Monday, August 11, 2008

Serious DNS Vulnerability (Kaminsky) Can Affect Email Services

Hello All,

This is the beginning of shorter, but more frequent, posts.

This recently released serious DNS vulnerability (found by Kaminsky) can affect email services: while hackers are spoofing DNS for web site attacks, the same could be done for email attacks. See the US-CERT posting for an overview of the issue. This affects dozens of DNS implementations, including Windows DNS.

Official US-CERT Posting on the DNS Vulnerability
http://www.kb.cert.org/vuls/id/800113

An Illustrated Guide to the Problem
http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html

There is some discussion about what the best approach is to fix it (e.g. DNSSEC, increasing the query ID, randomizing the source port, IPv6, SSL, etc.). So, at the moment, the easiest fix is to increase the query ID and randomize the source port. For your servers, use (at least for Windows Server DNS) the root-based hints included in the operating system. "Man in the middle" attacks are a lot more common and dangerous than people realize, which is why I prefer using my EVDO card over some random WiFi hotspot. Stay safe.

-Ben
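
To check whether a resolver actually received the source-port randomization fix mentioned above, look at the source ports on its outgoing queries. The following is an added example, not part of the original post: the function name, the thresholds and the sample port lists are all constructed for illustration, and the bit count is a rough estimate from the observed span.

```python
import math

TXID_BITS = 16      # the DNS query ID is a 16-bit field
NARROW_SPAN = 4096  # assumption: spans below this count as a narrow port pool
MAX_STEP = 4        # assumption: steps of 1..4 between queries look sequential

def assess_source_ports(ports):
    """Classify a resolver's source-port behaviour from the ports seen on
    its outgoing queries (in capture order) and estimate how many bits an
    off-path spoofer would have to guess (query ID plus source port)."""
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    span = max(ports) - min(ports) + 1
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    if span == 1:
        verdict, port_bits = "fixed", 0.0
    elif all(0 < d <= MAX_STEP for d in deltas):
        # The next port is predictable, so it adds nothing to the query ID.
        verdict, port_bits = "sequential", 0.0
    elif span < NARROW_SPAN:
        verdict, port_bits = "narrow", math.log2(span)
    else:
        verdict, port_bits = "randomized", math.log2(span)
    return {"verdict": verdict, "span": span,
            "guess_bits": round(TXID_BITS + port_bits, 2)}

# Constructed samples: source ports of consecutive outgoing queries,
# as they would appear in a packet capture taken next to the resolver.
SAMPLES = {
    "unpatched, fixed port": [32768] * 8,
    "incrementing ports": [1025, 1026, 1027, 1028, 1029, 1030, 1031, 1032],
    "small port pool": [1025, 1030, 1027, 1040, 1033, 1026, 1038, 1029],
    "patched, random ports": [49152, 1031, 60211, 23455, 8080,
                              40001, 15872, 62000, 3300, 51234],
}

def report():
    """Run the assessment over every constructed sample."""
    return {name: assess_source_ports(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:24} {result}")
```

A resolver behind a NAT device that rewrites source ports can show "fixed" or "sequential" on the outside even when the DNS software itself is patched, so capture on the far side of the NAT.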
