Patch DNS Servers Faster

51mon writes "Austrian CERT used data from one of their authoritative DNS server to measure the rate at which the latest DNS patch (source port randomization) is being rolled out to larger recursive name servers. While about half the traffic (PDF) they receive is now using source port randomization, their data suggest that this is due to ISPs who roll out such fixes immediately. The rate of patching has fallen to disappointingly low levels since. If your ISP isn't patched, perhaps it is time to switch." After details of the DNS vulnerability leaked, researchers |)ruid and HD Moore released attack code; ZDNet's security blog has an analysis.

Switch DNS Servers, NOT ISPs

[masdog]

You don't need to switch to a new ISP if they haven't patched yet - just switch to a new DNS server such as OpenDNS.

Am I safe?

[Anonymous Coward]

How can I know if my ISP has patched its DNS servers?

Monopoly

[Anonymous Coward]

If your ISP isn't patched, perhaps it is time to switch.

My ISP has a monopoly over internet services in my area you insensitive clod.

time to switch?

[Dunbal]

If your ISP isn't patched, perhaps it is time to switch.

      Thanks to the "free market economy" in my capitalist country I can't switch, you insensitive clod!

ISP DNS

[spottedkangaroo]

Who uses their ISPs DNS servers? Most people probably. Well, I don't trust them. My friends and I run a recursing nameserver that we access over a VPN link.

ISPs just aren't trustworthy.

Rediculious requirements

[Coolhand2120]

Maybe if the patch didn't require that open up all incoming and outgoing UDP ports [securitytracker.com] on the DNS interface I could implement it faster. Seeing how most people use firewalls it makes it really quite a bit more difficult than just "apply the patch".

NOTE WELL: This update causes BIND to choose a new, random UDP port for each new query; this may cause problems for some network configurations, particularly if firewall(s) block incoming UDP packets on particular ports.

I'll get this patch applied as soon as I reconfigure my entire network topology.

OpenDNS is not the best answer

[rfunk]

OpenDNS returns their own search page for bad lookups, rather than NXDOMAIN, breaking various things. They also send queries for www.google.com to their own server. (I wrote about this recently.) [livejournal.com]

Re:Am I safe?

[Anonymous Coward]

Thanks!!!! My DNS is safe. I know this to be true cause I used your dns checker....

Re:Switch DNS Servers, NOT ISPs

[Ciarang]

It's completely different, otherwise they wouldn't be my ISP.