World's biggest ISPs drag feet on critical DNS patch

[Gary]

"More than two weeks after security researchers warned of a critical defect in the net's address lookup system, some of the world's biggest internet service providers - including AT&T, BT, Time Warner and Bell Canada - have yet to install a patch inoculating their subscribers against attacks" And in the wild attacks are now taking place for this exploit, Ah that lovely safe and warm feeling massive corporations give when they just do not care, but smile and pretend.

Story here http://www.theregister.co.uk/2008/07/25/isps_slow_to_patch/

  You can check your DNS here to see if its safe http://www.doxpara.com/ Just press the "Check my DNS button" O2/BE came out safe thankfully for me

[Rik]

We appear to be OK.

[Gary]

We appear to be OK.

Thats good Rik, the list of providers not patched is pretty much all the major players

[Rik]

No surprises there, then.

[Inactive]

I bet I could name them.... 

[Gary]

I bet I could name them.... 

Click the El Reg link and you can see them, In but you would be right 

[Sebby]

We appear to be OK.

[Noreen]

"More than two weeks after security researchers warned of a critical defect in the net's address lookup system, some of the world's biggest internet service providers - including AT&T, BT, Time Warner and Bell Canada - have yet to install a patch inoculating their subscribers against attacks" And in the wild attacks are now taking place for this exploit, Ah that lovely safe and warm feeling massive corporations give when they just do not care, but smile and pretend.

Story here http://www.theregister.co.uk/2008/07/25/isps_slow_to_patch/

According to an update on your link BT are not among "the usual suspects".

[Rik]

That makes a change, Noreen.

[Gary]

That makes a change, Noreen.

Probably want to make sure there are no issues with Phorm, having dns redirected would ruin the plotting of users personal browsing habits

[somanyholes]

another tester

https://www.dns-oarc.net/

[Gary]

Got a big green Great on all tests

[Rik]

Two greats. Thanks, So. 

[Noreen]

Four "Greats" 

[Simon]

Six Greats! 

[Sebby]

[Gary]

I wonder why some got more green greats than others on the same network, router maybe? Exclude me I'm on be/o2 but Rik got two and Noreen 4 and Simon 6

[Inactive]

I thought that they were just adding each " 2 " on to the previous total Gary..?

[Simon]

I thought that they were just adding each " 2 " on to the previous total Gary..?

Yes, that's what I was doing.  I got 2.  Sorry for the confusion!   

[Gary]

I thought that they were just adding each " 2 " on to the previous total Gary..?

I got six greats straight off in that's why I was confused, ill re-check
*edit I got six greats on the page  , different set ups and ISP I guess

[somanyholes]

It looks like it might be down to the amount of nameservers you have specified which could be 1 or 2 or 3

each nameserver has two tests made against it

source port and transaction id

[Noreen]

I wondered about that too, Gary. I really did get four. Netgear router on IDNet.

[somanyholes]

four would be what i would expect to see.

We normally use two nameservers, which would result in 4 results. Not many people use a 3rd nameserver

[Gary]

I got 6 but maybe as its adsl2+ its different for me still odd that simon and Rik got 2, so. I'm on a netgear DG834G v4 maybe its because they use 2wire routers

[somanyholes]

how many nameservers does it list at the top of the page?

[Gary]

how many nameservers does it list at the top of the page?

Three

[somanyholes]

that explains it then

either you have inputted three name servers or the idnet system have supplied you with them automatically to your router.

[Inactive]

I got 2 " greats " with one thingie at the top.

I have another one in my living room, oh no, that is grate..   ( as in fireplace ).

[Gary]

that explains it then

either you have inputted three name servers or the idnet system have supplied you with them automatically to your router.

I am with O2/Be, So. So maybe they use three nameservers

[Gary]

I got 2 " greats " with one thingie at the top.

I have another one in my living room, oh no, that is grate..   ( as in fireplace ).

[somanyholes]

I am with O2/Be, So. So maybe they use three nameservers

Forgot about that Kill ... All makes sense now

[Gary]

Forgot about that Kill ... All makes sense now

Enlighten Me, So 

[somanyholes]

Each nameserver you have has two tests run against it (port and transaction id). So if you have 3 nameservers to use. it would provide 6 tests.

Idnet seems to use 2 nameservers hence why most people get 4 tests done against them. Make sense?

[Rik]

Any idea why I only ever get one nameserver tested, So?

[Gary]

Each nameserver you have has two tests run against it (port and transaction id). So if you have 3 nameservers to use. it would provide 6 tests.

Idnet seems to use 2 nameservers hence why most people get 4 tests done against them. Make sense?

I just thought you knew why o2/be used three nameservers, So How come Rik got 2 then if Idnet use 2 as he just asked  to quick is Rik

[Rik]

It only ever tests one per visit, Gary, which may be a function of the way Windows does DNS?

