Okay, I'll stay away. :(
DNS Flaw: First Attacks Reported
How can you check your server / website for this vulnerability?
The only tests I've been able to find so far have been for browsers.
|How can you check your server / website for this vulnerability? |
A DNS Report which used to be free but is now subscription based. Worth it if you ask me.
[edited by: pageoneresults at 5:26 am (utc) on Aug. 8, 2008]
Didn't notice the other homepage topic until after I posted: [recursive.iana.org...]
Seems I am vulnerable (showed up yellow, but not red like some other sites I tested).
What does one have to do to fix this?
Oooh, thanks for that link jake66. I'm adding that to my list. It's basic, but enough to let you know if you have the vulnerability I think. I'd want a backup in this instance as it is imperative that it be fixed. Can't afford even an inkling of "a false sense of security". ;)
The DNS Report is still worth the look. You get much more than the above. There are other FAILs and WARNs to be concerned with. The Open DNS Relay is just one of them, the biggest I think.
Are you currently using the paid DNS check? Does it too, tell you you're vulnerable? (Assuming that by your post, you got the same message as myself)
Ya, I use the paid version. But, I've been a DNS Report follower for years so my opinion is totally biased. I've not found another as accurate and detailed as it is. There are others out there that filled the void that DNS Report left open when they went paid but I still don't think they've got the backend support to provide the accuracy. I'm not sure though. I have no reason to switch. That report has saved us who knows how many $$$$$$$!
All you need to do is run it once. If there are no FAILs and no WARNs, congratulations. You've at least got a certain level of security in place. There may be one or two WARNs present, read the details and you'll know if you can bypass it. Same Class C is a common WARN.
It doesn't stop there though. You want to make sure you've got everything locked down these days. < Heh, I'm paranoid.
I checked on IntoDNS & only got 2 warns:
Recursive Queries (Already knew this from the IANA test)
Different subnets - WARNING: Not all of your nameservers are in different subnets
Different autonomous systems - WARNING: Single point of failure
...the 2 warns have nothing to do with this recursive DNS?
I read some interesting stories about this DNS flaw. Mr. Dan Kaminsky seems to be of the opinion that all proposed fixes to date are woefully inadequate and would, I read, be failures upon implementation.
Any ideas on solutions? I got none...which is maybe why so many people are staying mum. What good does it do us to discuss a problem we cannot correct; hell, it's so far above my head I get dizzy trying to figure out the implications, let alone resolutions!
I can't believe I haven't seen a post regarding 11 hackers having charges filed against them by the U.S. Attorney General for stealing credit card information from 40,000,000 accounts...now that's a problem I understand!
So this isn't something that can be fixed at this point in time? :(
Just as I thought I was safe.. I was able to disable recursion and get the green bar on the IANA site.
Tutorial for anyone that's as confused as I was: [webhostgear.com...]
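The check discussed in this thread (does a nameserver still offer recursion to outside clients, and does disabling it change the answer) can be read straight from the DNS response header. The following is an added example, not part of any post above and not the code behind the IANA or DNS Report tools; the function names `build_query`, `classify` and `probe` are hypothetical, and the sample responses are constructed.

```python
import socket
import struct

RD, RA = 0x0100, 0x0080  # header flag bits: recursion desired / recursion available
REFUSED = 5              # RCODE a locked-down server returns to outside clients

def build_query(name, txid=0x1234):
    """Build an A-record query with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(response, txid=0x1234):
    """Return 'open', 'closed' or 'invalid' for a raw DNS response."""
    if len(response) < 12:
        return "invalid"
    rid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:  # wrong ID, or not a response at all
        return "invalid"
    # Recursion is on offer when RA is set and the query was not refused.
    if flags & RA and (flags & 0x000F) != REFUSED:
        return "open"
    return "closed"

def probe(server, name="example.com", timeout=3.0):
    """Live check of a nameserver you operate; `name` should be a zone the
    server is NOT authoritative for. Not executed by this example."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    return classify(data)

# Constructed sample responses (12-byte headers only).
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)     # QR+RD+RA, NOERROR
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)  # QR+RD, REFUSED
SAMPLE_NO_RA = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 0, 0)    # QR+RD, RA clear

if __name__ == "__main__":
    for label, pkt in [("open", SAMPLE_OPEN), ("refused", SAMPLE_REFUSED),
                       ("no RA", SAMPLE_NO_RA)]:
        print(label, "->", classify(pkt))
```

Run `probe()` from a network outside the server's own, since a resolver that correctly restricts recursion to local clients will still report `open` when queried from inside.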
There are a lot of best practices that can be followed with DNS... trouble is around half the planet still runs their DNS as open relay sites (just kinda asking for cache poisoning problems).
It comes down to are you (or is your DNS service provider) responsive to implementing best practices and staying on top of DNS and other core infrastructure patches, fixes and updates?
Can you fix the problem? Based on HugeNerd's reporting of Mr. Kaminsky's remarks (presuming that gloomy view is correct), you can minimally mitigate the problem by installing software that at least attempts to address the issue du jour.
Certainly it seems better to do that than leave existing known problematic and flawed software in place.
FWIW, you probably should also be on the lookout for a new round of SQL injection attempts which seem to be on the rise recently (apparently mostly impacting sites running old .js versions who did not patch, fix or upgrade their software)