TV version (Display Regular Site)

Skip to: Navigation | Content | Sidebar | Footer


Weblog Entry

OpenDNS

July 28, 2008

I’m wading deep into unfamiliar water here, so take my assessment with a grain of salt because I’m not sure I’m describing it totally accurately. But this strikes me as a Big Deal that needs to be disseminated as far and wide as possible, and quickly.

This weekend a relatively recent DNS flaw finally crossed my radar. Knowledge of the problem has been public for a few weeks, but the threat escalated over the past few days as proof of concept exploits have started showing up and reports of actual attacks have filtered in. This a flaw in the Domain Name System, a fundamental piece of the internet’s infrastructure, that allows an attacker to redirect your internet connection. It has been described one of the most significant internet security problems in the past decade.

For example, you might type gmail.com into your browser’s address bar, and instead of reaching Google’s servers, the attacker would be able to serve whatever he or she wishes. They may give you a harmless spam site, but it would be just as easy for the attacker to clone GMail and make it look authentic. As soon as you attempt to log in, the attacker has your username and password, and your account is, as they say, pwned. (It occurs to me they may not be able to replicate the security certificate so there might be warning signs, but given that most people will assume they’ve correctly reached the legitimate GMail those will likely be overlooked.)

It could be GMail, it could be your bank, it could be every single web site you visit. With this flaw in an unpatched state, you essentially cannot trust domain names.

The good news is that vendors of server software have already (for the most part) released patches that fix this security hole. This is a problem that service providers should be addressing, not necessarily end users like you or me.

But the bad news is that your particular DNS server may or may not have applied the patch. Go to DoxPara Research and hit the “Check My DNS” button to see if your computer is vulnerable. Mine was.

In that case, what you can do to immediately protect yourself is stop using your service provider’s DNS and switch over to OpenDNS, a free ad-run alternative that stays up to date with their patches. I’ve pointed my computers and my routers at the service, and aside from the peace of mind, I’m tempted to say DNS resolution feels a bit faster too. Your mileage may vary, as speed is very geography-specific and I happen to be near one of their datacenters.

But wait, there’s more. Further bad news for anyone using Apple products: no patch exists yet, the theory being that the recent tumultuous iPhone 3G and MobileMe product launches have been too distracting. Whatever the reason, if you use Apple operating systems, even with OpenDNS you are still vulnerable until a patch is available. OS X Servers are more likely targets for potential attacks, but even desktop computers are not totally safe.

So, um, cross your fingers?

(If I’ve missed nuances about the situation or mischaracterized anything, please feel free to add additional information in the comments.)


July 28, 11h

If your ISP hasn’t patched their DNS servers, I’d venture OpenDNS isn’t going to help any. Simply because if they are so lax that they haven’t fixed this problem, there’s likely a chronic security issue. I wouldn’t trust anything.

I’d then consider a new DNS provider.

I’m not really fond of them redirecting Google requests either… IMHO that’s a slippery slope. As a result I never switched.

July 28, 11h

Dave,

Thanks for writing about OpenDNS and the DNS vulnerability. Just a quick note – we were actually never vulnerable, not just up to date on patches.

We aren’t running your run of the mill DNS server (hence all the features we’re able to offer) and many of the security practices we follow made us immune to this specific attack.

Thanks and happy surfing,
David Ulevitch (OpenDNS)

July 28, 11h

Robert – Just a quick note regarding the Google proxy.

1) We peer with them at all sites, so there’s no latency increase.
2) We (like everything) let you turn it off in your account, and make it crystal clear.

We find that it solves a major support headache, with little negative impact. We don’t store the logs or use them for anything either, naturally. It just makes our service work dramatically better for our users, while giving them the best of both worlds – opendns and google.

July 28, 11h

OpenDNS does make a good solution for the short term though. If you don’t have an email account or website through your ISP I can’t really see much more there is to worry about other than their DNS server software

5
Brandon Moser says:
July 28, 11h

Dave, if you are using a Mac behind your home router pointed to one of OpenDNS’s servers you are “protected”. If you are using a Mac and Mac Servers as your DNS, then you have issues. Of course the workaround there is to point the Mac servers to OpenDNS. Just thought you would like to know.

prisca says:
July 28, 11h

Thanks for this post, Dave ;)

Though I have to admit I don’t quite understand it all - I will definitely look into it and be more aware.

Thanks :)

Dave S. says:
July 28, 12h

@Brandon Moser - “if you are using a Mac behind your home router pointed to one of OpenDNS’s servers you are protected”

This article suggests to me that the DNS server is one half of the equation, but even with a patched server, Macs may still be vulnerable:

http://db.tidbits.com/article/9706

The key line being “individual computers that look up DNS are vulnerable”. ie. the server is the biggest problem, but there’s also a basic client-side software component that needs addressing.