[Gary]

If it only tests one per visit how come all three were tested on mine, each time Sorry the meds have kicked in so I many now be dumber than usual

[somanyholes]

the more dns servers you have, the more redundancy you have in your network.hence why 3 nameservers are no bad thing.

Rik is your dns set locally on your machines or are they set on your router?

[Rik]

Router to pick them up automatically, So.

[somanyholes]

and how many does your router pickup?

[Rik]

Two. Though Simon D did explain to me that Windows uses them turn and turn about, so whether that has an influence on the test I don't know.

[somanyholes]

if you only have the routers ip in your windows ip config for dns that sounds about right. Is that the same for you kill?

[Rik]

I do, So.

[Gary]

[/quote]Thats the same for me, So

if you only have the routers ip in your windows ip config for dns that sounds about right. Is that the same for you kill?

Same here, So.

[esh]

I think this whole DNS patch thing got a little over-hyped. I always find it interesting how some bugs just sail past and others are everywhere in the media. That said, patching BIND is no mean feat, especially for large DNS providers. It's not just a config reload, you have to actually restart the service, and loading in the configs on some of those large servers takes a surprisingly large amount of time. The counter-argument of course is that in such scenarios you almost invariably have more than one server and hence patch one at a time, but there's still the usual "if it ain't broke..." attitude. Most responsible admins will likely patch in the next reasonable amount of downtime. It does bring to the foreground the issue of how the internet is built on several layers of trust you rarely think about -- is wikipedia.org resolving to the real site? You always assume so.

I will admit now that my DNS server is not patched (yet!), but it's internal only ...

[Gary]

I think this whole DNS patch thing got a little over-hyped. I always find it interesting how some bugs just sail past and others are everywhere in the media. That said, patching BIND is no mean feat, especially for large DNS providers. It's not just a config reload, you have to actually restart the service, and loading in the configs on some of those large servers takes a surprisingly large amount of time. The counter-argument of course is that in such scenarios you almost invariably have more than one server and hence patch one at a time, but there's still the usual "if it ain't broke..." attitude. Most responsible admins will likely patch in the next reasonable amount of downtime. It does bring to the foreground the issue of how the internet is built on several layers of trust you rarely think about -- is wikipedia.org resolving to the real site? You always assume so.

I will admit now that my DNS server is not patched (yet!), but it's internal only ...

What you say makes sense, but how come some ISP's did the patching ahead of schedule (they all knew about the issue) while others seem to have not yet bothered but had plenty of time to patch, now their are active exploits so it does smack of later when we can be bothered, and Orange, CPW etc are not known for working to fix issues on their networks fast anyway, have you ever used their DNS servers? Sadly I have had to on friends machines and resolving an address can take long enough to pop out to France have a massive shopping spree, come back cook a three course meal, go to bed wake up and voilà  you can log into your favourite site 

[somanyholes]

a few things that maybe of interest.

Some home routers are vulnerable to these attacks as well. For example the wrt54g routers that perform caching can be attacked.

Internal dns servers can still be easily abused. For example if your wired or wireless infrastructure gets hacked is some fashion attacking the internal dns servers means they can control your entire lan in no time at all.

Regardless of all the patching that is going on the dns servers are still vulnerable, instead of minutes to attack, it may take a few hours instead, so it's still not much of a problem. See here. http://www.securebits.org/dnsmre.html

[Rik]

That's right, So, cheer us up.

[somanyholes]

i aim to please

[Rik]

 

[Gary]

Ok im selling my pc and getting a years supply of sedatives to cope with the boredom

[somanyholes]

dns server patching video.. worldwide

http://security4all.blogspot.com/2008/08/dns-patching-video-watch-how-fast-dns.html

[Rik]

Fascinating. The US seemed very slow to respond.

[Gary]

Fascinating. The US seemed very slow to respond.

Its hard to move fast with a shake and a burger in your hand, Rik

[Rik]

Oh, I don't know, Gary.

[Gary]

Oh, I don't know, Gary.

[Gary]

Oh, I don't know, Gary.

Well it is fast food, Rik, So maybe it does help

[Rik]

At some point in the digestive cycle, anyway.

[Gary]

At some point in the digestive cycle, anyway.

[Sebby]

Its hard to move fast with a shake and a burger in your hand, Rik

I wouldn't know.

[Gary]

I wouldn't know.

I just don't move fast Sebby

[esh]

Looks like someone wrote some exploit code to get around the patch. Takes a lot longer now for it to work, but you know what they say, persistence is all!

[Rik]

Once more we enter the cycle of measure and counter-measure. Life used to be simpler.

[esh]

Back to using /etc/hosts then?

[Rik]

I was thinking more of carrier pigeons.

[XR219]

There is an RFC for IP via carrier pigeon... http://rfc.net/rfc2549.html 

Always best to use Open DNS for your DNS servers, much better than any ISP's 

[Sebby]

I was using OpenDNS for quite a while, then I reverted back to IDNet's and pages seemed to load much quicker. I'm not sure there's a lot in it if your ISP has good DNS', which I think IDNet do.