25 September, 2008

Is your ISP keeping you safe?

Recently a new vulnerability was found in a core part of the web surfing system: the DNS server. DNS, short for Domain Name System, translates a website's URL (its hostname) into the website's IP address, the addressing system of the Internet, so your web browser can find the website you are looking for.

To handle the load of users, there are many, many DNS servers. In fact, DNS service is provided by ISPs -- either their own servers or third-party systems they have paid for -- so that when you connect through your ISP, you can find the website you want. When the DNS server you use cannot find a website, it contacts another DNS server to update its records. Likewise, websites have DNS servers of their own to tell other DNS servers which IP addresses belong to their website.

Here's the problem at hand. It has been worked out how a hacker could feed a DNS server a wrong IP address while the server is updating its records. The hacker does this by forcing the server to ask another DNS server for a fresh record, and then answering first, posing as the server that was queried. This is called poisoning the DNS server. By supplying the incorrect IP address, the web surfer looking for a website can be redirected to a fake website that looks like the one they wanted.

So to finish the hack, after the hacker "poisons" the DNS server, the hacker also has to have a fake website posing as the real one. When you, the web surfer, log into the "fake" website, the hacker can capture your username and password for the real site. Imagine the problem if this "fake" site were posing as your bank.

This was such a big deal in the Internet administration community, and they did a great job keeping it quiet until they had a fix available -- something not known to happen too often. All the major DNS server providers for the Internet backbone and major sites patched themselves at the same time this was announced. It is such a big deal that it is posted on the U.S. Homeland Security website. Unfortunately, not all ISPs have patched their systems. If an unpatched DNS server is providing service to you, you are at risk.

Fortunately, there are tests available to see whether your DNS server is vulnerable. Here's a test from DNS-OARC. The test looks at two parts of the DNS server's queries, the source port and the transaction ID, and is essentially checking how random your DNS system is. If a DNS server's ports and IDs are predictable, the hacker can beat the queried DNS server to the response (which creates the poisoned record). In the image we can see what a failed test might look like, with sequential ports being used on the DNS server -- sequential ports are predictable; random ones are not.

Use this test yourself (just click the Test My DNS button) to see if your DNS server is safe. If not, report it to your ISP -- and if they don't change, perhaps a new ISP is in order. An alternative to leaving your ISP is to use OpenDNS. I wrote about this in a prior post, Faster and more reliable web surfing with OpenDNS. Depending on your ISP, you may have to configure each PC to use OpenDNS; for others, you can just set it within your router.
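To make the "how random is your DNS" idea concrete, here is an added example, not part of the original post and not the DNS-OARC test itself: a small offline script that scores a list of observed (source port, transaction ID) pairs for predictability. The three resolvers it scores are constructed, hypothetical data seeded for repeatability (a sequential-port resolver like the one in the failed-test image, an old fixed-port-53 resolver, and a patched resolver that randomizes both fields); the thresholds are illustrative, and the function and variable names are my own.

```python
"""
Added example (not from the original post): a small, offline check that
scores observed DNS query (source port, transaction ID) pairs for
predictability, in the spirit of the DNS-OARC port/ID randomness test.
All sample data below is constructed, not captured from a real resolver.
"""
import math
import random
from collections import Counter


def shannon_entropy_bits(values):
    """Empirical Shannon entropy of the observed values, in bits.
    With n samples the maximum possible value is log2(n), so the number is
    only meaningful relative to the sample size."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def sequential_fraction(values):
    """Fraction of consecutive observations where the value simply goes up
    by one: the 'sequential ports' pattern of a weak resolver."""
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return steps / (len(values) - 1)


def assess_resolver(samples):
    """samples: list of (source_port, transaction_id) pairs, one per query
    sent by the resolver under test. Returns a report dict with a verdict."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    n = len(samples)
    report = {
        "samples": n,
        "distinct_ports": len(set(ports)),
        "distinct_txids": len(set(txids)),
        "port_entropy_bits": round(shannon_entropy_bits(ports), 2),
        "txid_entropy_bits": round(shannon_entropy_bits(txids), 2),
        "port_sequential_fraction": round(sequential_fraction(ports), 2),
        "txid_sequential_fraction": round(sequential_fraction(txids), 2),
    }
    problems = []
    # Illustrative thresholds: a healthy resolver uses a fresh, unpredictable
    # port and ID for nearly every query, so reuse or counting is a red flag.
    if report["distinct_ports"] < n / 2 or report["port_sequential_fraction"] >= 0.5:
        problems.append("predictable source ports")
    if report["distinct_txids"] < n / 2 or report["txid_sequential_fraction"] >= 0.5:
        problems.append("predictable transaction IDs")
    report["problems"] = problems
    report["verdict"] = "POOR" if problems else "GOOD"
    return report


# --- constructed sample data (hypothetical resolvers, seeded for repeatability) ---
_rng = random.Random(2008)
N = 200

# Unpatched-style resolver: source port walks upward one at a time, IDs random.
SEQUENTIAL_PORT_RESOLVER = [(32768 + i, _rng.randrange(0, 65536)) for i in range(N)]

# Older style: every query sent from port 53 with a counting transaction ID.
FIXED_PORT_RESOLVER = [(53, (1000 + i) & 0xFFFF) for i in range(N)]

# Patched-style resolver: both fields drawn at random for every query.
RANDOMIZED_RESOLVER = [(_rng.randrange(1024, 65536), _rng.randrange(0, 65536))
                       for _ in range(N)]


if __name__ == "__main__":
    for name, data in [("sequential ports", SEQUENTIAL_PORT_RESOLVER),
                       ("fixed port 53", FIXED_PORT_RESOLVER),
                       ("randomized", RANDOMIZED_RESOLVER)]:
        r = assess_resolver(data)
        print(f"{name:18s} verdict={r['verdict']:4s} "
              f"ports={r['distinct_ports']}/{r['samples']} "
              f"seq={r['port_sequential_fraction']} "
              f"ids={r['distinct_txids']}/{r['samples']} "
              f"seq={r['txid_sequential_fraction']} problems={r['problems']}")
```

Running it prints a POOR verdict for the sequential-port and fixed-port resolvers and GOOD for the randomized one. A real check would feed in ports and IDs observed on the resolver's outbound queries rather than constructed lists, and would need a few hundred samples before the entropy figures mean much.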
