
What do I need to know about the DNS vulnerability?

There’s been a lot of press around some kind of “big, bad”
vulnerability in DNS. I don’t need the details, I just want to know
what it means to me, and what, if anything, I need to do to be
safe.

DNS is one of those critical internet infrastructure things that we
just don’t think of all that often. But it is, indeed, critical. And
when a vulnerability is discovered, it’s a big deal.

A very big deal.


In short, DNS is the service that your computer uses to turn names
you and I can read and recognize, like “ask-leo.com”, into IP addresses
like 72.3.133.152 that are used by the internet to actually transfer
data.

It’s good that you don’t care about the exact details, because at
this writing they haven’t actually been divulged yet, and the various
theories are fairly complex.


The effect of the vulnerability is that if it is successfully
exploited, a DNS request for a specific name can be made to return
the wrong IP address. Worse, a DNS server normally remembers (caches)
the answers it receives, so one forged answer planted in your ISP's
server is then handed out to every customer who asks for that name,
until it expires. So imagine that you're going to paypal.com and the
DNS request that asks "what's the IP address for paypal.com?" returns
the IP address of a hacker's server instead: a server crafted to look
like PayPal, but which is most definitely not PayPal. How would you
know?
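To make "returns the wrong IP address" concrete, here is an added example (mine, not part of the original article) that builds a DNS query and an answer in Python and shows the one check a resolver has for deciding whether an answer belongs to the question it sent: the 16-bit transaction ID in the header. The name and addresses (example.com, 192.0.2.1, 203.0.113.9) are constructed for illustration.

```python
import random
import struct


def _encode_name(name):
    """Encode a dotted name in DNS label form, e.g. b'\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2             # the pointer itself is two bytes long
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels).lower(), end
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name, txid):
    """A minimal A-record query: 12-byte header, one question, nothing else."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)        # flags: RD
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def build_a_response(name, txid, ip, ttl=300):
    """An answer carrying one A record for `name` pointing at `ip` (constructed)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)        # flags: QR, RD, RA
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C is a pointer to offset 12, i.e. the name in the question section
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(msg):
    """Parse the header, the (single) question and any A records in the answer section."""
    txid, flags, _qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    qname, offset = _decode_name(msg, offset)
    qtype, _ = struct.unpack("!HH", msg[offset:offset + 4])
    offset += 4
    answers = []
    for _ in range(ancount):
        rname, offset = _decode_name(msg, offset)
        rtype, _, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:                                 # A record, IPv4
            answers.append((rname, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "qtype": qtype, "answers": answers}


def accept_response(query, response):
    """The resolver's matching rule: believe an answer only if it is flagged as a
    response and its transaction ID and question match the query we sent.
    Nothing else in the packet proves who sent it, which is why an attacker who
    can guess the ID (and the UDP port the query left from) can plant any address."""
    q_txid = struct.unpack("!H", query[:2])[0]
    q_name, _ = _decode_name(query, 12)
    r = parse_response(response)
    return r["is_response"] and r["txid"] == q_txid and r["qname"] == q_name


if __name__ == "__main__":
    txid = random.randrange(65536)
    query = build_query("example.com", txid)
    genuine = build_a_response("example.com", txid, "192.0.2.1")
    forged = build_a_response("example.com", (txid + 1) % 65536, "203.0.113.9")
    print("genuine accepted:", accept_response(query, genuine))   # True
    print("forged accepted: ", accept_response(query, forged))    # False
```

The point of the example is what is not checked: the resolver has no way to tell a genuine answer from a forged one except the ID and the question, so an attacker who can hit that ID (a 1-in-65,536 guess per packet if the port is predictable) gets their address cached.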

That’s why it’s a big deal. Even after a very large push to get all
the DNS servers patched before the vulnerability became public, the
fact is that even today that vulnerability still exists on too many DNS
servers.

So, what can you do?

The good news is that this is easy to detect, and easy to work
around, even though it’s not your problem.

That's correct, it's not your problem. This is not something that's
present on your computer. (Unless, that is, you're a geek running your
own DNS server, like I am.) Most people use the DNS servers provided
by their ISP, and it's there that the vulnerability may lie.

Test your DNS. Visit this link:

http://149.20.3.33/test/

You’ll note that’s an IP address – if it were a normal name it would
require a DNS look up using the very DNS server that you don’t yet
trust. (Thanks Michael Horowitz for that tidbit. And yes, in theory it
could still be spoofed; more on that below.)

You will be presented with two charts: one for the source ports your
DNS server uses when it sends out queries, and one for the transaction
IDs it puts in them. Those two values are what an attacker has to guess
to forge an answer, so the key is that you want both "Randomness"
results to be "Great", and that each time you run the test the graphed
dots and the list of "Values Seen" are different. That's all. If you get
"Great" for both tests, you're done. (If you travel, or use a hotspot,
you'll need to run this test at each location before you can feel
safe.)
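The "Values Seen" list is simply the ports (or IDs) the test's servers saw your DNS server use. Here is an added example (mine, not the test site's own code) that rates a list of observed source ports with a simple heuristic I made up for illustration, and works out how much a predictable port helps an attacker who is firing blind forged answers. The port lists are constructed, not recorded from any real server.

```python
import math


TXID_SPACE = 65536          # a DNS transaction ID is 16 bits


def assess_randomness(values):
    """Rate a sample of observed source ports (or transaction IDs).

    Heuristic made up for this example, not the test site's scoring:
      POOR  - repeated values or a constant step (a fixed port, or a counter)
      FAIR  - distinct values that all sit within a small window
      GREAT - distinct values spread across a wide range
    """
    if len(values) < 3:
        raise ValueError("need at least three samples")
    n, distinct = len(values), len(set(values))
    steps = {b - a for a, b in zip(values, values[1:])}
    sequential = len(steps) == 1          # e.g. 5000, 5001, 5002, ...
    span = max(values) - min(values) + 1
    if distinct < n or sequential:
        verdict = "POOR"
    elif span < 1024:
        verdict = "FAIR"
    else:
        verdict = "GREAT"
    return {"samples": n, "distinct": distinct, "sequential": sequential,
            "span": span, "bits": math.log2(span), "verdict": verdict}


def forgery_success_probability(port_choices, forged_packets):
    """Chance that at least one of `forged_packets` blind answers matches both the
    port and the transaction ID the resolver is waiting on, assuming the resolver
    picks both uniformly at random and each forgery is an independent guess."""
    per_packet = 1.0 / (port_choices * TXID_SPACE)
    return 1.0 - (1.0 - per_packet) ** forged_packets


if __name__ == "__main__":
    # constructed samples, labelled by what they stand for
    fixed_port = [53] * 8                                       # always the same port
    counter = [32768 + i for i in range(8)]                      # incrementing port
    random_ports = [51231, 3871, 62004, 17455, 40290, 9136, 58821, 28874]
    for label, sample in [("fixed", fixed_port), ("counter", counter), ("random", random_ports)]:
        print(f"{label:8} {assess_randomness(sample)['verdict']}")
    # one forged packet per possible transaction ID, port known vs. port random
    print("port known :", round(forgery_success_probability(1, TXID_SPACE), 3))   # ~0.632
    print("port random:", forgery_success_probability(64000, TXID_SPACE))         # ~1.6e-05
```

With a fixed or predictable port, 65,536 forged packets give the attacker roughly a 63% chance of success; spreading queries over tens of thousands of random ports pushes that same effort down to a few chances in a hundred thousand, which is why "Great" randomness on both charts is the thing to look for.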

If you didn’t get “Great” for both, there are two things I believe
you must do:

  • Complain to your ISP. They are vulnerable, meaning
    all of their customers are vulnerable. Patches and updates are readily
    available, so there's simply no excuse not to be up to date.

  • Switch to OpenDNS.
    OpenDNS is a free DNS alternative that is known not to be vulnerable.
    Whether you stick with it long term is up to you, but as a short term
    way to avoid your ISP’s vulnerable DNS servers, it’s a perfect and
    quick solution. Instructions
    are here.

Now, I mentioned above that the test could be spoofed. Even when you
go to the main page of the test by IP address rather than by name, the
test itself still has to use DNS: it works by making your DNS server
look up names on the test's own servers and watching how those queries
arrive. The danger scenario looks like this: your ISP has a vulnerable
DNS server that has already been exploited, and as part of the exploit
the DNS names for the test servers are redirected to IP addresses of
servers that always return "Great", no matter what. I honestly don't
think this is very likely, but I include it for completeness.

If there’s any question at all, you’ll be safe switching to
OpenDNS.

You’ll likely hear more about this vulnerability in the coming
weeks, but as long as things are “Great” you’ll know you’re safe.


12 comments on “What do I need to know about the DNS vulnerability?”

  1. Great! I was just about to ask you that. :)

    My current ISP’s DNS servers are not vulnerable but the ISP I am about to switch to is vulnerable (I made a friend run that test). So I would inform them.

    But my question is how difficult a thing it is for them to apply the patch? Is it just like software updates (or maybe a little more complex) or is it really truly complex thing that an ISP might not have the expertise to implement in reasonable time?

    It’ll vary based on exactly which DNS server they happen to be running, but the bottom line is that it should be very easy, and even if it’s not this is exactly what we expect our ISPs to be capable of doing and doing well.

    FWIW: I updated my DNS server in less than a minute with two, maybe three clicks of a mouse. (Ubuntu Linux) Not all are that easy, but many are.

    As I said there’s no excuse.

    -Leo

    Reply
  2. one little difficulty I just experienced, and I’m sure I’m not alone… ” Address not available” reply…Hum…Just too many people testing their DNS or has someone disabled the link…or, has my ISP (rogers) blacklisted the address…
    George Orwell Lives!

    Reply
  3. Sorry, I supplied the wrong text on my last email, it should have read:

    The page cannot be displayed
    The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings. “

    Not that it could not find the server. My apologies.

    Eld.

    Also, I did look at the OPEN DNS info and realized I have not heard why I might not want to stay with it if I choose to switch, and why I might want to switch, DNS issue or not. It looks pretty inviting, but how do they make their money?

    Thanks,

    Eld. (Orwell Lives!)

    Reply
  4. Am I to assume this DNS test will not work on a Mac?

    DNS, and the test, is platform independent. It should work.

    -Leo

    Reply
    My ISP showed good at first test then on the 2nd try showed poor (just a straight line) on the first graph. Called them and they were unable to resolve the address on your email.

    Reply
  6. Ran the test and received a result of Nominum. Is this company proven to be safe or is more time needed to tell? Better to use OpenDNS in the meantime or just sit tight? Thanks!

    Reply
  7. I tried to use the test; however, all I got was “Failure to connect to Web Server”. Didn’t matter what time of day. Would this be a Hughesnet thing?

    Reply
  8. I tried using the test link and received the message, “The requested URL could not be retrieved

    While trying to retrieve the URL: http://c5daea0164e51ed4f806e1d3.et.dns-oarc.net/

    The following error was encountered:

    Unable to determine IP address from host name for c5daea0164e51ed4f806e1d3.et.dns-oarc.net
    The dnsserver returned:

    No Address records
    This means that:

    The cache was not able to resolve the hostname presented in the URL.
    Check if the address is correct.
    Your cache administrator is support.
    —-
    Generated Wed, 06 Aug 2008 01:17:19 GMT by nocwebrun006.cisp.com (squid/2.5.STABLE11)”
    From the preceding notes, I guess I’m not the only one having problems with the link, but the message seems different than others reported.

    Reply
  9. My ISP’s DNS server is Great, but now I’m wondering about where my website is hosted. Is this an issue? Is there a way to test it?

    Reply
