New Vulnerability in DNS Servers?

Started by Thorin, July 27, 2008, 01:10:45 PM


Thorin

A new vulnerability on DNS servers was found a few months ago, and was detailed recently.  This was actually a scary read: http://www.doxpara.com/

Quote
Before the attack:  A bad guy has a one in sixty five thousand chance of stealing your Internet connection, but he can only try once every couple of hours.

After the attack:  A bad guy has a one in sixty five thousand chance of stealing your Internet connection, and he can try a couple thousand times a second.

After the patch: A bad guy has a one in a couple hundred million, or even a couple billion chance of stealing your Internet connection.  He can still try to do so a couple thousand times a second, but it's going to make a lot of noise.

Basically, the new attack compromises automatically-trusted "in-bailiwick" servers...
Prayin' for a 20!

gcc thorin.c -pedantic -o Thorin
compile successful

Tom

Yeah, it's a nasty bug, and it's not specific to one code base but to MOST DNS servers, since it's a design flaw in the DNS protocol itself.

The .org registrar is switching to DNSSEC, which will close all sorts of DNS flaws, at least when using the .org namespace.

My firewall's DNS server was susceptible, but an "apt-get update && apt-get upgrade" fixed it :) (I use a local bind9 service, so I don't have to rely on Shaw's crappy DNS or "OpenDNS", which can be annoying when it rewrites results).

If you want to check yours, click the check dns button on that doxpara page :)
<Zapata Prime> I smell Stanley... And he smells good!!!

Lazybones

Unless they updated the test, all it does is check if your DNS is on a random port; there is much more to it than that. Our firewall fails the test but is not vulnerable due to its specific implementation.
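To make Lazybones' point concrete, here is an added example (written for this thread, not code from doxpara or from any of the posters) that does the same thing the online test does, but locally and with the limitation stated up front: it looks only at the UDP source ports a resolver used for its outbound queries and reports whether they look fixed, sequential, or randomised. It assumes you already have `tcpdump -n` output of the resolver's queries to port 53; the capture lines below are constructed inline so the script runs offline. A "FIXED" or "SEQUENTIAL" verdict means the port dimension adds nothing to the 16-bit transaction ID, while "RANDOM-LOOKING" says nothing about whether the resolver is safe for other reasons, exactly the gap Lazybones describes.

```python
import math
import re
from collections import Counter

# Matches the source port in a "tcpdump -n" line such as
# "12:00:00.000000 IP 192.0.2.10.53011 > 198.51.100.1.53: 4321+ A? example.com. (29)"
PORT_RE = re.compile(r"\bIP \S+?\.(\d{1,5}) > \S+?\.53:")


def make_capture(ports):
    """Build constructed tcpdump-style lines for a list of source ports.
    Addresses, timestamps and query IDs are made up for this example."""
    return [
        f"12:00:{i:02d}.000000 IP 192.0.2.10.{p} > 198.51.100.1.53: "
        f"{1000 + i}+ A? example.com. (29)"
        for i, p in enumerate(ports)
    ]


# Three constructed resolver behaviours (hypothetical, not from a real host).
FIXED_PORTS = [53] * 20                       # always queries from port 53
SEQUENTIAL_PORTS = list(range(32768, 32788))  # one port up per query
RANDOM_PORTS = [53011, 18233, 61790, 2054, 40917, 29386, 9071, 57462, 33628,
                14905, 62240, 7719, 45183, 21096, 58874, 3642, 36410, 50377,
                12858, 27519]

CAPTURE_FIXED = make_capture(FIXED_PORTS)
CAPTURE_SEQUENTIAL = make_capture(SEQUENTIAL_PORTS)
CAPTURE_RANDOM = make_capture(RANDOM_PORTS)


def extract_source_ports(lines):
    """Pull the UDP source port out of every line that is a query to port 53."""
    ports = []
    for line in lines:
        m = PORT_RE.search(line)
        if m:
            ports.append(int(m.group(1)))
    return ports


def shannon_entropy_bits(values):
    """Empirical entropy of the observed values, in bits."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess_source_ports(ports):
    """Classify the port pattern. Verdict is about port randomisation only;
    it is not a statement that the resolver is (or is not) vulnerable."""
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    distinct = len(set(ports))
    entropy = shannon_entropy_bits(ports)
    steps = [b - a for a, b in zip(ports, ports[1:])]
    # Share of consecutive queries whose ports differ by exactly one.
    sequential_fraction = sum(1 for s in steps if abs(s) == 1) / len(steps)
    if distinct == 1:
        verdict = "FIXED"
    elif sequential_fraction > 0.5:
        verdict = "SEQUENTIAL"
    elif distinct / len(ports) >= 0.9:
        verdict = "RANDOM-LOOKING"
    else:
        verdict = "WEAK"
    return {
        "verdict": verdict,
        "distinct": distinct,
        "entropy_bits": round(entropy, 2),
        "sequential_fraction": round(sequential_fraction, 2),
    }


if __name__ == "__main__":
    for name, capture in (("fixed", CAPTURE_FIXED),
                          ("sequential", CAPTURE_SEQUENTIAL),
                          ("random", CAPTURE_RANDOM)):
        print(name, assess_source_ports(extract_source_ports(capture)))
```

In practice you would feed the script a capture of your own resolver taken with `tcpdump -n udp dst port 53` while it is busy; twenty queries is enough to separate the three patterns above, but a resolver that picks from a small pool will only show up as "WEAK" once you have more samples than the pool has ports.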

Tom

Probably because it uses djb; it's one of the only "normal" DNS servers that isn't affected (the implementer worked around the problem a while back).
<Zapata Prime> I smell Stanley... And he smells good!!!