Home > Security > 13>0


Patch.  Today.  Now. Yes, stay late.  Yes, forward to OpenDNS if you have to.  (They’re ready for your traffic.)  Thank you to the many of you who already have.

Categories: Security
  1. Out
    July 21, 2008 at 3:43 pm

    Thanks Dan! Keep up the good work.

  2. Jeff
    July 21, 2008 at 3:53 pm

    Is it fair to say the sudden urgency is in response to Halver Flake?

  3. silky
    July 21, 2008 at 4:24 pm

    No probably it’s related to the screwup by matasano

  4. July 21, 2008 at 4:44 pm

    What’s with the secrecy? The bad guys in all likelihood already knew about this! It does not take a genius to know this if you read the relevant code, especially after an advisory is out!

  5. July 21, 2008 at 4:58 pm

    Does your subject line mean thirteen *days* is better than zero?


  6. July 21, 2008 at 5:27 pm

    The cat has been out of the bag the entire time.

    Just because you don’t observe the cat does not mitigate its existence.

    The cat both exists inside and outside of the bag.
    The bag is your mind.

    Update the bag, Dan. -Tony Azzolino’s ghost.

  7. Andrew Dalgleish
    July 21, 2008 at 7:55 pm

    do NOT blindly start using OpenDNS until you understand all the consequences

    They don’t return NXDOMAIN for non-existant domains.

  8. July 21, 2008 at 9:26 pm

    At least there wasn’t any code to go with the explanation.

    Also, I want to thank you SCO for providing such useful information about whether this vulnerability affects their BIND implementation.

  9. Arthur
    July 21, 2008 at 11:49 pm

    I’ve got to second Andrew Dalgleish: Do not use OpenDNS if you don’t know what you’re doing. There won’t be NXDOMAIN returns breaking spam filters and other applications on your server and it will show advertising to your unsuspecting users.

    *Do* fix your nameservers. Upgrade, disable recursion etc.

  10. July 22, 2008 at 1:55 am

    Is it just me, or is the checker broken? I keep getting a message that /printme.html is not found on the site. That seems to be a 404… Something hacked or mislaid?

  11. July 22, 2008 at 4:35 am

    Thanks lieutenant Dan!

    .. sorry, could not resist, its my nature, I can’t help it.

    I was thinking of some way to `responsibly’ report this, I came up with jack shit.

    Anyway, thanks again.

  12. Martin
    July 22, 2008 at 5:10 am

    You can enable NXDOMAIN returns on OpenDNS, just register your IP/subnet and disable typo correction. Why are so many people believing otherwise without checking? For what it is worth I opened an incident the day the word spread with my provider about their DNS not being patched and nothing changed so OpenDNS here I come.

  13. Ben T
    July 22, 2008 at 5:13 am

    For my little spot of cyberspace I do the following:
    1. I run a local dns server that randomizes source ports whose network facing NAT does not derandomize source ports.
    2. My local server resolves through the root servers. The queries are sent to a random root.
    3. I limit my dns server to strictly use TCP queries and not to use UDP for queries.

    Hopefully, this works for me and that this or something else works for you.

  14. mm
    July 22, 2008 at 5:32 am

    this attack been in the wild for like 10 years 🙂
    I mean, who didn’t notice, our little blahblah.microsoft.com iamandidiot.microsoft.com etc poisons? guess what the attack was. here you go.

    but to the real solution: dnssec!

  15. baggedcat
    July 22, 2008 at 6:15 am

    The entire idea that the cat was ever in a bag here is just a total farce. 13 days??? Halvar was more correct when he hypothesized N=4 and N=N/4 for the motivated.

    The idea that somehow the “open” researcher has the monopoly on this stuff is quite near-sighted.

    If Dan really cared about the security of DNS he would have never announced this.

  16. July 22, 2008 at 8:12 am

    OpenDNS will be the only DNS who will be used? Then we can have a nice statistic regarding the domains we are visiting?
    So alot of people will know what we like and so on …. ?
    This is the solving issue to a big flaw in DNS implementation : use OpenDNS ?

  17. July 22, 2008 at 8:30 am

    You mean….do what you were supposed to do in the first place? 🙂

  18. TSW
    July 22, 2008 at 8:41 am

    Hmmm… advertising to my users that type a bad address vs. undetectable phishing attacks. Yeah, I think I’ll deal with OpenDNS until our ISP pulls their head out of their ass.

  19. L. Taylor
    July 22, 2008 at 10:18 am

    Rudd-O says “if you read the relevant code, you know how to exploit it.”

    The patch makes DNS more secure in a general way.

    To exploit an insecure server, you have to hit a window in time when it is vulnerable. In normal operation, that isn’t very predictable.

    … but what if someone finds a way to create more windows of vulnerability?

