Paul Vixie: 100,000 DSL Modems May Lose Their DNS On July 9

Dante_J writes "Up to 100,000 DSL modems may lose access to DNS come July the 9th, due to scripted web interface changes made to them by DNSChanger. This and other disturbing details were raised by respected Internet elder Paul Vixie during a presentation at the AusCERT 2012 conference."

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Why not warn them?

[jeffmeden]

Because they would probably do what they do any other time something complicated appears on the screen: click OK and get back to searching for pr0n.

Re:8.8.8.8

[philip.paradis]

Any DNS provider you use can do the same thing. If you don't like this, feel free to operate your own resolvers.

Re:Why bother warning them?

[n5vb]

There are some people who will call tech support whether they get a warning or not. Usually the wrong support, and usually to unload a half hour of angry rants that do absolutely nothing to fix the problem. If there's any reading involved beyond about the 2nd-3rd grade level, they'll ignore warning dialogs and just call and complain. This is a constant in the tech support universe.

(And I still have to laugh when people tell me their internet isn't working but they can send and receive email..)

Re:Scripted changes

[DeadboltX]

From FBI PDF http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf [fbi.gov]

What Does DNSChanger Do to My Computer?
DNSChanger malware causes a computer to use rogue DNS servers in one of two ways. First, it changes the computer’s DNS server settings to replace the ISP’s good DNS servers with rogue DNS servers operated by the criminal. Second, it attempts to access devices on the victim’s small office/home office (SOHO) network that run a dynamic host configuration protocol (DHCP) server (eg. a router or home gateway). The malware attempts to access these devices using common default usernames and passwords and, if successful, changes the DNS servers these devices use from the ISP’s good DNS servers to rogue DNS servers operated by the criminals. This is a change that may impact all computers on the SOHO network, even if those computers are not infected with the malware.

Re:8.8.8.8

[Baloroth]

No they don't. See their FAQ [google.com].

Re:8.8.8.8

[PReDiToR]

If this bothers you, or anyone else, try to use https and secure connections wherever possible.
This means that without some directed effort on the part of your ISP (MITM/brute force) all your ISP knows is which site you visit, not the contents of your conversation with the servers.

HTTPS-Everywhere [eff.org] helps.