DNS protocol vulnerability

Discussion in 'Computer Security' started by ffreeloader, Jul 10, 2008.

  1. NightWalker

    NightWalker Gigabyte Poster

    So I installed Suse Linux the other day and I was absolutely dumbfounded :ohmy It had a GUI that you could just point and click.... I was like WTF? I was expecting a black screen with just this:

    >_ (the underscore would be flashing)

    So it seems the uber elite have a GUI that requires a mouse and some kind of pointing and clicking to make it work..... I did find this box where you could type stuff in like commands. So Linux had a point and click thing with an optional box you could open to type in commands... seen that somewhere before?

    Maybe it was a one off, what would an uber L33T Linux user need with a point and click thing, so I got a Knoppix live CD off the net (lucky I could download it in Windows, for all I know it was some weird file type that needed you to enter binary commands to use). See Knoppix is like a whole operating system on a CD, only 700MB of space to use there is no way they would bother putting in useless point and click stuff.... loaded it up and WTF? absolutely dumbfounded again :ohmy point and click. I feel like I have been misled, ah well, wonder if Mac users have pointing and clicking, it's so last season :blink
     
    Certifications: A+, Network+, MCP, MCSA:M 2003, ITIL v3 Foundation
  2. Tinus1959

    Tinus1959 Gigabyte Poster

    No problem. Just send me your credit card number and PIN code. :twisted:
     
    Certifications: See my signature
    WIP: MCSD, MCAD, CCNA, CCNP
  3. fortch

    fortch Kilobyte Poster

    Well, this thing has tried to create its own drama, but actually has been responsibly handled (as opposed to normal internet chicken-little stuff). No, it's not just BIND, and a majority of the OEMs have fallen in line with patches. I've even checked the data center we're hosted in, and their servers are straight (they're a little flaky at times). Don't know about their recursion paths, though.

    A quick fix (apparently) is to turn your DNS forwarders to www.opendns.com -- not only is it a great free solution, they are pretty diligent, and handle their own recursion. Plus, I think they run the phishtank too, another noble effort.
     
    Certifications: A+,Net+,Sec+,MCSA:Sec,MCSE:Sec,mASE
  4. newkoba

    newkoba Byte Poster

    It is a serious threat, but it is easily patched. We've been patched now for a couple of weeks, but this site http://doxpara.com/ is handy to check your own and see if anything downstream from you is still vulnerable.

    Hope this helps someone.
     
    Certifications: Security + and CEH
    WIP: CWNA and CWSP
  5. ffreeloader

    ffreeloader Terabyte Poster

    As usual, my statements are being backed up by highly qualified people.

    Once again, if your DNS servers are behind NAT devices do NOT just rely on the patch. NAT devices do their own source port randomization, and it is far, far less than what the patches released do for randomization of source ports on DNS servers.

    Don't believe me? Like I said, read what other people highly involved in this process have to say.

    http://www.circleid.com/posts/87143_dns_not_a_guessing_game/

    Yeah, I get sarcastic, but I'm pretty much sick of the lackadaisical attitudes towards security that are expressed by the majority of Windows techs. You're so satisfied with the point-and-click environment that MS has created for you that looking beyond it doesn't enter most of your minds.

    Anyone trusting MS to look out for anybody but MS is clearly a few bricks short of a full load. Their entire history of behavior says they will not look out for you.

    Tell me, those of you who laughed me to scorn, how many of you had a first thought of wondering if the source port randomization from your DNS server would be affected by NAT? It was one of my first thoughts, and on another forum I brought up the subject on the same day the patches were released. We discussed it, and now it's being officially said that NAT completely screws up the efficacy of the patches. Whether or not it was the discussion I was involved in or not that brought this out I don't know, but I sure do stand vindicated. I was one of the first to realize that this was a major problem, and the first to be scorned for bringing it to your attention.

    Y'all can kiss my butt. I won't be offering any more help here.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
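
The NAT effect described in the post above, as an added example that is not part of the original thread: a check that rates how predictable a resolver's query source ports look from the upstream side of the NAT device (for instance in the query log of an authoritative server you operate). The function name, thresholds and port lists are assumptions constructed for illustration.

```python
# Added example, not from the thread. Thresholds and samples are assumptions.

def assess_source_ports(ports, min_samples=10):
    """Classify a time-ordered list of observed DNS query source ports."""
    if len(ports) < min_samples:
        return {"rating": "INSUFFICIENT", "distinct": len(set(ports))}
    distinct = len(set(ports))
    span = max(ports) - min(ports)
    # Port-to-port change, modulo 2**16 so a wrap past 65535 still counts.
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    # Share of queries whose port moved up by a small step: the signature
    # of a translator that hands out ports from a counter.
    small_steps = sum(1 for d in deltas if 0 < d <= 16) / len(deltas)
    if distinct == 1:
        rating = "FIXED"        # one source port for every query
    elif small_steps >= 0.8:
        rating = "SEQUENTIAL"   # randomization undone by the translator
    elif span < 4096:
        rating = "NARROW"       # small pool: under 12 bits of port space
    else:
        rating = "RANDOMIZED"   # coarse pass; more samples tighten it
    return {"rating": rating, "distinct": distinct, "span": span,
            "small_step_ratio": round(small_steps, 2)}

# Constructed samples: what an upstream server might log in each situation.
SAMPLES = {
    "patched, no NAT": [49231, 1873, 33012, 60544, 12007, 27719,
                        5512, 41190, 58803, 20466, 9031, 36650],
    "patched, counter NAT": [30001, 30002, 30004, 30005, 30006, 30008,
                             30009, 30010, 30012, 30013, 30014, 30015],
    "patched, small NAT pool": [2050, 2011, 2099, 2003, 2077, 2030,
                                2088, 2015, 2061, 2042, 2009, 2093],
    "fixed port": [53] * 12,
}

if __name__ == "__main__":
    for label, ports in SAMPLES.items():
        print(f"{label:24s} {assess_source_ports(ports)}")
```

The ports must be captured after translation, since that is the value an off-path spoofer has to guess; a capture taken on the resolver itself would show the patch working even when the NAT device flattens it.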
  6. Fergal1982

    Fergal1982 Petabyte Poster

    I'm sorry Freddie, but if that's your attitude, I for one don't need your help.

    Get down off your damn high horse, we're all just Human here. Of varying levels of technical ability. Sure, you may well be vindicated. So what? That doesn't give you the right to slag off everyone here just because they don't agree with you. Grow the hell up!

    Perhaps if you stopped laying into MS and MS techs with every damn post, people would listen more to the underlying messages that you are talking about.

    I've been patient with you up until now Freddie, but your attitude stinks. I don't give a flying monkey's if you prefer Linux over Windows. Nor do I care if you think Linux is the future or not. I don't care about any of it. And there's no denying your breadth of knowledge on a variety of subjects. Perhaps if you were just content to help people, regardless of what systems they choose to use, things might go better.

    Now put your damn toys back into the pram!
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  7. NightWalker

    NightWalker Gigabyte Poster

    Spot on. 8)
     
    Certifications: A+, Network+, MCP, MCSA:M 2003, ITIL v3 Foundation
  8. Crito

    Crito Banned

    Security is a process. Part of that process is evaluating risk. You just can't do that properly without full disclosure. If I'm not vulnerable (i.e. not connected to the internet but use DNS internally) or the value of what I'm protecting is zero, then all time, effort and money spent on plugging the hole is WASTED.

    RISK = ((Threat * Vulnerability) / Countermeasures) * Value

    If sheep want to follow security fascists around that's fine with me, just don't expect everyone else to become mindless automatons of the police state too.
     
    Certifications: A few
    WIP: none
  9. Sparky

    Sparky Zettabyte Poster Moderator

    Eh? WTF are you going on about? :blink

    Thought this was a security related post but now it's an anti-MS post, what a surprise!
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  10. Crito

    Crito Banned

    Yeah, I already hijacked this thread to spread my anti-fascist-police-state rhetoric! :ohmy No double hijacking! LOL :p
     
    Certifications: A few
    WIP: none
  11. Mr.Cheeks

    Mr.Cheeks 1st ever Gold Member! Gold Member

    People.
    Take it easy on Freddy - We all know he honestly means well!
    Freddy - Keep up the good work.
     
  12. panosd

    panosd Bit Poster

    What worries me is the possibility this is all conspiracy cooked up by the military. The WORLD military, man.

    It's just a lead-up to replacing DNS with something that very explicitly defines anyone using the internet. Not only that but it would be completely unmaskable and unable to work with a conventional anonymous proxy. It'd be like we all joined Facebook against our will!

    It's my conspiracy theory and I'm standing by it. Heh. Feed your head!
     
  13. nugget

    nugget Junior toady


    I take it that there were 80 other vendors involved with releasing patches, not just MS. So please tell me (because I really fail to see it) how it becomes completely MS's fault that the DNS protocol needs fixing.

    While you're at it, please explain to me how it's become MS's fault that NAT seems to reduce the effectiveness of the (81 vendors) patches. The way I see it now is that the problem has now shifted to hardware vendors producing routers and firewalls etc that sit on the perimeter of the company/home network providing NAT. Should I contact MS about the problem or the manufacturer of my firewall (who just happen to use embedded Linux systems in their products like most others)?


    It's not too surprising, considering that CF is a certification centric forum but once more you try to turn this to an effort for MS bashing (again).


    Once more turning into another MS bashing post.



    Can you point me to this. I would like to read it.




    I'm sure that if you ask nicely then freddy will lend you one of his tinfoil hats.
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  14. Crito

    Crito Banned

    Certifications: A few
    WIP: none
  15. Fergal1982

    Fergal1982 Petabyte Poster

    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  16. newkoba

    newkoba Byte Poster

    Yeah, Linus has some of the best quotes of all time, especially for a tech geek. But in all seriousness about that DNS is that it doesn't matter if you really patch yours, like plenty of people have, because if anyone downstream from you is not patched then they get taken and by that so do you. That's why this is such a big deal. One can affect many and so on. Crito is correct in saying that he has no need if his only DNS is internal, but if you're connecting to the net you'll be vulnerable to this DNS issue. As far as the MS bashing it is pointless, anything that utilizes DNS is vulnerable including all those cool Linux protocols...
     
    Certifications: Security + and CEH
    WIP: CWNA and CWSP
  17. newkoba

    newkoba Byte Poster

    Certifications: Security + and CEH
    WIP: CWNA and CWSP
  18. michael78

    michael78 Terabyte Poster

    Wow, missed this one. I'm a Windows Engineer and find Freddie's comments a little annoying to say the least. The reason most people use Windows is simply because most companies use Windows. You try installing Linux on people's PCs in a business environment and see it crash and burn as it would take millions to train people to use it where I work. This is also the same for servers. Microsoft certainly isn't perfect but everything works well together and the OS is easier to learn and use.
     
    Certifications: A+ | Network+ | Security+ | MCP | MCDST | MCTS: Hyper-V | MCTS: AD | MCTS: Exchange 2007 | MCTS: Windows 7 | MCSA: 2003 | ITIL Foundation v3 | CCA: Xenapp 5.0 | MCITP: Enterprise Desktop Administrator on Windows 7 | MCITP: Enterprise Desktop Support Technician on Windows 7
    WIP: Online SAN Overview, VCP in December 2011
