| ActiveMac | Anonymous | Create a User | Reviews | News | Forums | Advertise |
|
|
|
User Controls |
|
New User |
|
Login |
|
Edit/View My Profile |
|
|
|
|
|
|
|
ActiveMac |
|
Articles |
|
Forums |
|
Links |
|
News |
|
News Search |
|
Reviews |
|
|
|
|
|
|
|
News Centers |
|
Windows/Microsoft |
|
DVD |
|
ActiveHardware |
|
Xbox |
|
MaINTosh |
|
News Search |
|
|
|
|
|
|
|
ANet Chats |
|
The Lobby |
|
Special Events Room |
|
Developer's Lounge |
|
XBox Chat |
|
|
|
|
|
|
|
FAQ's |
|
Windows 98/98 SE |
|
Windows 2000 |
|
Windows Me |
|
Windows "Whistler" XP |
|
Windows CE |
|
Internet Explorer 6 |
|
Internet Explorer 5 |
|
Xbox |
|
DirectX |
|
DVD's |
|
|
|
|
|
|
|
TopTechTips |
|
Registry Tips |
|
Windows 95/98 |
|
Windows 2000 |
|
Internet Explorer 4 |
|
Internet Explorer 5 |
|
Windows NT Tips |
|
Program Tips |
|
Easter Eggs |
|
Hardware |
|
DVD |
|
|
|
|
|
|
|
Latest Reviews |
|
Applications |
|
Microsoft Windows XP Professional |
|
Norton SystemWorks 2002 |
|
|
|
Hardware |
|
Intel Personal Audio Player 3000 |
|
Microsoft Wireless IntelliMouse Explorer |
|
|
|
|
|
|
|
Site News/Info |
|
About This Site |
|
Affiliates |
|
ANet Forums |
|
Contact Us |
|
Default Home Page |
|
Link To Us |
|
Links |
|
Member Pages |
|
Site Search |
|
Awards |
|
|
|
|
|
|
|
Credits |
 |
Details on DNS flaw inadvertently leaked; researcher says patch now | |
|
||
| Time: 00:04 EST/05:04 GMT | News Source: BetaNews | Posted By: Kenneth van Surksum | ||
|
The cat is out of the bag before Black Hat. That isn't a passage from a Dr. Seuss children's book, but a description of what happened on Monday when a Web site accidentally posted details about a DNS flaw uncovered by security researcher Dan Kaminsky earlier this month.
| ||
|
Write Comment
Return to News |
Displaying 1 through 25 of 210 Last | Next |
The time now is
6:41:50 PM
ET.
Any comment problems? E-mail us |
| #1 By 23275 (68.186.182.236) at 7/23/2008 4:59:04 AM |
|
Well... this cat is out of the bag.
AD DNS operators that do not have recursion enabled, and do not face the public Internet relax - you had a patch a good bit ago (along with most other DNS types). This applies most to operators of "Host Named" DNS servers like our own .41 and .42 that are authoritative delegates for assigned address spaces (forward and reverse delegate authorities) and that do have recursion enabled - simply, open to the public networks. Patching is not enough. "IF" your host named DNS server "WAS" behind a NAT and your firewall manufacturer does not have a work-around, or a patch, the NAT device itself can leave the Host Named DNS vulnerable. You'll have to move your Host Named DNS servers into the DMZ and in front of a NAT device, or the device itself will return patterned, or predictable port numbers and make vulnerable an otherwise patched DNS server. It's a mess now, but happily, people have been cooperating for many months and patches are available. However, architectural changes have to be made in many cases. If you have not patched, do so now. If your Host Named DNS with Recursion Enabled is behind a NAT, move it to the DMZ. |
| #2 By 54556 (67.131.75.22) at 7/23/2008 11:34:12 AM |
| Good point Llyod. Its a pity that the BetaNews coverage was not complete enough to point out the NAT implications to the workarounds that are being distribeduted as patches. |
| #3 By 23275 (68.186.182.236) at 7/23/2008 12:54:51 PM |
|
#2, Yes, it was/is potentially very confusing for people. Our own case is representative of what can happen. When I first discussed this with our team, the immediate reply was, "we're patched up and god to go"
That didn't seem right to me - as we had an edge firewall ahead of our split DNS Authoritative Host Named DNS Servers). I ordered more tests and sure enough, returns from behind the NAT device, regardless of one to one publishing rules (e.g., no proxy at all, but a straight pass-through), reflected unique TXT ID's; however, the ports being assigned by the NAT were sequential (bad news). So we had to plan to move things and not use NAT to protect the D-DNS servers. We tested again and both ports and TXT ID's were random (as they should be). BTW, I should have provided this test link in my first post, http://www.doxpara.com there is a check my DNS button - for all users/public host named DNS operators with recursion enabled, please ensure that your systems return no discernable patterns. |
| #4 By 9589 (76.6.29.196) at 7/23/2008 3:49:51 PM |
|
Lloyd, thank you for including the web site above in your discussion.
jdh |
| #5 By 9589 (76.6.29.196) at 7/23/2008 3:50:18 PM |
|
Double post . . . This post was edited by jdhawk on Wednesday, July 23, 2008 at 15:50. |
| #6 By 868449 (27.159.217.201) at 12/12/2012 1:53:11 AM |
|
The next time I read a blog, I hope that it doesnt disappoint me as a lot as this 1. I mean, I know it was my choice to read, but I really thought youd have something interesting to say. All I hear is actually a bunch of whining about some thing which you could fix for those who werent too busy seeking for attention.
<a href=http://www.discount-airjordans.com/air-jordan-fusion-c-118.html>mens cheapest jordans</a> <a href=http://www.freerunning3.com/nike-free-5-0/>billig Nike Free 5.0</a> |
| #7 By 958801 (200.84.73.101) at 12/18/2012 2:48:37 PM |
|
I discovered your weblog web site on google and check a couple of of your early posts. Continue to maintain up the rather great operate. I just additional up your RSS feed to my MSN News Reader. Looking for forward to reading additional from you later on!
<a href=http://jerseys205.66ghz.com/>Youth NFL Jerseys</a> |
|
Write Comment
Return to News |
Displaying 1 through 25 of 210 Last | Next |
The time now is
6:41:50 PM
ET.
Any comment problems? E-mail us |
