Virginia Commonwealth University

Make it real.

The cat’s out of the bag – DNS flaw details revealed

On July 9th security researcher Dan Kaminsky announced a serious flaw in DNS. Dan had been working with vendors to address it, but he refused to share the details until Black Hat USA 2008 in August. But now the cat’s out of the bag. Halvar Flake took a stab at it, then Matsano Chargen accidentally posted <a href="full details about it, then Dan cryptically acknowledged it had been disclosed.
The flaw makes it possible to perform DNS cache poisoning attacks. DNS (Domain Name System) is analogous to a phone book. Your computer sends a hostname to a DNS server and it returns a numeric IP address, in the same way that you look up a name in a phone book to find out a phone number. If a DNS cache poisoning attack is performed successfully, your computer is returned an IP address that belongs to the attacker instead of the correct IP address.
This is serious since all Internet services (web, email, IM, etc.) rely on DNS. You could think you’re logging into Bank of America, but really be logging into the attacker’s website. Same with your email. Then the attacker would have your login credentials and any other information you entered.
If you manage a DNS server, patch it ASAP.
To check if the DNS server you use is vulnerable, visit DoxPara and click “Check My DNS”. If you’re checking from your home Internet connection, this is likely your ISP’s DNS server.

About This Entry

Published on Wednesday, July 23, 2008, at 1:19 pm by Samuel Kennedy in the Information Security blog.
Categories: Information Security

Need Help?

If you need immediate assistance, please contact the Help Desk at (804) 828-2227 or submit a ticket online. You can also submit feedback through our Feedback form above or leave a comment on specific blog entries.

Don't Get Phished

Don't be a phishing victim - VCU and other reputable organizations will never use email to request that you reply with your password, social security number or confidential personal information. Learn more about phishing »

Commenting has been disabled for this entry.