Earlier this month, a security disclosure regarding DNS was announced. At the same time this disclosure was made, numerous DNS hardware and software vendors released patches for their products. For many, the patches were applied automatically, but others were faced with making the conscious decision to apply the patches. The security disclosure states that there is a new DNS cache poisoning vulnerability. The disclosure tells people to immediately patch their DNS servers, but the disclosure doesn’t tell people exactly why it is such a scary problem.
Quite a PR circus has resulted from this partial disclosure. Some people fully embrace the fact that there is a problem, and others have ignored the advice given by DNS experts. The remainder of our post today is dedicated to separating fact from fiction, discussing what you should do to protect yourself, and informing you as to what we’ve done to protect you.
Fact from Fiction
The first and most important point of order is that the sky is not falling and that there is no vast DNS conspiracy afoot. Like any piece of software or protocol, there can be problems, but they can be patched. What is unique about this particular attack is that it exploited the DNS protocol itself. The DNS protocol has been around for 25 years (yes, since 1983) and has had its problems, but they’ve been fixed. That is exactly the case here.
From the US-CERT disclosure and other resources, we learned that security researcher Dan Kaminsky discovered an attack that poisons DNS caches. This left many of us scratching our heads, thinking, “DNS cache poisoning attacks have been around for a long time, why is this one so special?” Well, this one is special. It doesn’t really employ any new methods, but it significantly increases the speed and effectiveness of the attack through various DNS trickery. Our words of wisdom: believe the hype, patch your servers, and watch your DNS caches for poisoning attacks. This thing is very real, very effective, and as of a day ago, the cat is out of the bag.
What to Do
For the average Internet user, you need to do nothing. You’ve likely already received patches from your software vendor, whether it be Microsoft, Apple, or one of the many Linux groups. But for network operators, corporations, or individuals who run a recursive or caching name server, an upgrade to your DNS server software is required. Go find your Network / DNS Administrator and tell them about this; they need to know. They need to upgrade, or employ the use of a secure recursive DNS resolver. Dyn Recursive DNS service is a secure option.
To find out if you are affected by this attack, you can visit https://www.dns-oarc.net/oarc/services/dnsentropy
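As an added example (not part of the original post or of the DNS-OARC test), the following Python script checks the property that test measures: whether a resolver's outbound queries come from a fixed or sequential source port, or from randomized ports as the patched servers do. The (source_port, txid) observations below are constructed samples, not captured traffic.

```python
import math
import random
from collections import Counter


def entropy_bits(values):
    """Shannon entropy of the observed values, capped at log2(len(values))."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def rate_source_ports(observations, wide_spread=20000):
    """Rate the source-port randomness of a resolver's outbound queries.

    observations: (source_port, txid) tuples seen on queries the resolver
    sent to authoritative servers. A resolver that always uses one port, or
    steps it by a constant, leaves only the 16-bit TXID unpredictable; the
    post-disclosure patches add the port as a second randomized field.
    """
    if not observations:
        raise ValueError("need at least one observation")
    ports = [port for port, _ in observations]
    distinct = len(set(ports))
    steps = {b - a for a, b in zip(ports, ports[1:])}
    if distinct == 1 or len(steps) == 1:
        rating = "POOR"      # fixed port, or one that increments predictably
    elif distinct == len(ports) and max(ports) - min(ports) >= wide_spread:
        rating = "GREAT"     # no repeats, spread across a large port range
    else:
        rating = "GOOD"      # randomized but with repeats or a narrow range
    details = {"distinct_ports": distinct,
               "port_entropy_bits": round(entropy_bits(ports), 2)}
    return rating, details


# Constructed samples (not captured traffic). TXIDs are random in all three;
# only the source-port behaviour differs between them.
_rng = random.Random(2008)
TXIDS = [_rng.randrange(65536) for _ in range(64)]
FIXED_PORT = [(53, t) for t in TXIDS]                      # single port for every query
SEQUENTIAL = [(1024 + i, t) for i, t in enumerate(TXIDS)]  # port steps by one
RANDOMIZED = list(zip(_rng.sample(range(1024, 65536), 64), TXIDS))  # patched behaviour

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORT), ("sequential", SEQUENTIAL),
                         ("randomized", RANDOMIZED)):
        print(name, *rate_source_ports(sample))
```

To run it against a real resolver, replace the constructed lists with port/TXID pairs pulled from a packet capture of the resolver's outbound queries.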
How We Were Affected
We run ISC's BIND DNS server software for our service, so we were affected. However, we regularly monitor multiple security lists and found out about the vulnerability on day one. When new advisories and disclosures are released, we review them and take appropriate action immediately. In this case, we identified that our internal recursive resolvers and our Dyn Recursive DNS resolvers could be vulnerable. We tested our Dyn Recursive DNS service and discovered that we were vulnerable to this specialized attack. So, we went to ISC for the patch, reviewed it, tested it, and applied it. We then tested our service again, and found that we are now protected. Following that, we patched all of our internal recursive resolvers.
Remember that nearly every piece of DNS server software was impacted. We’d like to politely remind everyone that BIND is no more or less secure than any DNS server software, although others may say differently. This exploit was related to the 25 year old DNS protocol itself, and not any one implementation of DNS server software.
The good news for BIND is that many people (greater than 50%) use it to run their recursive DNS resolvers. This means that many eyes are watching it, including its author, Paul Vixie, and the team over at ISC. The ISC folks saw the problem, analyzed it, and built the patch. We’d like to commend them for getting this done so quickly.
Most Internet operators are taking this issue seriously, so there is really nothing to worry about. If you operate a resolver or caching name server, upgrade it. If you have any questions about how this might affect your service with us or the steps we took to address this issue, please feel free to contact us at 603-668-4998.