[nsp-sec] A note from Dan Kaminsky, Researcher of the DNS issue, for ISPs
Zot O'Connor
zoto at microsoft.com
Tue Jul 22 04:48:06 EDT 2008
[Since I know several ISPs are on this list I am posting this here.
Please forward to all ISPs, but please remove any reference from me.
Thanks!]
Dan Kaminsky asked us to pass this note along.
Dear ISP:
As you have probably read, a large collection of DNS vendors, software publishers, and researchers have published an update to their DNS servers and clients. The details of the vulnerability have now been published, which means an exploit is more likely.
The root cause of the vulnerability is a lack of entropy (randomness if you will) in the UDP ports used by DNS. The updates randomize the ports that are used by DNS.
However, there is an issue (http://blogs.iss.net/archive/dnsnat.html) that some NAT devices undo the randomization of the ports and rewrite the ports as sequential numbers. This in effect re-introduces the vulnerability to customers. Many customers are behind these devices, and customers using a low-end device are far less likely to understand the issues compared to customers behind a more powerful router or firewall device. Obviously consumers are a likely group to be in this situation, but so are SOHOs and other small and medium business customers.
While the NAT device manufacturers evaluate the situation and determine what their response should be, there is one strong workaround. It involves setting up your DNS in the way described here: http://www.isc.org/sw/bind/docs/forwarding.php. This means that the customer is relying on the ISP's server to be updated.
Therefore I am urging all ISPs to make sure they update their servers, and encourage their users to update their systems.
For more information you can go to my research page: http://www.doxpara.com/
Dan Kaminsky
IO Active
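The note above says the fix is source-port randomization and that some NATs silently undo it. The only way to know which side of that line a given customer sits on is to look at the query source ports as they arrive on the Internet side of the NAT (for instance on the ISP's own resolver, where the forwarding workaround sends the queries anyway). The following is an added example, not part of the original post and not Kaminsky's or ISC's code: it pulls the source ports out of tcpdump-style capture lines and scores them for sequential allocation. The capture line format, the port lists and the thresholds are all constructed assumptions for the example.

```python
"""Score DNS query source ports, as seen outside a NAT, for randomization.

Added example. The capture lines and port lists below are constructed, not
real traffic, and the thresholds are assumptions chosen for illustration.
"""
import math
import re
from collections import Counter

# Assumed tcpdump-like line shape: "... IP <src>.<sport> > <dst>.53: ..."
# Adapt the pattern to whatever capture tool you actually use.
QUERY_RE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53:")

# Constructed ports a resolver might show through a NAT that preserves the
# randomized source port chosen by the patched resolver.
RANDOMIZED_PORTS = [53412, 1183, 60921, 23440, 7732, 49917, 31055, 12004,
                    58673, 40188, 2791, 65012, 19840, 36297, 9123, 50550]

# Constructed ports after a NAT rewrote them into a sequential series.
SEQUENTIAL_PORTS = list(range(1024, 1040))

# Constructed capture excerpt used only to exercise the parser.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.0.2.10.1024 > 198.51.100.1.53: 1+ A? a.example. (27)
12:00:01.000002 IP 192.0.2.10.1025 > 198.51.100.1.53: 2+ A? b.example. (27)
12:00:01.000003 IP 203.0.113.7.443 > 198.51.100.1.80: Flags [S], seq 1
12:00:01.000004 IP 192.0.2.10.1026 > 198.51.100.1.53: 3+ A? c.example. (27)
"""


def ports_from_capture(text, src=None):
    """Return the source ports of DNS queries (dst port 53) in capture text.

    If src is given, only queries from that address are kept, so one
    customer's NAT can be judged on its own.
    """
    ports = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m and (src is None or m.group("src") == src):
            ports.append(int(m.group("sport")))
    return ports


def sequential_fraction(ports):
    """Fraction of consecutive queries whose port is exactly previous + 1."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1)


def port_entropy_bits(ports):
    """Shannon entropy (bits) of the empirical port distribution.

    Catches heavy reuse of a few ports; it cannot by itself distinguish a
    sequence from random picks, because a sequence also has distinct values.
    """
    counts = Counter(ports)
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def port_span(ports):
    """Width of the range the observed ports fall in (max - min + 1)."""
    return max(ports) - min(ports) + 1 if ports else 0


def assess(ports, min_samples=8, seq_threshold=0.75, narrow_span=1024):
    """Classify the observed ports; thresholds are illustrative assumptions."""
    if len(ports) < min_samples:
        verdict = "insufficient"
    elif sequential_fraction(ports) >= seq_threshold:
        verdict = "sequential"       # NAT is rewriting ports predictably
    elif port_span(ports) < narrow_span:
        verdict = "narrow"           # few effective bits for an attacker to guess
    else:
        verdict = "randomized"
    return {
        "verdict": verdict,
        "samples": len(ports),
        "distinct": len(set(ports)),
        "sequential_fraction": round(sequential_fraction(ports), 3),
        "entropy_bits": round(port_entropy_bits(ports), 3),
        "span": port_span(ports),
    }


if __name__ == "__main__":
    print("parsed from capture:", ports_from_capture(SAMPLE_CAPTURE, "192.0.2.10"))
    print("randomized sample:", assess(RANDOMIZED_PORTS))
    print("sequential sample:", assess(SEQUENTIAL_PORTS))
```

The point to notice is that entropy alone is the same (4 bits) for both constructed samples, since each has sixteen distinct ports; what separates them is the +1 stepping and the narrow span, which is exactly what the NAT rewriting described above produces. Run the check on the side of the NAT facing the Internet, per customer address, and with enough queries that a short run of coincidental neighbours does not trip the threshold.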