Friday, July 11, 2008

Major Internet Flaw Discovered

U.S. security experts have discovered a major flaw in the design of the Internet's address system that affects virtually every corporate computer network. 

The flaw in the Domain Name System could allow hackers to steer most people using corporate networks to malicious Web sites, The Los Angeles Times reported Wednesday.

So far, hackers haven't taken advantage of the flaw, and the security experts say every major software company affected is in the process of issuing patches to fix the problem.

The man who discovered the flaw, Dan Kaminsky of the Seattle-based security firm IOActive Inc., says he hopes the patches will be broad enough that hackers won't be able to reverse-engineer them.

"We got lucky in this particular bug, because it's a design flaw," says Kaminsky. "It shows up in everyone's network, but the fix is a design fix that doesn't point directly at what we're improving."

Kaminsky says it took only a couple of hours to find the flaw but fixing it will take several months.

- Make sure you keep all internal DNS requests internal: block them at the firewall and use a DNS proxy or "external" DNS server to make requests on their behalf.
- There is little need to use recursion within the internal network.
- If using Server 2003 from Microsoft, set up all internal DNS servers as "secondaries".
- Remove the DNS root servers from your internal/secondary DNS servers so they cannot send requests out through the firewall/DNS proxy server. Replace them with your last-hop "external" DNS server.
- Point all internal DNS servers to the "external" DNS proxy server or DNS server instead of the root name servers.
- Avoid using forwarders that point to external DNS servers like your ISP's or the root DNS servers. Force the DNS clients and internal DNS servers to make the request by forwarding directly to the DNS proxy or DNS server that is the "external" or last hop out.
- Set up DHCP so that client computers use the appropriate internal DNS server for their network/subnet.
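One way to check that the layout in the list above is actually enforced is to audit firewall logs for DNS traffic that leaves the internal network from any host other than the "external" DNS proxy. This is an added example, not part of the original post; the log format, the address ranges and the proxy address are all constructed assumptions.

```python
import ipaddress

# Assumptions (constructed for this example): the internal ranges, the address
# of the "external" DNS proxy, and a simple firewall log format:
#   "<action> <proto> <src_ip>:<sport> -> <dst_ip>:<dport>"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DNS_PROXY = ipaddress.ip_address("10.0.0.53")

# Constructed sample log lines (external addresses are documentation ranges).
SAMPLE_LOG = """\
ALLOW udp 10.0.0.53:41022 -> 198.51.100.7:53
ALLOW udp 10.1.2.30:53211 -> 10.1.0.10:53
ALLOW udp 10.1.2.44:50113 -> 203.0.113.9:53
DENY udp 10.1.0.10:1029 -> 192.0.2.4:53
ALLOW tcp 10.1.2.30:49800 -> 203.0.113.80:443
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def parse(line):
    """Split one log line into (action, proto, src_ip, dst_ip, dst_port)."""
    action, proto, src, _arrow, dst = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return (action, proto, ipaddress.ip_address(src_ip),
            ipaddress.ip_address(dst_ip), int(dport))

def audit(log_text):
    """Return (leaks, blocked): sources of DNS egress that bypassed the proxy,
    split into flows the firewall allowed and flows it denied."""
    leaks, blocked = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        action, _proto, src, dst, dport = parse(line)
        if dport != 53 or not is_internal(src) or is_internal(dst):
            continue  # not DNS leaving the internal network
        if src == DNS_PROXY:
            continue  # the one host expected to query outside
        (leaks if action == "ALLOW" else blocked).append(str(src))
    return leaks, blocked

if __name__ == "__main__":
    leaks, blocked = audit(SAMPLE_LOG)
    print("allowed DNS egress bypassing the proxy:", leaks)
    print("denied at the firewall (host still querying outside):", blocked)
```

An allowed entry means the firewall rule is missing; a denied entry means the firewall is doing its job but the host (for example an internal DNS server that still has outside servers configured) needs to be repointed at the proxy.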