    As much as I want the precise details, I’m grateful for the secrecy. We needed time to develop a patch for our (non-BIND, non-Microsoft) DNS server and deploy it.

    Thanks to Dan, we had the time to do that, and get it deployed, before some of the details leaked.

  20. July 22, 2008 at 5:14 pm

    ZoneEdit seems to have been affected by the exploit. All of my DNS hosted with them (which is thankfully little these days as I run my own, patched, DNS) is now pointing elsewhere. Good motivation to move everything to my own systems.

  21. July 22, 2008 at 6:43 pm

    by the way,I’m the friends who is come from china.

  22. Jeff
    July 22, 2008 at 7:00 pm

    Mr. Kaminsky,

    If you and other bright individuals really want to help, you should whip up a utility for users to poke their ISPs for the vulnerability. We have seen similar utilities to test for P2P throttling recently.

    I’m with a small town ISP and from past experience with other issues, I just know they haven’t patched this. Subscribers are the ultimate victim and target of these fraudsters, how about helping us help ourselves?

  23. x
    July 22, 2008 at 7:15 pm

    DNS Checker
    When will it be checking my website by IP address instead of by my internet connection, since the two of them are not even by the same company…

  24. D2
    July 22, 2008 at 9:57 pm

    What about RFC2827 again as things like spoofing protection, uRPF, FW-extensions, tracking UDP-state, HIPS looking at floods from single SRC IP would all help to address attacks on ISPs and Enterprises. Essentially one must spoof the authoratative NS SRC IP for this to work right?

    Sure you have to initiate the lookup via iframes/image tags/SPAM or compromised hosts to start the race in the first place, but with some form of ‘state’ and good filtering this shouldn’t be *such* an issue. Network configs can buy time to addess patching…. TIME is still the issue, both the start time and the response time…

    Maybe I am missing something. Maybe not.

  25. OpenVMS AXP
    July 23, 2008 at 1:05 am

    FWIW, I suspect this flaw was discovered and being exploited some time ago. I recall seeing something similar to the “cat out of the bag” pattern in a DNS server cache.

  26. Patricia Lopez
    July 23, 2008 at 6:15 am

    From Spain: thanks Don!

  27. July 23, 2008 at 7:29 am

    How has this been open since the early 90’s. Are there teams of scientists, web developers, and even hackers who pour through Web infrastructure? I was a software code writer in the early 90’s but didn’t think anyone would pay for such services. D’oh! But seriously, what else is out there waiting for exploitation?

  28. July 23, 2008 at 7:46 am

    I think that the text of the checker needs to be changed. It currently says: “All requests came from the following source port: 19446
    Do not be concerned at this time. IT administrators have only recently been apprised of this issue, and should have some time to safely evaluate and deploy a fix.” The warning should probably be a little more insistent 😦

  29. Thanh
    July 23, 2008 at 10:11 am

    Thank you for your research. We are really appreciate it.

  30. Steve
    July 23, 2008 at 11:38 am

    “I keep getting a message that /printme.html is not found on the site. That seems to be a 404…” This typically happens on hosts that have IPv6 enabled in their web browser and you’re running a web server on your own computer. I think the problem is that one of the test site CNAMEs resolves to ::1, which is the IPv6 localhost.

  31. Rob Funk
    July 23, 2008 at 2:15 pm

    Covad has yet to fix this on their DNS servers (at least the ones they assigned to us), despite a phone call and email to their abuse team. 😦

    OpenDNS not only doesn’t return NXDOMAIN, but a lookup of http://www.google.com returns a CNAME google.navigation.opendns.com. I expected their no-NXDOMAIN stuff, but I don’t expect them to hijack Google.

  32. July 23, 2008 at 2:26 pm

    As a workaround, it is recommended to set DNS
    servers to forward only. Can someone explain why
    that helps? Cannot responses from the forwarder be
    spoofed same as normal query responses? Is it that
    “glue RRs” from forwarders are discarded; or that
    source ports of forwarded requests are better
    randomized than normal queries; or that forwarding
    is done with TCP not UDP?

    The “published attack” has ns.victim.com spoofed.
    That does not affect a server set to forward only.
    Could the attacker spoof login.victim.com
    directly, and would not that affect a forward only
    server equally?

  33. Dave
    July 23, 2008 at 4:01 pm

    Tested from an iPhone… NS – Vunerable

  34. tonyn
    July 23, 2008 at 7:24 pm

    :Tested from an iPhone… NS – Vunerable

    You are not really testing the iPhone, the “DNS server you use” belongs to your phone company. (Your iPhone asks the phone company’s systems for DNS information, and they talk to the computer doing the test.)

    FYI The ip address belongs to Cingular.

    I prefer the test at DNS-ORAC to Dan’s; it lists the names it finds for the IP server that talks to it. (I.e. it would mention Cingular on the results page.) It also draws pretty graphs of how secure it thinks you are:


  35. July 23, 2008 at 7:25 pm

    Non-recursing nameservers discard glue RRs. Or at least they should, anyway! (If the recursive bit is set in the query – asking the queried nameserver to do recursion – then it would make sense not to even include glue in the response, but of course a spoofed response could, so we need to ignore/discard glue, not just assume it’s not there.)

  36. tonyn
    July 23, 2008 at 7:59 pm

    @Paul Szabo
    :Cannot responses from the forwarder be
    spoofed same as normal query responses?

    Your forwarding DNS server is talking to recursing DNS server, probably at your ISP.

    An attacker wanting to commit fraud is motivated to get lots of visitors to their auction/shopping/… site/proxy – so that they can gather lots credit card & social security numbers. So the ISP systems are the obvious target.

    Presuming the ISP has fixed their systems the attackers are left with targeting those users who run their own vulnerable recursing DNS servers.

    The recursing bit is important, as it means the DNS system is talking to servers outside the ISP. The ISP can probably not distinguish between valid & falsified responses from those servers.

    A forwarding DNS only talks to the ISP’s server. It is very hard for an attacker to target this, because ISP normally throws away data at the border from external networks claiming to come from an address inside. So faked responses are unlikely to reach you.

    Forwarding to OpenDNS is less secure, as fake replies can pretend to come from the OpenDNS server. However the attacker cannot normally be sure of the details of your DNS system such as, recently used port number(s), recent identification numbers, or even which IP address to send to. So the attack is much harder than before.


  37. July 24, 2008 at 3:29 am

    Thanks Dan,

  38. lenetwizz
    July 24, 2008 at 4:35 am

    now the TIGER is out of the bag…

    METASPLOIT published 12 hours ago the source code for the exploit…


    I will attend to DAKAMI webcast tonight and I will be there in Vegas to hear about this;

    Yes 13>,0 but I am very disappointed that patching was not done on many servers because of summer time, and “we do not believe it” arrogant behaviour of some IT people.

    Now the exploit is available since few hours… In France we experienced last night the first consequence as the french railway on line and intranet ticketing system collapsed for half a day.

    I’m very happy of this because finally they will all hear the word “PATCH”

    A grat supporter of you DAKAMI,

    Mauro “lenetwizz”

  39. jungle
    July 24, 2008 at 9:56 am

    I’m confused about the DNS Checker.

    It always reports about a DNS server at (toorrr.com), which I don’t use. In fact, changing my DNS settings or switching ISPs has no efect.

    According to whois, toorrr.com belongs to Dan Kaminsky.

    What am I missing here?

  40. jungle
    July 24, 2008 at 10:04 am

    Oh, I see the IP is from OpenDNS. More confusion. Anyway, the test at dns-oarc.net works much better.

  41. Anand Das
    July 24, 2008 at 10:06 am

    Thanks Dan, Keep up the good work.

  42. July 24, 2008 at 10:47 am

    Dan, I put a question out there and was wondering your take on it.

    Thanks for the great work on all this too!

    Debbie Mahler
    MICE Training & Education

  43. July 24, 2008 at 11:43 am

    We use managed DNS service provide. Are we, as an organization, vulnerable?

  44. Arthur
    July 24, 2008 at 1:35 pm

    @Pacman: If your DNS service provider is vulnerable so are you. Try the tool at https://www.dns-oarc.net/oarc/services/dnsentropy from a computer which uses your DNS service provider to check for the vulnerability.

  45. July 24, 2008 at 7:11 pm

    Wait, how can you trust these DNS validator? I mean, if your DNS has been poisoned, what better target than these validators? You could be redirected to a mock-up page that says everything is A-OK.

  46. chris
    July 24, 2008 at 9:38 pm

    can you explain what, if any, problems would be if my ports aren’t following an obvious pattern

  47. July 25, 2008 at 12:14 am

    Could you please explain how to determine whether one’s ports are following an obvious pattern, and what remedial action to take? Thanks!

  48. Arthur
    July 25, 2008 at 7:19 am

    @Niles Gibbs: The one I’ve linked to uses TLS. Your browser warns you if there’s a self signed or invalid certificate. But you naturally have to trust the test itself…


    @chris: If your ports aren’t following an obvious pattern, everything’s all right. If they *do* follow a predictable pattern something is wrong.

  49. Liz
    July 26, 2008 at 2:51 pm

    Gee, this is scary. Especially because my DNS results are rather inconclusive.

  50. Peter A Lundeen
    July 26, 2008 at 3:07 pm


  51. cliff
    July 26, 2008 at 5:34 pm


  52. Mark
    July 26, 2008 at 5:57 pm

    Thanks, Dan – and NPR.

  53. July 26, 2008 at 6:03 pm

    DNS Checker: no apparent problem but ports could be construed as obvious patter.

    Much Thanks.

  54. July 26, 2008 at 6:06 pm

    No, sorry there not. 🙂

  55. Pat
    July 27, 2008 at 9:21 am

    Thanks, Dan–to you and to NPR.

  56. Leslie
    July 27, 2008 at 4:05 pm

    Thanks, Dan and NPR for running the story.

  57. Olga
    July 29, 2008 at 12:25 am

    I hate rogers.

  58. July 29, 2008 at 9:15 pm

    OK, OpenDns.

  59. July 30, 2008 at 4:13 am

    I heard your radio interview on NPR, got excited, went to OpenDNS and downloaded/installed it. Two days later I read in the knowledge base that HughesNet people CANNOT use OpenDNS. All that for nothing. I just wanted this put into your Blog so people would know…

  60. techgeek
    July 31, 2008 at 6:17 pm

    Your name server, at XXXXXXXXXX, appears vulnerable to DNS Cache Poisoning.
    All requests came from the following source port: XXXX

    This rogers canada

  61. Daniel Martin
    August 2, 2008 at 7:39 am

    This exploit has been out how long, and most isps haven’t updated, including my own. Thankgod for opendns. Wowway sucks.

  62. Evalyn Gossett
    August 4, 2008 at 8:51 pm

    Thank you for your work and sharing it.

  63. John
    August 5, 2008 at 10:13 am

    I am concerned about this DNS checker, I have patched my servers but it still says I am vulnerable. Is anyone else seeing this?

  64. August 6, 2008 at 12:13 am

    Thk U, nice ap.

  65. August 10, 2008 at 10:07 pm

    According to this website (http://tservice.net.ru/~s0mbre/blog/devel/networking/dns/2008_08_08.html), the DNS flaw is inadequate. What is your reaction? Is it really feasable? Are we in even more danger now that this new exploit exists?

  66. jeff
    August 13, 2008 at 11:26 pm

    thanks mate 8)

  67. Avoid OpenDNS
    August 28, 2011 at 10:03 am

    It’s a myth that OpenDNS provides a solid DNS service. In fact, they spy at you and track your Internet activity; and sell the data collected. Also, if you use remote desktop sevice to connect to a remote server, you’ll get disconnected frequently because of the OpenDNS redirect/relay system. So, you better use your ISP, a real DNS service such as the one provided by Level3, or you set up your own DNS server.

  1. July 21, 2008 at 3:49 pm
  2. July 21, 2008 at 4:03 pm
  3. July 21, 2008 at 5:07 pm
  4. July 21, 2008 at 7:55 pm
  5. July 21, 2008 at 9:36 pm
  6. July 22, 2008 at 2:19 am
  7. July 22, 2008 at 3:39 am
  8. July 22, 2008 at 6:10 am
  9. July 22, 2008 at 7:30 am
  10. July 22, 2008 at 8:12 am
  11. July 22, 2008 at 10:02 am
  12. July 22, 2008 at 10:52 am
  13. July 22, 2008 at 12:52 pm
  14. July 22, 2008 at 6:28 pm
  15. July 22, 2008 at 7:44 pm
  16. July 22, 2008 at 7:58 pm
  17. July 22, 2008 at 8:21 pm
  18. July 23, 2008 at 1:48 am
  19. July 23, 2008 at 1:52 am
  20. July 23, 2008 at 2:29 am
  21. July 23, 2008 at 2:38 am
  22. July 23, 2008 at 1:52 pm
  23. July 23, 2008 at 7:23 pm
  24. July 24, 2008 at 4:03 am
  25. July 24, 2008 at 8:43 am
  26. July 24, 2008 at 9:33 am
  27. July 24, 2008 at 3:39 pm
  28. July 25, 2008 at 2:46 pm
  29. July 25, 2008 at 7:22 pm
  30. July 26, 2008 at 7:40 am
  31. July 26, 2008 at 5:57 pm
  32. July 28, 2008 at 3:40 pm
  33. July 28, 2008 at 8:44 pm
  34. August 1, 2008 at 3:00 pm
  35. August 1, 2008 at 3:07 pm
  36. August 1, 2008 at 3:18 pm
  37. August 1, 2008 at 3:34 pm
  38. August 1, 2008 at 8:27 pm
  39. August 2, 2008 at 12:03 am
  40. August 3, 2008 at 10:19 pm
  41. August 3, 2008 at 10:51 pm
  42. August 4, 2008 at 6:16 am
  43. August 4, 2008 at 7:38 am
  44. August 5, 2008 at 3:11 am
  45. August 5, 2008 at 9:04 am
  46. August 6, 2008 at 7:26 am
  47. August 11, 2008 at 3:19 pm
  48. August 16, 2008 at 4:17 am
  49. August 26, 2008 at 1:46 pm
  50. December 17, 2008 at 1:54 pm

Leave a Reply to Liz Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: