Massive Internet Security Upgrade

Robert Gauld

I was all set to post one of a few 'ready to go' blog posts today when I ventured upon this story - Firms Tackle Security Flaw In Web Addressing System.

So apparently there's some big bug (sorry, security vulnerability) in DNS. So much so that the details are being kept secret by the likes of Microsoft for 30 days to allow people time to update their machines. Apparently this is the biggest simultaneous update of the internet.

Obviously for the next 30 days all I can do is guess what the problem is, but what could it be?

Well, the article talks of the "ability to take over portions of the internet", so does that mean that, assuming the servers responsible for looking up .com addresses are vulnerable, you can't be sure that something.com goes to the right place? I don't think so - that would hardly be such a big thing, only a very small number of DNS servers would need to be updated (small compared to the number of DNS servers on the web).

I think by "ability to take over portions of the internet" what they are actually going on about is that some weakness in an ISP's DNS servers would allow those servers to become untrusted. So say that isp.net was to get attacked, then all their customers could not trust that they are seeing the correct site. Is this guess right? Well, only time will tell.

Before finishing the post, you might want to check out treewalk, which is a DNS server which runs on your local machine. The advantage is that it is set up to go to the root servers on the web for each address it has not cached. A firewall (like the built-in Windows one) will stop anything getting into it. I can only speculate that this would be a safeguard.

Update (16/7/08)

Check if the DNS servers you're using are safe here.

Update (1/8/08)

After listening to Security Now for this week I've got another test link for you - entropy.dns-oarc.net/test.