This week it was announced that one of the core protocols that holds the internet together is fundamentally flawed. The problem is not with someone’s implementation of the protocol, but with the actual protocol itself. It’s hard to over-state just how big a deal this is. At the moment the details of the vulnerability are being kept secret to give the world time to patch, but you can get some technical information from the advisory issued by the US Cert. On Tuesday all the major DNS server vendors released patches at the same time. This is un-heard of, nothing like this has ever happened before in the history of the internet. That alone should bring home just how big this is.
Although the good-guys have successfully kept the details of the flaw secret to date, despite the large numbers of organisations involved, the reality is that the bad guys are frantically trying to figure this out as I type. It’s not a matter of if they’ll figure it out, but when. The security community have bought us time. That time should not be squandered, but used to protect the internet as a whole, and to protect ourselves.
Before going any further I should probably explain what DNS is, what it does, and what it would mean for you if your DNS server got compromised. The name DNS stands for Domain Name Service. The Internet is a collection of computer equipment that’s interconnected to form a global network. This network runs off a set of computer protocols called TCP/IP. Getting information from one point to another is not a simple matter at all, and to make it possible a complex but not very human friendly addressing scheme is used. IP addresses, network addresses, and netmasks don’t mean anything to anyone but sysadmins, network engineers, and computer scientists. We humans deal with nice Englishy addressing schemes like URLs and email addresses.
firstname.lastname@example.org mean a lot more to us than
188.8.131.52. What DNS does is provide a mechanism for translating between human-freindly URLs and email addresses, and computer-friendly IP addresses like the two sets of numbers above. Without DNS humans can’t use the Internet!
Each time your computer sends or receives information across the Internet using a hostname, URL, or email address your computer uses your DNS server to figure out what IP address it needs to strike up a conversation with. If an attacker manages to corrupt your DNS server so that it gives back the wrong answer then they can do you a lot of harm. At the very least they can knock you off-line, but that’s by no-where near the worst of it. They can spy on your traffic, they can read your email, and they can even insert false information into the webpages you view or the emails you send and receive. A compromised DNS server leaves you wide open to phising attacks, by returning the wrong IP address for a URL the attackers can send you to their servers instead of those you’re trying to contact. What’s worse is that your address bar will read the correct URL despite the fact that you’re at a phising site! The bottom line is that if you want to defraud someone or break into their network, then controlling their DNS is a great way to start, it opens up so many possibilities!
OK, now that the magnitude of the problem has sunk in, or at least it should have if I’m any good at this, what can you do to protect yourself?
At home you probably rely on your ISP for DNS services. You now have to ask yourself the question, do you trust your ISP to do the right thing and patch quickly? In Ireland I’d suggest ‘no’ would be a wise response in many cases, and the same is probably true for many other countries. If you do trust your ISP then you’re mostly good to go for now. If not then it’s time to remove your ISP from your DNS world! There is no reason that you have to use your ISP’s DNS server. It’s probably easiest to do so, but you can use any DNS server you want. A fantastic option is to use OpenDNS which is a free service that is known not to be vulnerable to this flaw. In fact, they were never vulnerable because they run an insanely highly secured custom version of DNS that has been going above and beyond the call of duty for ages with regard to security.
The normal DNS setup at home is that your broadband router is set up as a DNS cache which contacts your ISP’s DNS servers for lookups, while the machines on your home network are configured to contact your router with DNS queries. In this case the simplest thing to do is to configure your router to use the OpenDNS servers rather than your ISP’s DNS servers. The other alternative is to configure each machine on your home network to talk directly to the OpenDNS servers, but that’s more complicated and less efficient.
Now, I did say that if you trust your ISP you’re MOSTLY off the hook. There’s a little bit more to do still, but you may not be able to do it just yet. Because DNS servers are the most critical point in the system, those are being patched first. There is also a minor threat against individual machines if they have direct internet connections (i.e. are not behind a NAT Router or similar). Microsoft have released a patch for Windows users, but Apple have not yet released one for Mac users. If you’re on Windows you’d be as well to patch now so it’s done before you forget about it. The fix was part of this week’s Windows Update patches.
At work this is one for corporate IT to fix. If you’re in management, or just worried about this, now would be a good time to ask your IT department whether or not they’re on top of this. This is actually a good test of your corporate IT department, if they don’t know about this then your organisation has a serious problem! At work we were patched well within 24 hours of the announcement. Had it not come out at 8pm local time we would have been patched even quicker. Remember, DNS is critical to your business’s operation and security, leaving this flaw un-patched is just asking for trouble!
We have not seen the last of this. The current push is for server updates, but there will be client updates too, and those will also have be applied as soon as possible. This vulnerability is likely to go down in history as a major event in the evolution of the internet, and in the development of the security industry. This is up there with the Red Alert and Blaster Worms.