Domain Name System (DNS) under attack

For some time now there have been rumblings about some basic flaws in DNS that could allow hackers to do a lot of damage and the situation has now gotten worse. I have previously refrained from posting about it because it is somewhat arcane and there is no easy way for the average PC user to do much about it. It is a problem that the various Internet service providers (ISPs) should be attending to. (But see a possible solution at the end of this post.)

Here’s a brief explanation of what is involved. When you enter something like “www.microsoft.com” into your browser, you are not entering the real Internet address of Microsoft. Actual Internet addresses are numbers (IP addresses), and the names that we humans use are for convenience since they are much easier to remember than a bunch of numbers. Thus when your browser needs to reach “www.microsoft.com”, the name has to be translated into the actual numerical address. Your computer asks a server at your ISP to do this; that server (a recursive domain name server, or resolver) queries the servers responsible for the name, then remembers the answer in a cache so it can hand it straight back to the next customer who asks. All ISPs run such servers, and every customer of an ISP normally relies on the same few of them.

Unfortunately, it was discovered that there are bad security flaws in the way that DNS works. A resolver matches the replies it receives to the questions it asked using only two values: the port number it sent the question from and a 16-bit transaction ID. If an attacker can guess both, a forged reply is accepted and a false address is stored in the resolver’s cache (“cache poisoning”), after which every customer of that ISP who asks for the name is sent to the attacker’s machine instead of the real one. The patches make forged replies far harder to pull off by randomizing the source port of each query instead of reusing a fixed one. ISPs have been urged to fix their servers for some time, but the process is not trivial and there are fears that many domain name servers remain unpatched. The New York Times describes the problem:

Hackers have released software that exploits a recently disclosed flaw in the Domain Name System (DNS) software used to route messages between computers on the Internet.
The attack code was released Wednesday by developers of the Metasploit hacking toolkit.

Internet security experts warn that this code may give criminals a way to launch virtually undetectable phishing attacks against Internet users whose service providers have not installed the latest DNS server patches.

Check with your ISP to make sure that it has updated the DNS servers. You can also run a check at this link to see if your DNS is patched. This site belongs to Dan Kaminsky who was the discoverer of the DNS problem. He has news on his site of recent developments. [Added Friday: Kaminsky's site seems to be very erratic, probably due to very heavy traffic.]
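As an added illustration, not code from the original post or from Kaminsky’s checker, the Python below builds the wire form of the query described earlier, shows that the port number and transaction ID are all a resolver uses to match a reply, and derives the kind of verdict a “are you patched” check produces from the source ports it observes. The sample observations are constructed with a seeded random generator, not captured from a real resolver.

```python
import random
import struct

# --- the query itself ---------------------------------------------------

def encode_name(name: str) -> bytes:
    """Encode 'www.microsoft.com' as DNS labels: \\x03www\\x09microsoft\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, txid: int) -> bytes:
    """A standard recursive A query: RFC 1035 header plus one question."""
    # header: ID, flags (RD set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", txid & 0xFFFF, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question

# --- what a resolver checks before trusting a reply ---------------------

def reply_accepted(query_port: int, query_txid: int,
                   reply_port: int, reply_txid: int) -> bool:
    """Classic UDP resolvers accept a reply that hits the query's source port
    and carries the query's transaction ID; nothing else authenticates it."""
    return query_port == reply_port and query_txid == reply_txid

def guess_probability(port_space: int, txid_space: int = 65536) -> float:
    """Chance that a single forged reply matches one outstanding query.
    port_space == 1 models a resolver that always sends from the same port."""
    return 1.0 / (port_space * txid_space)

# --- what a patch check looks at ----------------------------------------

def analyse_samples(samples):
    """samples: (source_port, txid) pairs seen on a resolver's outbound queries.
    Returns (distinct_ports, distinct_txids, verdict)."""
    ports = {p for p, _ in samples}
    txids = {t for _, t in samples}
    if len(ports) == 1:
        verdict = "fixed source port: vulnerable"
    elif len(ports) < len(samples) // 2:
        verdict = "poorly randomised source ports: weak"
    else:
        verdict = "randomised source ports: patched"
    return len(ports), len(txids), verdict

# Constructed observations (seeded, so the example is reproducible).
_rng = random.Random(1234)
UNPATCHED_SAMPLES = [(53, _rng.randrange(65536)) for _ in range(20)]
PATCHED_SAMPLES = [(_rng.randrange(1024, 65536), _rng.randrange(65536))
                   for _ in range(20)]

if __name__ == "__main__":
    q = build_query("www.microsoft.com", 0x1234)
    print("query bytes:", q.hex())
    print("forgery odds, fixed port:     1 in", int(1 / guess_probability(1)))
    print("forgery odds, 64512 ports:    1 in", int(1 / guess_probability(64512)))
    for label, s in (("unpatched", UNPATCHED_SAMPLES), ("patched", PATCHED_SAMPLES)):
        print(label, analyse_samples(s))
```

The point the numbers make: with a fixed source port an attacker who floods forged replies needs to guess only the 16-bit ID, which is cheap on a fast link; with randomised ports the guess space grows by roughly 64,000, which is why the patch check cares about the ports it sees rather than the IDs.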

In fact, you do not have to use the DNS servers from your ISP but can switch to any other resolver that accepts queries from you. If you are using a router, it is fairly easy to change the DNS servers it hands out to the machines behind it. The exact details depend on your particular router. Whichever resolver you choose, it is that resolver that has to be patched, not your own PC, because the cache being poisoned lives on the resolver. One well-known free service is OpenDNS. I became dissatisfied with the responsiveness of Verizon’s DNS long ago and have been happily using OpenDNS for some time. This service has applied the security patches.

