# Is your DNS Safe from Vulnerabilities? Check here!



## DNA_Uncut

QUOTE:

SAN FRANCISCO (AFP) - Computer industry heavyweights are hustling to fix a flaw in the foundation of the Internet that would let hackers control traffic on the World Wide Web.

Major software and hardware makers worked in secret for months to create a software "patch" released on Tuesday to repair the problem, which is in the way computers are routed to web page addresses.

"It's a very fundamental issue with how the entire addressing scheme of the Internet works," Securosis analyst Rich Mogul said in a media conference call.

"You'd have the Internet, but it wouldn't be the Internet you expect. (Hackers) would control everything."

The flaw would be a boon for "phishing" cons that involve leading people to imitation web pages of businesses such as bank or credit card companies to trick them into disclosing account numbers, passwords and other information.

Attackers could use the vulnerability to route Internet users wherever they wanted no matter what website address is typed into a web browser.

Security researcher Dan Kaminsky of IOActive stumbled upon the Domain Name System (DNS) vulnerability about six months ago and reached out to industry giants including Microsoft, Sun and Cisco to collaborate on a solution.

DNS is used by every computer that links to the Internet and works similarly to a telephone system routing calls to proper numbers, in this case the online numerical addresses of websites.

On Tuesday the US Computer Emergency Readiness Team (CERT), a joint government-private sector security partnership, issued a warning to underscore the seriousness of so-called DNS "cache poisoning attacks" the vulnerability could allow.

"An attacker with the ability to conduct a successful cache poisoning attack can cause a nameserver's clients to contact the incorrect, and possibly malicious, hosts for particular services," CERT said.

"Consequently, web traffic, email, and other important network data can be redirected to systems under the attacker's control."

"People should be concerned but they should not be panicking," Kaminsky said. "We have bought you as much time as possible to test and apply the patch. Something of this scale has not happened before."

http://news.yahoo.com/s/afp/usitinternetsoftwarecrime

Kaminsky built a web page, www.doxpara.com, where people can find out whether their computers have the DNS vulnerability.

I'm using OpenDNS


> Your name server, at 208.67.xxx.xx, appears to be safe.


----------



## MikeSwim07

Mine says it's vulnerable. What do I do?


----------



## JohnWill

Contact your ISP, since they're the ones that manage your DNS for any home user.


----------



## tomdkat

Looks like the DNS I use with Comcast passed as well:



> Your name server, at Sat Jul 12 01:49:13 2008, appears to be safe, but make sure the ports listed below aren't following an obvious pattern.


:up:

Peace...


----------



## Jack1000

I passed also.

Jack


----------



## MikeSwim07

Now mine is safe, without even contacting the ISP. I guess they fixed it on their own.


----------



## Cookiegal

This vulnerability was patched by the updates released last Tuesday so that would be why it didn't pass and then it did.


----------



## MikeSwim07

Ohh, thanks Cookiegal.


----------



## Cookiegal

You're welcome.


----------



## grandma77

I have comcast and this is what it said:

> Your name server, at 68.87.64.147, may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 329.
> Please talk to your firewall or gateway vendor -- all are working on patches, mitigations, and workarounds.

I have Comodo firewall...is it doing something wrong? Is there something I need to do? Remember I am kind of computer illiterate so I have no idea what this means.

I tried it again after about 10 minutes and this is the message I received:

> Your name server, at 68.87.64.149, appears to be safe,
> but make sure the ports listed below aren't following an obvious pattern.
> --------------------------------------------------------------------------------
> Requests seen for 3797ba1e70a4.toorrr.com:
> 68.87.64.149:18064 TXID=23250
> 68.87.64.149:18260 TXID=18362
> 68.87.64.149:17514 TXID=17351
> 68.87.64.149:18248 TXID=31111
> 68.87.64.149:17759 TXID=9375

I wouldn't know if there was a pattern or not...how would I find that out???


----------



## Cookiegal

Are you using Comodo's default settings?

Try disabling Comodo and turning the Windows firewall back on and take the test again to see what the result will be.


----------



## grandma77

I disabled Comodo and turned on Windows Firewall as you suggested and here are the results from that test.

> Your name server, at 68.87.64.148, may be safe, but the NAT/Firewall in front of it
> appears to be interfering with its port selection policy. The difference between largest port
> and smallest port was only 445.
> Please talk to your firewall or gateway vendor -- all are working on patches, mitigations,
> and workarounds

Looks like it is doing the same thing as Comodo but the difference is a little larger.

I checked again about 5 minutes later and I got this response:

> Your name server, at 68.87.64.149, appears to be safe,
> but make sure the ports listed below aren't following an obvious pattern.
> --------------------------------------------------------------------------------
> Requests seen for ad8313f86ac0.toorrr.com:
> 68.87.64.149:18331 TXID=46880
> 68.87.64.149:17791 TXID=11993
> 68.87.64.149:18296 TXID=21144
> 68.87.64.149:18056 TXID=47654
> 68.87.64.149:17555 TXID=35755


----------



## Cookiegal

I don't know what to make of that. I'll see if JohnWill can shed some light on it for us.


----------



## grandma77

I did this check with CheckDNS.NET for Comcast.net and these were the results...

> CheckDNS.NET is asking root servers about authoritative NS for domain
> Got DNS list for 'comcast.net' from a.gtld-servers.net
> Found NS record: dns101.comcast.net[68.87.64.204], was resolved to
> IP address by a.gtld-servers.net
> Found NS record: dns102.comcast.net[68.87.66.204], was resolved to
> IP address by a.gtld-servers.net
> Domain has 2 DNS server(s)
>
> CheckDNS.NET is verifying if NS are alive
> DNS server dns101.comcast.net[68.87.64.204] is alive and authoritative
> for domain comcast.net
> DNS server dns102.comcast.net[68.87.66.204] is alive and authoritative
> for domain comcast.net
> 2 server(s) are alive
>
> CheckDNS.NET checks if all NS have the same version
> All 2 your servers have the same zone version 2007111842
>
> CheckDNS.NET verifies www servers
> DNS round-robing with multiple web servers detected
> Checking HTTP server www.comcast.net [80.228.31.24]
> HTTP server www.comcast.net[80.228.31.24] answers on port 80
> Received: HTTP/1.1 200 OK . Comcast.net Home. . .
> Checking HTTP server www.comcast.net [80.228.31.23]
> HTTP server www.comcast.net[80.228.31.23] answers on port 80
> Received: HTTP/1.1 200 OK . Comcast.net Home. . .
>
> CheckDNS.NET tests mail-servers
> Domain comcast.net has 2 mail-servers.
> Checking mail server (PRI=5) mx1.comcast.net [76.96.62.116]
> Mail server mx1.comcast.net[76.96.62.116] answers on port 25
> <<< 554 IMTA14.westchester.pa.mail.comcast.net comcast 195.60.98.252 Comcast requires that all mail servers must have a PTR record with a valid Reverse DNS entry. Currently your mail server does not fill that requirement. For more information, refer to: http://www.comcast.net/help/faq/index.jsp?faq=SecurityMail_Policy18784
> --While speaking to mx1.comcast.net [76.96.62.116] received status 554 instead of 220
> Checking mail server (PRI=5) mx2.comcast.net [76.96.30.116]
> Mail server mx2.comcast.net[76.96.30.116] answers on port 25
> <<< 554 IMTA23.emeryville.ca.mail.comcast.net comcast 195.60.98.252 Comcast requires that all mail servers must have a PTR record with a valid Reverse DNS entry. Currently your mail server does not fill that requirement. For more information, refer to: http://www.comcast.net/help/faq/index.jsp?faq=SecurityMail_Policy18784
> --While speaking to mx2.comcast.net [76.96.30.116] received status 554 instead of 220
> --Some of your MX do not work properly

It is all confusing to me but it makes it look like there is some kind of problem with comcast mail...am I looking at it right? Do I send this to comcast to let them know?


----------



## tomdkat

grandma77 said:

> I have comcast and this is what it said:
>
> Your name server, at 68.87.64.147, may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 329.
> Please talk to your firewall or gateway vendor -- all are working on patches, mitigations, and workarounds.

grandma77 said:

> I did this check with DNS.NET for Comcast.net and these were the results...

I'm also a Comcast Internet service customer and I got the same results as you. I'm running on Linux with no firewall configured on the machine and whatever firewall is in the Netgear WGR614 v7 wireless router I'm using.

Peace...


----------



## JohnWill

It's not a problem. Those ports don't follow an obvious pattern, at least to me. The only way to test this and not get ambiguous results is to eliminate the router from the connection. Here's what I get with Verizon.

> Your name server, at 71.242.0.38, may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 47.
>
> Please talk to your firewall or gateway vendor -- all are working on patches, mitigations, and workarounds.
> Requests seen for 05dc641ffc17.toorrr.com:
> 71.242.0.38:45488 TXID=44489
> 71.242.0.38:45517 TXID=19628
> 71.242.0.38:45481 TXID=47663
> 71.242.0.38:45528 TXID=9043
> 71.242.0.38:45486 TXID=43944

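An added example, not part of any post in this thread or of the doxpara test itself: a small Python script that reads a "Requests seen for ..." listing of the kind grandma77 and JohnWill pasted and reports the things the test's wording refers to, namely the spread between largest and smallest source port, whether the resolver reuses a single port, and whether the ports or TXIDs step by a constant amount (the "obvious pattern" case). The 512-port cutoff is an assumption, since the real test's threshold is not given in the thread, and the BAD listing is constructed.

```python
import re

# Constructed samples in the shape of the doxpara listings quoted in this thread: GOOD is
# JohnWill's Verizon output, BAD is a made-up resolver using consecutive ports and TXIDs.
GOOD = """Requests seen for 05dc641ffc17.toorrr.com:
71.242.0.38:45488 TXID=44489
71.242.0.38:45517 TXID=19628
71.242.0.38:45481 TXID=47663
71.242.0.38:45528 TXID=9043
71.242.0.38:45486 TXID=43944
"""
BAD = """Requests seen for 0000deadbeef.toorrr.com:
192.0.2.53:1025 TXID=100
192.0.2.53:1026 TXID=101
192.0.2.53:1027 TXID=102
192.0.2.53:1028 TXID=103
192.0.2.53:1029 TXID=104
"""
LINE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+TXID=(\d+)$")
MIN_PORT_SPREAD = 512  # assumed cutoff; the real test's threshold is not stated in the thread

def parse_requests(text):
    """Return (source_port, txid) pairs from lines of the form 'ip:port TXID=n'."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pairs.append((int(m.group(2)), int(m.group(3))))
    return pairs

def is_arithmetic(values):
    """True when successive values differ by one constant step, i.e. an obvious pattern."""
    if len(values) < 3:
        return False
    return len({b - a for a, b in zip(values, values[1:])}) == 1

def assess(text, min_spread=MIN_PORT_SPREAD):
    """Summarise one listing using the same notions the test's messages use."""
    pairs = parse_requests(text)
    ports = [p for p, _ in pairs]
    txids = [t for _, t in pairs]
    spread = max(ports) - min(ports) if ports else 0
    return {
        "port_spread": spread,                 # "difference between largest and smallest port"
        "single_port": len(set(ports)) == 1,   # fixed source port, the behaviour the patches removed
        "port_pattern": is_arithmetic(ports),
        "txid_pattern": is_arithmetic(txids),
        "narrow_spread": spread < min_spread,  # what the test attributes to a NAT/firewall
    }
```

Run against JohnWill's listing it reports a spread of 47 and no pattern in either column, which is exactly what his "may be safe, but..." message says; a narrow spread with random-looking values points at the gateway, not at the resolver.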

----------



## Cookiegal

Thanks John. :up:


----------



## grandma77

Thanks John, if it isn't a problem for you ... then it isn't a problem for me...I know you understand this stuff much better than I do.


----------



## JohnWill

No problem.


----------

