There’s been a lot of press around some kind of “big, bad”
vulnerability in DNS. I don’t need the details, I just want to know
what it means to me, and what, if anything, I need to do to be
A very big deal.
Become a Patron of Ask Leo! and go ad-free!
In short, DNS is the service that your computer uses to turn names
you and I can read and recognize, like “ask-leo.com”, into IP addresses
like 126.96.36.199 that are used by the internet to actually transfer
It’s good that you don’t care about the exact details, because at
this writing they haven’t actually been divulged yet, and the various
theories are fairly complex.
vulnerability still exists on too many DNS servers.”
The effect of the vulnerability is that if it is successfully
exploited, a DNS request for a specific name can be forced to return
the wrong IP address. So imagine that you’re going to paypal.com and
the DNS request that asks “what’s the IP address for paypal.com?”
returns an IP address of a hacker’s server instead. A hacker’s server
that is crafted to look like Paypal, but is most definitely not Paypal.
How would you know?
That’s why it’s a big deal. Even after a very large push to get all
the DNS servers patched before the vulnerability became public, the
fact is that even today that vulnerability still exists on too many DNS
So, what can you do?
The good news is that this is easy to detect, and easy to work
around, even though it’s not your problem.
That’s correct, it’s not your problem. This is not something that’s
present on your computer. (Unless, that is, you’re a geek running your
own DNS server, like I am.) DNS servers are provided by your ISP, and
it’s there that the vulnerability may lie.
Test your DNS. Visit this link:
You’ll note that’s an IP address – if it were a normal name it would
require a DNS look up using the very DNS server that you don’t yet
trust. (Thanks Michael Horowitz for that tidbit. And yes, in theory it
could still be spoofed; more on that below.)
You will be presented with two charts. The key is that you want both
“Randomness” results to be “Great”, and that each time you run the test
the graphed dots and the list of “Values Seen” are different. That’s
all. If you get “Great” for both tests, you’re done. (If you travel, or
use a hotspot, you’ll need to run this test at each location before you
can feel safe.)
If you didn’t get “Great” for both, there are two things I believe
you must do:
Complain to your ISP. They are vulnerable, meaning
all of their customers are vulnerable. Patches and updates are readily
available, so there’s simply no excuse not be up to date.
Switch to OpenDNS.
OpenDNS is a free DNS alternative that is known not to be vulnerable.
Whether you stick with it long term is up to you, but as a short term
way to avoid your ISP’s vulnerable DNS servers, it’s a perfect and
quick solution. Instructions
Now, I mentioned above that the test could be spoofed. Even when you
go to the main page of the test by IP address rather than by name, the
test itself still has to use DNS to perform the test. The danger
scenario looks like this: your ISP has a vulnerable DNS server, that
has been exploited. As part of the exploit the DNS names for the test
servers are redirected to IP addresses of servers that always return
“Great”, no matter what. I honestly don’t think this is very likely,
but I include it for completeness.
If there’s any question at all, you’ll be safe switching to
You’ll likely hear more about this vulnerability in the coming
weeks, but as long as things are “Great” you’ll know you’re safe.