Don’t be a Victim of DNS Security Holes

The internet has been ablaze with news about the Kaminsky DNS vulnerability over the last week or so, especially in light of some vendors’ taking their sweet time with supplying a fix.

Behind all the security technobabble, what this means for you is that if your ISP hasn’t applied the appropriate fixes to the DNS servers it assigns you when you go online, then should you type www.paypal.com or www.citibank.com into the address bar of your browser, you might very well end up on a spoof site that looks exactly like the real thing, but which collects your username and password before forwarding your connection to the real site. That’s a serious problem in anyone’s book!

You can check whether the servers you’re calling have been fixed by clicking the Check My DNS button on Dan Kaminsky’s Site. If they come up short, you really should switch to an alternative DNS service. In many respects, using a free provider that specializes in DNS is more likely to also keep you safe from any future security problems than relying on your ISP — who has plenty of other things to maintain in addition to your DNS servers.

OpenDNS provides just such a service at no cost, and even though my ISP passes the Kaminsky test, I’ve already switched my whole network over to the OpenDNS servers by following these straightforward instructions, which boil down to changing all /etc/resolv.conf nameserver lines to:

   nameserver 208.67.222.222
   nameserver 208.67.220.220

Then flush any cached addresses on every computer you use for browsing. On Ubuntu, type the following into a terminal:

   sudo /etc/init.d/networking restart

And the equivalent for Mac OS X:

   sudo lookupd -flushcache

And Windows Vista:

   ipconfig /flushdns
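As an added example (not part of the original post), here is a POSIX shell script that performs the /etc/resolv.conf step above on a constructed sample file, writing the result to a separate output file so the change can be reviewed before it is copied into place; the cache flush is left to the per-OS commands listed above, and the file names and sample contents are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Rewrites the nameserver
# lines of a resolv.conf-style file to the two OpenDNS resolvers named above,
# keeping any search/domain/options lines, and writes to a separate output
# file so the result can be reviewed before being copied to /etc/resolv.conf.
# The sample input below is constructed for the demonstration.

OPENDNS_1=208.67.222.222
OPENDNS_2=208.67.220.220

# list_nameservers FILE: print the resolver addresses configured in FILE.
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# switch_nameservers IN OUT: copy IN to OUT with every nameserver line
# replaced by the two OpenDNS entries (other directives kept in order).
switch_nameservers() {
    awk -v a="$OPENDNS_1" -v b="$OPENDNS_2" '
        $1 == "nameserver" { next }   # drop the ISP-assigned resolvers
        { print }                     # keep search/domain/options lines
        END { print "nameserver " a; print "nameserver " b }
    ' "$1" > "$2"
}

# uses_opendns FILE: succeed only if FILE lists exactly the two OpenDNS
# resolvers and nothing else, i.e. the switch is complete.
uses_opendns() {
    [ "$(list_nameservers "$1" | tr '\n' ' ')" = "$OPENDNS_1 $OPENDNS_2 " ]
}

# Constructed sample of an ISP-assigned configuration (RFC 5737 test addresses).
SAMPLE=$(mktemp)
OUT=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# generated by dhcp (constructed sample)
search example.lan
nameserver 192.0.2.53
nameserver 192.0.2.54
options timeout:2
EOF

switch_nameservers "$SAMPLE" "$OUT"
echo "Before:"; list_nameservers "$SAMPLE"
echo "After:";  list_nameservers "$OUT"
uses_opendns "$OUT" && echo "resolv.conf now points at OpenDNS"
```

Once the output looks right, copy it over /etc/resolv.conf as root and run the flush command for your OS.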


  • KiltBear

    August 4th, 2008 12:51

    Howdy, I’ve been enjoying your site for a while. I was wondering why you are choosing to use OpenDNS rather than just having your own DNS server use Root Hints? I tried to ‘google’ for the advantages and disadvantage of one over the other, and what little information I find conflicts on which is actually faster for an enterprise.

    Thanks,
    AJ

  • Gary

    August 4th, 2008 13:50

    Hi KiltBear,

    That’s an excellent question!

    The main criteria for me is how well maintained the service will be. OpenDNS has an excellent track record, and since they specialize in maintaining a DNS service, I trust that they will find out about security holes and patch them faster than I could do it myself.

    In an enterprise context, that needs to be weighed against corporate policy, and whether the system administrators are likely to be able to notice and react to security issues in a sufficiently timely manner. Another thing to bear in mind is that if you’re prepared to sign up for a full account with OpenDNS, you’ll be able to do much of the filtering you might otherwise need to set up and maintain for yourself with company resources. So the only thing you should need to maintain onsite is a caching proxy server.

    Cheers,
    Gary

  • bob

    August 4th, 2008 21:56

    I love the DNS checker but I’m not too keen on OpenDNS. I hate the way they take my failed DNS requests and turn them into adverts. Also, I don’t trust them. I’m fairly confident that my ISP has better stuff to be doing than logging my DNS requests and using them to optimize, work out usage patterns to aid marketing, advertising etc. I’m fairly sure OpenDNS needs to be logging my DNS requests, looking for patterns etc, which I don’t want.

  • mixam

    August 4th, 2008 22:17

    Good short and sweet fix. I just discovered this site recently and only found good info for every OS preference you need.

    Good job.

  • woohoo

    August 5th, 2008 08:49

    @bob

    If I were you, I wouldn’t be so sure… somebody, somewhere is logging your requests anyway, be that you know or you don’t. Stop being so naive. I’ve been using OpenDNS for years now, with no problems whatsoever.

  • Ad Manager

    August 5th, 2008 14:37

    We have been using OpenDNS for quite some time. Is there a downloadable test for this DNS security hole?

  • Sawyer

    August 5th, 2008 15:10

    By the way,

    sudo lookupd -flushcache

    only works on OS X 10.4. The 10.5 Leopard equivalent is:

    dscacheutil -flushcache

    @Ad Manager: You can test your DNS by running the test on the right side of http://www.doxpara.com/?p=1176

  • Mojah

    August 5th, 2008 18:18

    If you’re working on a Linux machine, here’s a little “how to” to check your nameservers, as well as others. Kaminsky’s tool only allows you to check your current nameservers, but you can also check those of other providers, OpenDNS, your company’s nameservers, …

    http://www.mattiasgeniar.be/security/dns-poisoning-attack-how-safe-am-i/

