[afnog] Big DNS vulnerability
Stephane Bortzmeyer
bortzmeyer at nic.fr
Wed Jul 23 08:19:42 UTC 2008
On Wed, Jul 09, 2008 at 11:05:46AM +0200,
Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote
a message of 28 lines which said:
> Executive summary: upgrade your recursive name servers ASAP.
The detailed announcement, which was scheduled for August 7th, has
been made in advance (by accident or by desire for fame):
http://beezari.livejournal.com/141796.html
As a result, every cracker on the planet now knows how to write an
exploit. So, we can expect actual uses of the vulnerability at any
moment. And it is a serious one.
> For BIND users (do note that several vendors who ship BIND already
> have the upgraded version, for instance Debian and Gentoo):
>
> http://www.isc.org/index.pl?/sw/bind/forgery-resilience.php
>
> For Microsoft users:
>
> http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspx
>
> For Cisco users:
>
> http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml
Patching is therefore now URGENT. According to this survey:
http://www.hackerfactor.com/blog/index.php?/archives/204-Poor-DNS.html
many big ISPs in the USA are STILL vulnerable (I do not know if someone
performed the same survey in Africa, but I suspect it will not be much
better).
Only one message: if not patched yet, PATCH NOW.
To test if the resolver is relatively secure, the best Web tool is:
https://www.dns-oarc.net/oarc/services/dnsentropy
and the best command-line tool is dig :-)
dig @X.Y.Z.T +short porttest.dns-oarc.net TXT
(See https://www.dns-oarc.net/oarc/services/porttest)
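The porttest check above rates a resolver by how widely it spreads the UDP source ports of the queries it sends out. The script below is an added example written for this thread, not code from the original post or from DNS-OARC: it computes the same kind of statistic offline from a list of source ports you captured yourself on an authoritative server you operate (for instance with tcpdump). The port lists in it are constructed, and the rating thresholds and the "sequential" heuristic are assumptions of this example, not the rules used by porttest.dns-oarc.net.

```python
"""Rate a recursive resolver's UDP source-port randomization from observed ports.

Added example for this thread (not code from the original post or from
DNS-OARC). Input: the source ports of queries a resolver sent to an
authoritative server you operate, in the order they were observed. The
sample lists below are constructed, and the rating thresholds are an
assumption of this example, not the ones used by porttest.dns-oarc.net.
"""
import math
import statistics
from collections import Counter

# Assumed threshold: below this standard deviation the ports are confined
# to a narrow band and remain easy to guess even though they are not fixed.
STDEV_POOR = 3000.0

# Constructed samples (26 queries each, roughly the size of a porttest run).
FIXED_PORTS = [53] * 26                     # classic pre-patch behaviour
SEQUENTIAL_PORTS = list(range(1024, 1050))  # incrementing ports, also guessable
RANDOMIZED_PORTS = [
    34012, 5123, 61077, 18840, 45901, 9932, 57234, 27110, 1499, 63221,
    38876, 12007, 50410, 22365, 6771, 59902, 30588, 41230, 15599, 64010,
    3305, 48770, 20944, 36111, 54321, 25000,
]


def port_stats(ports):
    """Return sample size, number of distinct ports, standard deviation and
    the Shannon entropy (bits) of the observed port distribution.

    The entropy of a sample is bounded by log2(len(ports)), so a 26-query
    sample shows at most about 4.7 bits even for a perfectly random 16-bit
    port choice: treat it as a lower bound, and capture more queries for a
    sharper estimate."""
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    n = len(ports)
    counts = Counter(ports)
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return {
        "queries": n,
        "distinct": len(counts),
        "stdev": statistics.pstdev(ports),
        "entropy_bits": entropy,
    }


def rate_resolver(ports):
    """Classify the resolver in the spirit of porttest: a fixed or predictable
    source port leaves only the 16-bit transaction ID standing between a
    forged reply and the cache."""
    stats = port_stats(ports)
    # Differences between consecutive observed ports: all zero means a fixed
    # port, a single non-zero value means a constant increment (assumed
    # heuristic for "sequential").
    steps = {b - a for a, b in zip(ports, ports[1:])}
    if steps == {0}:
        return "POOR: fixed source port"
    if len(steps) == 1:
        return "POOR: sequential source ports"
    if stats["stdev"] < STDEV_POOR:
        return "POOR: low spread"
    return "GOOD: randomized source ports"


def effective_guess_bits(ports):
    """Lower bound on the bits of unpredictability a forged reply must match:
    the 16-bit transaction ID plus the observed source-port entropy."""
    return 16 + port_stats(ports)["entropy_bits"]


if __name__ == "__main__":
    samples = [("fixed", FIXED_PORTS), ("sequential", SEQUENTIAL_PORTS),
               ("randomized", RANDOMIZED_PORTS)]
    for name, sample in samples:
        s = port_stats(sample)
        print(f"{name:11s} {rate_resolver(sample):32s} distinct={s['distinct']:2d} "
              f"stdev={s['stdev']:8.1f} guess_bits>={effective_guess_bits(sample):.1f}")
```

Feed it the real ports from your own capture instead of the constructed lists; a resolver that still shows one port, or a constant increment, after the upgrade has not actually picked up the fix (some vendors ship source-port randomization as a configuration option rather than a default, so check the resolver's configuration as well as its package version).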