Hosting companies and the looming DNS problem
Ms Naughty
2008-07-31, 11:35 PM
I'm starting a thread about something that I don't really understand. Maybe Sparky or others can add to it. In any case, I've read today that there's a major flaw with the DNS system and that hosts need to add a patch to make sure sites don't get exploited via nameservers.
http://news.cnet.com/8301-1009_3-10004267-83.html
So... hosting companies, have you added this patch?
Hosting companies are less affected by this than your broadband/dialup ISP. Our servers are authoritative to the outside world -- meaning that an end-user wouldn't normally be using our servers to look up their bank, google, yahoo, etc. Because of that, even if we ran the older DNS software that was able to be spoofed, only people using our nameservers for their dns resolution would be affected. Answering authoritatively for domain names that are hosted on our nameservers would be unaffected.
Now, there is an interesting vector that was exploited the other day:
DNS attack writer victim of his own creation (http://www.pcworld.com/businesscenter/article/149126/dns_attack_writer_a_victim_of_his_own_creation.html)
However, I would bet that most of the hosting companies have upgraded their dns within days of the initial announcement. Some possibly were already running powerdns which was unaffected.
Even though most of the unmanaged servers are running nameservers, again, since very few people other than the local machine would be using that server as a resolver, it is unlikely that they would be affected.
To give you an idea how the attack works, basically, it's a race between the good guy and the bad guy. You request to go to google.com and ask your ISP for the IP address; the bad guy is flooding your ISP's nameserver with answers for google.com, using this bug, which severely limits the guesswork required to inject the bad data. There is a possibility that you'll get the right answer, but there's a reasonable chance you'll get the wrong answer.
A simple test to see if the resolver you are using is exploitable is to use this dns test (http://entropy.dns-oarc.net/test/)
Ideally you'll see Great Source Port Randomness and Great Transaction ID Randomness. Just because you don't see both as Great doesn't mean that your resolver is necessarily exploitable. There are certain network architectures that some of the larger ISPs use that will skew the test.
AT&T still appears to be a major laggard in updating their servers, and is the one affected in the article linked above. AT&T also supplies the DNS resolvers for all of the iPhones recently turned on.
If your current ISP appears to be unpatched, you can always use opendns.com's resolvers which run their enterprise version of powerdns which was unaffected by the bug.
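The race described in the post above, as an added example that is not part of the thread. It simulates two toy resolvers, an unpatched one that sends every query from one fixed UDP source port with a counting transaction ID, and a patched one that randomises both, then does two things with the observed (port, TXID) pairs: scores their randomness, which is roughly what the dns-oarc.net test does with real queries, and runs a Monte Carlo race in which an attacker floods forged answers into each query window before the genuine reply arrives. The resolver models, the attacker's budget of forged replies per window, and the GREAT/GOOD/POOR cut-offs are this example's own assumptions, not figures from the thread or from the OARC test.

```python
"""
Added example: why the 2008 resolver patch (random source ports) matters.

Assumptions (not from the thread): the unpatched resolver uses one fixed source
port and a TXID counter; the patched one draws port and TXID uniformly at random;
the attacker can fire a fixed number of forged replies into each race window.
"""
import math
import random
from collections import Counter


class WeakResolver:
    """Pre-patch model: one fixed source port (53 here for illustration),
    transaction ID simply increments with every outgoing query."""
    def __init__(self, port=53):
        self.port = port
        self.txid = 0

    def next_query(self):
        self.txid = (self.txid + 1) & 0xFFFF
        return (self.port, self.txid)


class PatchedResolver:
    """Post-patch model: fresh random ephemeral port and random TXID per query."""
    def __init__(self, rng):
        self.rng = rng

    def next_query(self):
        return (self.rng.randrange(1024, 65536), self.rng.randrange(0, 65536))


def sample_queries(resolver, n):
    """Collect n outgoing queries as (source_port, txid) pairs."""
    return [resolver.next_query() for _ in range(n)]


def entropy_bits(values):
    """Shannon entropy of a sample in bits. Note it is capped at log2(len(values)),
    so 2000 samples can never show more than ~11 bits even for a 16-bit field."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def sequential_fraction(values):
    """Share of consecutive differences equal to the most common difference.
    Near 1.0 means the field is a counter: high sample entropy, yet trivially
    predictable. This is exactly what a bare entropy number cannot see."""
    diffs = [(b - a) & 0xFFFF for a, b in zip(values, values[1:])]
    if not diffs:
        return 0.0
    return Counter(diffs).most_common(1)[0][1] / len(diffs)


def grade(samples):
    """Verdict for a list of (port, txid) pairs. Cut-offs are example assumptions."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]

    def label(bits):
        return "GREAT" if bits > 10 else "GOOD" if bits > 6 else "POOR"

    port_bits, txid_bits = entropy_bits(ports), entropy_bits(txids)
    return {
        "port_bits": port_bits,
        "txid_bits": txid_bits,
        "port_label": label(port_bits),
        "txid_label": label(txid_bits),
        "predictable": sequential_fraction(ports) > 0.9 or sequential_fraction(txids) > 0.9,
    }


def win_probability(port_bits, txid_bits, forged_per_window):
    """Analytic chance of winning one window with distinct uniform guesses over
    port_bits + txid_bits bits of unknown state."""
    return min(1.0, forged_per_window / 2 ** (port_bits + txid_bits))


def simulate_race(resolver, windows, forged_per_window, rng, attacker_knows_port):
    """Fraction of query windows the attacker wins. Against a fixed-port resolver
    the port is learnt for free (it appears in every query the resolver sends to
    a server the attacker controls), so only the 16-bit TXID has to be guessed."""
    wins = 0
    for _ in range(windows):
        port, txid = resolver.next_query()
        if attacker_knows_port:
            wins += txid in set(rng.sample(range(65536), forged_per_window))
        else:
            guesses = {(rng.randrange(1024, 65536), rng.randrange(65536))
                       for _ in range(forged_per_window)}
            wins += (port, txid) in guesses
    return wins / windows


if __name__ == "__main__":
    rng = random.Random(2008)
    for name, res, knows_port in (("weak", WeakResolver(), True),
                                  ("patched", PatchedResolver(rng), False)):
        print(name, grade(sample_queries(res, 2000)))
        print(name, "win rate:", simulate_race(res, 500, 2000, rng, knows_port))
```

The weak resolver's TXID field scores well on entropy alone (two thousand distinct values) while the `predictable` flag exposes it as a counter, which is why the OARC-style test looks at more than a single bit count and why a verdict short of "Great" is a prompt to look closer rather than a proof of exposure. With both fields random the attacker faces roughly 2^32 combinations per window instead of 2^16, so the same flood that wins a few percent of windows against the fixed-port resolver essentially never wins against the patched one.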
webcams_brian
2008-08-01, 07:19 AM
Ya...OpenDNS (http://www.opendns.com/) is recommended if you're a little worried...
Ms Naughty
2008-08-01, 10:53 PM
OK, thanks for your reply Sparky that clears things up a bit. My ISP is officially "great."
:)