DNS: A flag day for the Internet?

As defined on Wikipedia:

* Jargon: Flag day is also a term used in discussing computer systems to denote a change which will require a complete restart or conversion of a sizable body of software or data. This usage of the term originates from an obscure such change in the Multics operating system’s definition, which was scheduled for the US’s Flag Day, June 14th, 1966.

* One such day is January 1 1983, the day when the ARPANET changed from NCP to the TCP/IP protocol suite.

A flaw has apparently been found in the DNS system that most of the Internet uses. (Secure DNS doesn’t have this problem, but it’s used by very few people.) It’s not just a problem with a particular implementation of DNS. It’s a problem that every single implementation apparently suffers from. It’s very, very scary, and just about every vendor has pushed out a fix ahead of the release of the details of the problem. I’ve spent some of today updating every single machine that I have access to. You should do the same.

In addition, it sounds like anyone with DNS behind NAT might also be in a very bad place. I have this little crappy Verizon router that proxies my DNS (including redirecting me to an ad-based site whenever I mis-type a DNS address) – I wonder if it’s going to have the same problem? Is it something that Verizon can fix? I know that it won’t hand out DHCP nameserver addresses for anything other than itself, so anything that trusts that data will be equally vulnerable. Scary thought, eh? How many people at home are going to be vulnerable?
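One check worth running after patching, added here as an example and not part of the original post: capture the UDP source ports a resolver uses for its outbound queries (on the upstream side of any NAT, since a home router like the one above can rewrite them) and score the sample for fixed, sequential or narrow port use. The verdict thresholds are assumptions, not values from any vendor's test, and the three port samples are constructed, not real captures.

```python
from collections import Counter

# Minimum sample size before a verdict is meaningful (assumed threshold).
MIN_SAMPLES = 16

def sequential_fraction(ports):
    """Fraction of adjacent samples that step by exactly +1 (a counter, not a PRNG)."""
    steps = [b - a for a, b in zip(ports, ports[1:])]
    return sum(1 for s in steps if s == 1) / len(steps)

def assess_port_randomization(ports):
    """Return (verdict, stats) for UDP source ports observed in capture order."""
    if len(ports) < MIN_SAMPLES:
        raise ValueError(f"need at least {MIN_SAMPLES} samples, got {len(ports)}")
    distinct = len(set(ports))
    spread = max(ports) - min(ports)
    seq = sequential_fraction(ports)
    # Share of queries on the single most used port: high values suggest a NAT
    # or proxy collapsing many queries onto a few ports.
    top_share = Counter(ports).most_common(1)[0][1] / len(ports)
    stats = {"distinct": distinct, "spread": spread,
             "sequential": round(seq, 2), "top_share": round(top_share, 2)}
    if distinct == 1:
        verdict = "FIXED"        # one source port for every query: unpatched behaviour
    elif seq >= 0.5:
        verdict = "SEQUENTIAL"   # port increments per query: trivially predictable
    elif spread < 1024 or top_share > 0.25:
        verdict = "NARROW"       # varies, but over too small a range to add much entropy
    else:
        verdict = "RANDOMIZED"
    return verdict, stats

# Constructed samples (not real captures).
FIXED_PORTS = [53] * 24
SEQUENTIAL_PORTS = list(range(32768, 32792))
RANDOM_PORTS = [49812, 33201, 61004, 1735, 58990, 20447, 39912, 7301,
                52266, 44180, 12999, 63020, 27555, 35842, 9081, 55510,
                18734, 42097, 60311, 30022, 4508, 47763, 23319, 51140]

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORTS), ("sequential", SEQUENTIAL_PORTS),
                         ("random", RANDOM_PORTS)):
        verdict, stats = assess_port_randomization(sample)
        print(f"{name:10s} {verdict:10s} {stats}")
```

A few dozen ports from a packet capture on the resolver's upstream interface are enough input; a "FIXED" or "SEQUENTIAL" verdict after an update means the patch is not actually in effect on the path you measured.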

This also helps to prove the point that software is no longer static. It can’t be. You can’t just deploy and forget about it. Software without service isn’t worth anything because we’re all connected and we’re all going to be vulnerable at some point.

Here’s a transcript of the video listed below. It’s worth reading.

This entry was posted in DNS, Security.

7 Responses to DNS: A flag day for the Internet?

  1. makkara says:

    In case you are doing something valuable, you should be using technologies like SSL anyways. In this era of availability of proper CA signed certificates you are safe from DNS attacks.

    You will instantly notice if someone gets between you and your services as the browser warns you instantly about broken certificates. In case the attacker also is able to steal someone’s private keys, a little DNS haxxoring is least of your problems in any case…

    And to think of it, many people have whined when Mozilla folks decided to make it less convenient to add exceptions about broken (most usually amateur self signed, but…) certificates. Sigh.

  2. nossralf says:

    Djbdns and PowerDNS don’t suffer from this flaw, since they do proper source port randomization. It’s, frankly, hilarious that Dan Bernstein has managed to write not only qmail but djbdns as well, and no one has yet claimed the $500 reward for exploits of either.

  3. blizzard says:

    djb definitely had his day with this one. :)

  4. Router vendors should provide firmware updates to fix the DNS issue. I use Tomato firmware, and it released an update:

    http://www.polarcloud.com/tomato

    That being said, I personally wouldn’t worry about it too much. ;)

  5. Pingback: Geek Alert: Dan Kaminsky on the DNS Bug of 2008 by OreillyMedia @ YouTube - mmb

  6. Wes Felter says:

    It’s not a flag day since unpatched machines can still communicate with patched ones.

  7. Pingback: ${me:-whatever} » The Ultimate DNS Bug?