8
James says:
July 28, 13h

“Although the desktop version of Mac OS X is also technically vulnerable, current attacks are directed at servers, so there’s no need to panic.”

Your desktop machine really should NOT be serving up DNS at all, and as such, I can’t see how desktop machines could even be vulnerable. They are “technically” vulnerable because you COULD be serving DNS locally, although it would only be done by people that purposefully have set up a DNS server on their desktop machine. You have not done this, so your desktop machine isn’t vulnerable to this, except for when it’s querying a vulnerable DNS server.

Yes, your desktop machine does store a cache of domain name lookups, but those only come from your DNS server in the first place. If you do replace your DNS server with a trusted one, you should be fine.

Colin says:
July 28, 14h

So, how much coin did you receive from OpenDNS to write up this little scare piece to promote their service?

Lame.

Dave S. says:
July 28, 14h

What, are you kidding? You didn’t click through the links in the post that clearly verify the widespread discussion on multiple sites about this issue before making your baseless accusation?

I’d never heard of OpenDNS before yesterday. I haven’t received a cent of theirs or anyone else’s money to write this.

Troll.

July 28, 14h

Colin is being funded by some company called “Working on it!” But, ironically, it’s not working.

Anyway, I’ve heard about OpenDNS for a while now, but have never fully understood what it does or what the benefits are, so maybe I’ll just have to give it a shot.

Christian says:
July 28, 16h

Hi Dave,

I want to thank you for this post. I’ve been following the issue as I’m currently an info sec professional, and it was reassuring to see one of the non-info sec blogs, possibly with wider audience than all the other sec blogs I read, post about this issue.

It was also interesting to see your process followed the same that I used, I am now using OpenDNS temporarily too.

Thanks,

Christian

13
Colin says:
July 28, 20h

Fair enough, Dave S. You proved me wrong.

I’ve just heard of these things going on, and the fact that I’ve seen this same thing about OpenDNS popping up everywhere, well, kinda reinforced the possibility.

My mistake. Meant no harm.

Robert says:
July 28, 22h

Thanks for the heads up!

I wonder if OpenDNS would work for higher latency connections, too. Any experiencies?

July 28, 22h

I’ve been watching this story quietly, but we got the company wide notice to patch all necessary DNS holes at the end of last week. However, this little tool will be my true test. Thanks a lot for the link.

July 29, 03h

An attacker wouldn’t need to worry about gmail’s certificate at all. If you type gmail.com into your browser, that that starts a plain old HTTP request which doesn’t require a certificate.

Google itself may forward you onto a secure site, but an attacker doesn’t need to. They can just present you with a replica of the page. Once you type in your username and password, it’s game over.

July 29, 03h

This so called “DNS Bug” isn’t really a new thing. It was discovered back in 1990 but was kept a secret until 1995 while developing a new Domain Name System. Since the spread of the old system was so wide, it became more of an extension instead, known as DNSSEC (Domain Name System Security Extensions).

Even if the DNSSEC is more or less finished the deployment is going slow because it has to be made in the root of the top-levels (.com, .net etc)

Sweden (.se), where I’m from was the first country to deploy it and I think there are a few other countries aswell that has.

However you (every each domain-name owner) must activate it yourself on a web host that support/has it installed.

More info:

http://en.wikipedia.org/wiki/DNSSEC
http://www.dnssec.net/

rainer says:
July 29, 04h

As I read the news, it’s not the apple end-user devices that are still vulnerable but it’s the DNS providers using an apple OS to run their DNS. And I think that’s more dangerous because normally you never know what your ISP’s using.

But on the other hand, I’ve read that SSL Certificates are not in trouble. So if you read you’re browser’s warning boxes about certificates carefully you may get along without harm.

But anyway it’s a big thing and I think there are some more problems ahead - now that the Internet has reached everydays live…

July 29, 06h

@David Ulevitch: Cool to see you actually reply.

It seems if you disable this feature, you also disable “Block Categories”, one of the biggest selling points of OpenDNS. Once you disable that feature (which I admit is a great one that I miss out on)… what’s the point?

Daryl says:
July 29, 06h

I actually switched to OpenDNS a week ago after my ISP (who may or may not be named Rogers) implemented their own DNS hijacks. It’s cool to read that someone I respect and read regularly has made the same decision (albeit for a different reason).

