The internet has been ablaze with news about the Kaminsky DNS vulnerability over the last week or so, especially in light of some vendors’ taking their sweet time with supplying a fix.
Behind all the security technobabble, what this means for you is that if your ISP hasn’t applied the appropriate fixes to the DNS servers they set for you when you go online, then should you type
www.citibank.com into the address-bar of your browser, you might very well actually end up on a spoof site that looks exactly like the real thing, but which collects your username and password before forwarding your connection to the real site. That’s a serious problem in anyone’s book!
You can check whether the servers you’re calling have been fixed by clicking the Check My DNS button on Dan Kaminsky’s Site. If they come up short, you really should switch to an alternative DNS service. In many respects, using a free provider that specializes in DNS is more likely to also keep you safe from any future security problems than relying on your ISP — who has plenty of other things to maintain in addition to your DNS servers.
OpenDNS provides just such a service at no cost, and even though my ISP passes the Kaminsky test, I’ve already switched my whole network over to the OpenDNS servers by following these straight forward instructions, which boil down to changing all
/etc/resolv.conf nameserver lines to:
And then flushing any cached addresses on all computers you use for browsing. On Ubuntu, type the following into a terminal:
sudo /etc/init.d/networking restart
And the equivalent for Mac OS X:
sudo lookupd -flushcache
And Windows Vista: