Now is the time to patch those unpatched DNS servers. Details have leaked. - tlrobinson
http://security4all.blogspot.com/2008/07/now-is-time-to-patch-those-unpatched.html

======
tlrobinson
Test your ISP / DNS server with this command:

    dig +short porttest.dns-oarc.net TXT

If you see "from 1 ports" it's unpatched and you should switch to OpenDNS
immediately. If it says "from 26 ports" (approximately) you're fine.

~~~
cstejerean
I'm seeing

"x.x.x.x is POOR: 26 queries in 2.1 seconds from 24 ports with std dev 135.99"

Is this good or bad?

~~~
tlrobinson
I think that's fine, as long as it's not "1 ports".

The idea is that the patches randomize the source port, which the attacker
won't know, so you'll ignore any responses that don't match. (it's still
_possible_ to guess the correct port number, but much much harder)

If you get "1 ports" for 26 queries then it's always using the same port
(bad!), but if you get somewhere around 26 ports for 26 queries then it's
using random ports (since it's random it won't always be 26 distinct ports,
which is why it sometimes shows 24 or 25)

I'm no expert but this is what I understand of it. tptacek, feel free to
explain it better (just kidding!)

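As an added example, not part of the thread: a small Python script that parses the porttest TXT answer quoted above, computes the two figures the test reports (distinct source ports and their standard deviation) for constructed samples of resolver source ports, and rates them. The spread cut-off is an assumed value for illustration, not OARC's published threshold; it shows why the test can rate many distinct ports that sit in a narrow band as POOR, since ports clustered close together are far easier to guess than ports spread over the whole range.

```python
import random
import re
import statistics

# Shape of the TXT answer quoted in the thread, e.g.
# "x.x.x.x is POOR: 26 queries in 2.1 seconds from 24 ports with std dev 135.99"
PORTTEST_RE = re.compile(
    r"(?P<addr>\S+) is (?P<rating>\w+): (?P<queries>\d+) queries in "
    r"(?P<seconds>[\d.]+) seconds from (?P<ports>\d+) ports with std dev (?P<stddev>[\d.]+)"
)
# Assumed cut-off for this example, not OARC's published threshold: a spread this
# small means the ports sit in a narrow or sequential band and are guessable.
MIN_GOOD_STDDEV = 3000.0

def parse_porttest(txt: str) -> dict:
    """Split one porttest TXT record into its fields, converting the numbers."""
    m = PORTTEST_RE.search(txt.strip().strip('"'))
    if not m:
        raise ValueError(f"unrecognised porttest answer: {txt!r}")
    fields = m.groupdict()
    fields["queries"], fields["ports"] = int(fields["queries"]), int(fields["ports"])
    fields["seconds"], fields["stddev"] = float(fields["seconds"]), float(fields["stddev"])
    return fields

def summarize_ports(ports: list) -> tuple:
    """Distinct source ports and their population standard deviation, the two
    figures the test reports for the queries it saw from a resolver."""
    distinct = len(set(ports))
    spread = statistics.pstdev(ports) if len(ports) > 1 else 0.0
    return distinct, round(spread, 2)

def classify(queries: int, distinct: int, spread: float) -> str:
    """The thread's rule of thumb plus a spread check: one port for every query is
    the unpatched case, and many distinct ports that sit close together are
    still predictable, so both come out POOR."""
    if distinct <= 1 or spread < MIN_GOOD_STDDEV:
        return "POOR"
    if distinct < 0.75 * queries:
        return "FAIR"
    return "GOOD"

# Constructed samples of the source ports 26 queries might leave behind.
FIXED = [53] * 26                                # unpatched: "from 1 ports"
SEQUENTIAL = list(range(32768, 32768 + 26))      # 26 ports, but in lockstep
RANDOM = random.Random(7).sample(range(1024, 65536), 26)  # randomised ports

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED), ("sequential", SEQUENTIAL), ("random", RANDOM)):
        distinct, spread = summarize_ports(sample)
        print(f"{name:10s} {distinct:2d} ports, std dev {spread:8.2f}: {classify(26, distinct, spread)}")
```
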
------
patrickg-zill
Most Linux distributions, and Blastwave.org packages for Solaris, have already
been updated, so "yum update", "apt-get update; apt-get upgrade" or the
equivalent for your system followed by restarting the DNS server should fix
it.

------
bootload
_"... So what happened? Matasano had an article ready with some more details
on the DNS vulnerability for after Blackhat and posted it in error. They
removed it as soon as they noticed it. ..."_

Hey tptacek ~ <http://news.ycombinator.com/user?id=tptacek> hangs around HN.
What's the beef, Thomas?

~~~
tptacek
Today is not an awesome day.

~~~
andreyf
Don't sweat it too much... we all make mistakes. What matters isn't if you
make them or not, but how you respond when you do - and so far, you seem to
have done great :)

------
cperciva
This is why coordinated advisories are generally kept to as small a group as
possible. It's one thing to trust that people won't leak things deliberately
-- it's quite another to trust that mistakes won't happen.

With all due respect, this isn't Thomas's fault -- it's Dan's fault for
telling more people what was going on than was absolutely necessary.

~~~
tptacek
Thank you, Colin, but this is entirely my fault. People need to be able to
tell us things and trust that they won't hit Slashdot. We made a terrible
error in judgement, and we deserve the hits.

~~~
cperciva
_People need to be able to tell us things_

Why? I'm sure that telling you all the details was the easiest way for Dan to
convince you that this issue was real -- but there are other approaches he
could have taken... starting with "look, ISC and $LONGLISTOFVENDORS have
issued security advisories, and they're not idiots".

It seems to me that what happened is that Dan's ego was stung by having you
publicly mock his work, and he didn't stop to think about how the situation
could best be handled. And really, that sort of thin skin is unforgivable in
this business.

~~~
tptacek
I wrote something here but for once I think I'm just going to shut up about
something.

------
csmajorfive
Never mind -- I understand the severity of it now. Seems like a novel angle to
an old problem: collidable QIDs used to verify the sender.

------
mleonhard
Is there anybody who couldn't guess the vulnerability from the first
announcement and the test webpage?

------
ajkirwin
Why is it so very bad that this leaked?

~~~
corentin
It's as bad as a dramatic event happening in a cheap soap opera; which, for
that matter, perfectly describes what this so-called computer security
industry actually is.

Some of those guys are very brilliant engineers indeed, but at some point they
should realize that there are a lot of brilliant engineers building bridges,
cars and stuff as well, and they usually have much less inflated egos.