First published: 31st July 2008
It is probably quite difficult for anyone technical not to have noticed the recent news about the DNS cache poisoning vulnerability found by Dan Kaminsky. Suffice to say that this is a vulnerability in the server software and it is the administrators of the servers that need to fix it as soon as possible. For most users, this means their ISP has to fix it, and many have not.
How serious a problem is this for users, and how can they protect themselves? It is very serious for users, because an attacker can use the flaw to redirect them to another site - potentially very expensive, if the site in question is for online banking! Discovering whether the DNS you are using is vulnerable is as easy as going to Dan Kaminsky's blog and clicking on the button "Check My DNS". If that reports a problem, contact your ISP or system administrator and ask them to fix it. While you are waiting for the fix, you can:
- Change your computer's configuration to use the OpenDNS servers (which are 208.67.222.222 and 208.67.220.220)
- Only access "important" sites (i.e. your online banking, or anything else involving money) via SSL. Don't just check that the padlock icon is in the browser status bar: view the certificate and make sure it is valid.
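
What a "Check My DNS"-style test measures, shown as an added example (not code from Dan Kaminsky's checker or from this post): the fix for this flaw makes a resolver send each query from an unpredictable UDP source port, so a checker looks at how much the source ports of the resolver's outgoing queries vary. The sample port lists, the thresholds and the function name `rate_source_ports` are constructed for illustration.

```python
import statistics

# Constructed sample data: UDP source ports of ten consecutive queries sent by
# a resolver, as an authoritative server run by the tester would log them.
FIXED = [32768] * 10
SEQUENTIAL = [1025 + i for i in range(10)]
CLUSTERED = [1024 + n for n in (3, 97, 45, 12, 88, 61, 7, 120, 33, 70)]
RANDOMIZED = [51234, 1893, 40211, 27650, 60102, 9921, 33817, 15544, 47290, 22068]

# Assumed thresholds for this example (not taken from any particular checker).
MIN_SAMPLES = 5
MIN_STDEV = 4000  # population standard deviation of the port numbers


def rate_source_ports(ports):
    """Return (verdict, reason) for a list of observed query source ports."""
    if len(ports) < MIN_SAMPLES:
        raise ValueError(f"need at least {MIN_SAMPLES} observed queries")
    if any(not 0 < p < 65536 for p in ports):
        raise ValueError("source port out of range")
    # One port for every query: only the 16-bit query ID is left to guess.
    if len(set(ports)) == 1:
        return "VULNERABLE", f"every query came from port {ports[0]}"
    # A constant increment is as predictable as a fixed port.
    steps = {b - a for a, b in zip(ports, ports[1:])}
    if len(steps) == 1:
        return "VULNERABLE", f"ports advance by a constant step of {steps.pop()}"
    # Ports that vary but stay in a narrow band are still easy to cover.
    spread = statistics.pstdev(ports)
    if spread < MIN_STDEV:
        return "WEAK", f"ports vary but are clustered (stdev {spread:.0f})"
    return "OK", f"ports look unpredictable (stdev {spread:.0f})"


if __name__ == "__main__":
    samples = [("fixed", FIXED), ("sequential", SEQUENTIAL),
               ("clustered", CLUSTERED), ("randomized", RANDOMIZED)]
    for name, ports in samples:
        verdict, reason = rate_source_ports(ports)
        print(f"{name:<11} {verdict:<10} {reason}")
```

A resolver behind a NAT device can rate worse than the resolver software alone would, because the device may rewrite the source ports to predictable values.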
Note to Robert McMillan: in the context used in your article, "owned" is normally spelt "pwn3d".