World's biggest ISPs drag feet on critical DNS patch

Started by Gary, Jul 25, 2008, 11:22:52

Gary

Damned, if you do damned if you don't

somanyholes

That explains it then :)

Either you have entered three name servers, or the IDNet system has supplied them automatically to your router.

Inactive

I got 2 "greats" with one thingie at the top. ;)

I have another one in my living room, oh no, that is grate... ;D (as in fireplace). ;)
Anything and everything that I post on here is purely my opinion, it ain't going to change the world, you are under no obligation to agree with me, it is purely my expressed opinion.

Gary

Quote from: somanyholes on Jul 29, 2008, 12:28:05
That explains it then :)

Either you have entered three name servers, or the IDNet system has supplied them automatically to your router.
I am with O2/Be, So, so maybe they use three nameservers.

Gary

Quote from: Inactive on Jul 29, 2008, 12:30:19
I got 2 "greats" with one thingie at the top. ;)

I have another one in my living room, oh no, that is grate... ;D (as in fireplace). ;)
:grn:

somanyholes

Quote
I am with O2/Be, So, so maybe they use three nameservers.

Forgot about that, Kill ... all makes sense now :)

somanyholes

Each nameserver you have has two tests run against it (port and transaction ID), so if you have 3 nameservers to use, it would provide 6 tests.

IDNet seems to use 2 nameservers, hence why most people get 4 tests done against them. Make sense?
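The two-tests-per-nameserver idea somanyholes describes (one verdict for the source port, one for the transaction ID, so three nameservers give six rows) can be reproduced offline from a handful of observed queries. The block below is an added example, not the checker's own code or anything from the thread: the grading thresholds are assumptions of mine, and every (port, txid) sample is constructed rather than captured from any ISP.

```python
"""Grade a resolver's source-port and transaction-ID behaviour from
observed queries, in the spirit of the two-tests-per-nameserver checker
discussed in the thread.  Added example: not the checker's code, and the
POOR/GOOD/GREAT thresholds are assumptions, not the real service's.
All samples are constructed, not captured."""
import math

# Constructed observations: (source_port, txid) as the test server would see them.
UNPATCHED = [(32769, 5001 + i) for i in range(20)]      # fixed port, txid counts up
PATCHED = [(41257, 9123), (1034, 60211), (60812, 233), (23411, 41987),
           (55209, 17044), (8730, 52380), (33977, 30751), (49102, 4460)]
NARROW = [(1030, 40211), (1091, 3321), (1042, 57870), (1077, 12904), (1058, 29555)]


def is_sequential(values):
    """True when every consecutive pair differs by the same step (e.g. +1)."""
    if len(values) < 3:
        return False
    return len({b - a for a, b in zip(values, values[1:])}) == 1


def spread_bits(values):
    """log2 of the span the samples cover: crude, but it separates fixed,
    narrow and wide behaviour without needing thousands of samples."""
    return math.log2(max(values) - min(values) + 1)


def verdict(values, space_bits=16):
    """Assumed grading (the real checker's thresholds are not on the page):
    POOR  - a single value, or values stepping predictably
    GOOD  - varies, but covers less than half the bits of the space
    GREAT - varies and covers most of the space"""
    if len(set(values)) == 1 or is_sequential(values):
        return "POOR"
    if spread_bits(values) < space_bits / 2:
        return "GOOD"
    return "GREAT"


def check_nameserver(samples):
    """Two verdicts per nameserver: one for the port, one for the txid."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    return {"port": verdict(ports), "txid": verdict(txids)}


def run_tests(resolvers):
    """resolvers maps a nameserver name to its samples; three nameservers
    therefore yield six (name, test, verdict) rows, as in the thread."""
    rows = []
    for name, samples in resolvers.items():
        for test, result in check_nameserver(samples).items():
            rows.append((name, test, result))
    return rows


if __name__ == "__main__":
    for row in run_tests({"ns1": PATCHED, "ns2": UNPATCHED, "ns3": NARROW}):
        print(*row)
```

The NARROW set is the case worth noticing: the port changes every query, so a naive "is it fixed?" check passes it, but it only wanders across a few dozen values, which barely raises the attacker's guessing cost. A real check needs enough samples to judge the spread, not just whether the number moves.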

Rik

Any idea why I only ever get one nameserver tested, So?
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Quote from: somanyholes on Jul 29, 2008, 13:07:57
Each nameserver you have has two tests run against it (port and transaction ID), so if you have 3 nameservers to use, it would provide 6 tests.

IDNet seems to use 2 nameservers, hence why most people get 4 tests done against them. Make sense?
I just thought you knew why O2/Be used three nameservers, So ;D How come Rik got 2 then, if IDNet use 2 ??? as he just asked ;) Too quick is Rik

Rik

It only ever tests one per visit, Gary, which may be a function of the way Windows does DNS?

Gary

If it only tests one per visit, how come all three were tested on mine, each time ??? Sorry, the meds have kicked in so I may now be dumber than usual ;D

somanyholes

The more DNS servers you have, the more redundancy you have in your network, hence why 3 nameservers are no bad thing.

Rik, is your DNS set locally on your machines, or is it set on your router?

Rik

Two. Though Simon D did explain to me that Windows uses them turn and turn about, so whether that has an influence on the test I don't know.

somanyholes

If you only have the router's IP in your Windows IP config for DNS, that sounds about right. Is that the same for you, Kill?

Gary

Quote from: somanyholes on Jul 29, 2008, 15:36:09
If you only have the router's IP in your Windows IP config for DNS, that sounds about right. Is that the same for you, Kill?
Same here, So.

esh

I think this whole DNS patch thing got a little over-hyped. I always find it interesting how some bugs just sail past and others are everywhere in the media. That said, patching BIND is no mean feat, especially for large DNS providers. It's not just a config reload, you have to actually restart the service, and loading in the configs on some of those large servers takes a surprisingly large amount of time. The counter-argument of course is that in such scenarios you almost invariably have more than one server and hence patch one at a time, but there's still the usual "if it ain't broke..." attitude. Most responsible admins will likely patch in the next reasonable amount of downtime. It does bring to the foreground the issue of how the internet is built on several layers of trust you rarely think about -- is wikipedia.org resolving to the real site? You always assume so.

I will admit now that my DNS server is not patched (yet!), but it's internal only ... ;)
CompuServe 28.8k/33.6k 1994-1998, BT 56k 1998-2001, NTL Cable 512k 2001-2004, 2x F2S 1M 2004-2008, IDNet 8M 2008 - LLU 11M 2011

Gary

Quote from: esh on Aug 07, 2008, 01:08:08
I think this whole DNS patch thing got a little over-hyped. I always find it interesting how some bugs just sail past and others are everywhere in the media. That said, patching BIND is no mean feat, especially for large DNS providers. It's not just a config reload, you have to actually restart the service, and loading in the configs on some of those large servers takes a surprisingly large amount of time. The counter-argument of course is that in such scenarios you almost invariably have more than one server and hence patch one at a time, but there's still the usual "if it ain't broke..." attitude. Most responsible admins will likely patch in the next reasonable amount of downtime. It does bring to the foreground the issue of how the internet is built on several layers of trust you rarely think about -- is wikipedia.org resolving to the real site? You always assume so.

I will admit now that my DNS server is not patched (yet!), but it's internal only ... ;)
What you say makes sense, but how come some ISPs did the patching ahead of schedule (they all knew about the issue) while others seem to have not yet bothered, though they had plenty of time to patch? Now there are active exploits, so it does smack of "later, when we can be bothered", and Orange, CPW etc. are not known for working to fix issues on their networks fast anyway. Have you ever used their DNS servers? Sadly I have had to on friends' machines, and resolving an address can take long enough to pop out to France, have a massive shopping spree, come back, cook a three course meal, go to bed, wake up and voilà, you can log into your favourite site >:D

somanyholes

A few things that may be of interest.

Some home routers are vulnerable to these attacks as well. For example, WRT54G routers that perform caching can be attacked.

Internal DNS servers can still be easily abused. For example, if your wired or wireless infrastructure gets hacked in some fashion, attacking the internal DNS servers means they can control your entire LAN in no time at all.

Regardless of all the patching that is going on, the DNS servers are still vulnerable: instead of minutes to attack, it may take a few hours instead, so it's still not much of a problem. See here: http://www.securebits.org/dnsmre.html
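To see where the "minutes versus hours" contrast in the post above comes from, it helps to put numbers on the race. The block below is an added example, not code or figures from the linked page or the thread: it models the repeated-race (Kaminsky-style) attack, where the attacker forces a fresh query after every miss and fires a burst of forged replies into each window, and compares a resolver with a fixed source port against one that randomizes it. The attacker parameters (forged replies per race, races per second) are assumptions chosen for illustration.

```python
"""Rough work-factor model for repeated-race DNS cache poisoning,
comparing a resolver that uses a fixed source port with one that
randomizes it.  Added example: the attacker parameters are assumed,
not measured, and the model ignores the defender's RTT variance."""
import math

TXID_SPACE = 2 ** 16            # 16-bit transaction ID
EPHEMERAL_PORTS = 65536 - 1024  # assumed usable source-port range 1024..65535


def guess_space(port_randomized):
    """Number of (txid, port) combinations a forged reply has to match."""
    return TXID_SPACE * (EPHEMERAL_PORTS if port_randomized else 1)


def race_success_probability(space, forged_replies):
    """Chance that one race succeeds when the attacker fires `forged_replies`
    distinct guesses before the legitimate answer lands and closes the window."""
    return min(1.0, forged_replies / space)


def expected_seconds_to_poison(port_randomized, forged_replies, races_per_second):
    """Expected time until a forged reply wins.  Races are independent because
    the attacker triggers a new query (a fresh random subdomain) after each miss,
    so the expected number of races is 1/p and time is 1/(p * rate)."""
    p = race_success_probability(guess_space(port_randomized), forged_replies)
    return 1.0 / (p * races_per_second)


def entropy_bits(port_randomized):
    """How many bits an attacker must guess per forged reply."""
    return math.log2(guess_space(port_randomized))


if __name__ == "__main__":
    forged, rate = 5000, 100   # assumed: 5000 forged replies per race, 100 races/s
    for label, randomized in (("fixed port", False), ("random port", True)):
        t = expected_seconds_to_poison(randomized, forged, rate)
        print(f"{label:12s} {entropy_bits(randomized):5.1f} bits  "
              f"expected {t:.1f} s ({t / 3600:.2f} h)")
```

With those assumed numbers the fixed-port resolver falls in well under a second and the port-randomized one in a little over two hours; the ratio between the two is exactly the number of usable ports, which is all the patch buys. That is why the post's point stands as a quantitative one: randomization raises the cost by a factor of roughly 2^16, it does not remove the race.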
