DNS Woes: How Worried Should You Be? Pretty Dang Worried!

Yesterday's news that the first DNS attack strategies are circulating was no surprise: once a vulnerability -- large, small or in-between -- is discovered, the exploit code follows like rats nipping at the heels of the Pied Piper. The question is, how worried should you be about this particular vulnerability? Pretty worried, is my take.

Keith Ferrell, Contributor

July 25, 2008

2 Min Read
Dark Reading logo in a gray background | Dark Reading

Yesterday's news that the first DNS attack strategies are circulating was no surprise: once a vulnerability -- large, small or in-between -- is discovered, the exploit code follows like rats nipping at the heels of the Pied Piper. The question is, how worried should you be about this particular vulnerability? Pretty worried, is my take.Dan Kaminsky, who revealed the flaw in the Domain Name System (DNS)that accurately routes traffic on the Internet, took a deep breath and posted a long, thoughtful and essentially jargon-free guide to DNS operations and the DNS flaw.

Kaminsky notes that he wrote the entry, at least in part, as a document to be shared with management, the sort of thing to pass along to those whom you want (or wish) to know more about what it is you're up against in keeping systems safe and effective and functional.

As Kaminsky points out, as everybody has been pointing out (bMighty included), the industry's patch response to the problem has put the tools out there to begin dealing with the potential attacks, if not, alas, to thoroughly address the fundamental weaknesses in the naming system.

The problem, and the reason I'm arguing that the DNS situation is a cause for real and ongoing worry, is that we've seen again and again that a large percentage of businesses and a far larger percentage of users take a laissez faire (at best!) approach to patch management, even for well-known and already under-attack vulnerabilities.

Never was any excuse for such laxness and there is a lot less excuse now. If you're running DNS servers, patch them; make sure that your Windows machines have the Windows DNS patch installed.

And once you've done that -- and run a DNS test; there's a DNS tester on Kaminsky's page -- keep worrying.

Because you don't have any guarantee that the DNS server next door or down the block or halfway around the world has patched its holes. You can, in fact, be pretty confident (if that's the word) that plenty of them haven't.

Check out, for instance, this story about the slow ISP response to patching the DNS flaw.

And if some of the biggest businesses are dragging their patch management feet, think about how things are going at smaller, underfunded and overworked companies.

DNS flaws and available but uninstalled patches: What, me worry?

You bet.

Read more about:

2008

About the Author

Keith Ferrell

Keith Ferrell

Contributor

See more from Keith Ferrell
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Subscribe

You May Also Like

More Insights
Webinars
More Webinars
Events
More Events

Editor's Choice

Pegasus Spyware concept with binary code background
Endpoint Security
WhatsApp: NSO Group Operates Pegasus Spyware for CustomersWhatsApp: NSO Group Operates Pegasus Spyware for Customers
byJai Vijayan, Contributing Writer
Nov 18, 2024
4 Min Read
Laptop with Palo Alto networks logo
Cyberattacks & Data Breaches
Palo Alto Networks Patches Critical Zero-Day Firewall BugPalo Alto Networks Patches Critical Zero-Day Firewall Bug
byBecky Bracken, Senior Editor, Dark Reading
Nov 18, 2024
3 Min Read
ChatGPT, typed out on a screen
Сloud Security
ChatGPT Exposes Its Instructions, Knowledge & OS FilesChatGPT Exposes Its Instructions, Knowledge & OS Files
byNate Nelson, Contributing Writer
Nov 15, 2024
4 Min Read
Reports
More Reports
Webinars
More Webinars
White Papers
More Whitepapers
Events
More Events