August 08, 23h

Good to hear that OpenDNS blocks these attacks. I’ve been using OpenDNS for a while now. What got me using it was the URL auto-correction, but it has also always seemed a bit faster. I’ve never exactly liked using ISP DNS servers as they tend to jack with things and can be quite pokey at times. For a long time I was mooching off a University DNS server I’d memorized from a long time back.

22
Christopher H says:
August 10, 01h

Here a little more info:

Securityfocus.com actually published a very good series of articles in relation to this. They may be operated by Symantec, but they manage to put out some good information - including an article by the architect of the collaboration and patch (Dan Kaminsky).

http://www.doxpara.com/?p=1162
(This is Dan’s original article about the issue - from his website)

http://www.securityfocus.com/news/11526
(talks about the collaboration)

securityfocus.com/news/11529
(talks about the initial patching fallout)

securityfocus.com/brief/785
(talks abotu Apple’s DNS flaw issues)

(no, I don’t work for Symantec - I just find this site a one of many great sources of information on the security side of things)

August 13, 14h

Great - thanks for pointing this out. Done.

August 14, 04h

What was amazing about this issue was that BIND (the most popular DNS server was still vulnerable, and a lot of BIND clones like Microsoft are also vulnerable), given that this problem was pointed out by Dan Bernstein as part of his 1997 personal battle to improve internet security. He started by writing a secure email server, and then a DNS server in 1999.

The specific issue that has just been exploited was reported to bind on 29 July 2001, after they had made a half hearted attempt at a patch.

http://cr.yp.to/djbdns/forgery-cost.txt

From the CERT Advisory: “Daniel J. Bernstein is credited with the original idea and implementation of randomized source ports in the DNS resolver.”

We use his DNS software since it is much faster, easier to automate and has never had a security exploit. Not surprisingly was protected against this exploit by design. It also is guaranteed not to have security exploit. (With an explicit exclusion of the problems caused by the current protocol)

See http://cr.yp.to/djbdns/guarantee.html

There are now plenty of alternatives to using BIND, and it is amazing the number of ISP’s that still use it.

Their will be more attacks see the ICANN discussion.

http://public.icann.org/en/node/1176

Since as previously discussed DNS needs a new architecture and DNSSEC is a flawed solution.

August 22, 16h

Holy Schneikes, I read ‘net news almost daily and I had no idea. This is quite alarming! Is there anything that site owners can do (or encourage our webhosts to do)?

September 12, 22h

Earlier this year I believe I was a victim of this hack, although no one could give me a straight answer. I live in Florida and use AT&T (formerly BellSouth) DSL at home. I’m a designer and I noticed some slight differences or flaws in a couple of sites I was logging into but it was already too late and my password had been captured.

One day I did a lookup of my IP address and it did not resolve to Bellsouth. I turned my router off for a few minutes, turned it back on and then I had a different IP address that did resolve to Bellsouth. I’m not entirely sure this was the same hack but I thought it was worth mentioning.

Michael says:
October 17, 01h

One thing to be aware of if you do use OpenDNS is that users mistyping domains are sent to a helpful “OpenDNS guide portal” with adverts.

The US ISP Roadrunner ( http://www.fka200.com/2008/02/22/road-runner-now-hijacking-not-found-mistyped-websites/ ) and Verisign ( http://slashdot.org/article.pl?sid=03/09/16/0034210 ) have received flack for redirecting mistypes to pages that include adverts in the past.

28
David Robarts says:
October 28, 09h

The article looks to me as if only Mac users running the DNS server distributed by Apple (an unpatched version of BIND) are vulnerable. There is nothing that indicates that DNS client software that an ordinary Mac user would use prevents users from protecting themselves.

I first heard about OpenDNS when I heard about drive by pharming (cross site request forgery used to change configuration of routers from within the LAN). I changed my PowerBook to use OpenDNS so I didn’t have to rely on the router configuration to provide a good DNS server. I also changed my home router to use OpenDNS to take advantage of OpenDNS’s features. Unfortunately in Leopard I can’t configure my Mac to use only the manually configured DNS servers while getting other IP configuration information via DHCP. So if you use your Mac on a network you don’t control it is possible that it will use an vulnerable DNS server. Fortunately for me I rarely use my Mac on any network other than my home and the network at school both of which are safe.

The reason OpenDNS can get away with redirecting to a guide page with adverts is that users generally opt in to use OpenDNS and have the ability to choose to enable or disable any of the features (however, network administrators can choose OpenDNS and its configuration without end user choice).

29
Ran says:
November 12, 07h

The first idea is - very usefull: Open DNS should protect against phishing and typos
but slower response time of the DNS server.