The DNS vulnerability, which has completely dominated the news in the security world the last two weeks, has been a concern for so many. On the front of good news and getting things protected, the IBM ISS has team has published some great information. The Frequency X Blog, run by IBM ISS, had an interesting article that I think is likely useful to many of us out there. I've personally heard a few questions from my clients, some from other associates at Ernst & Young, asking about other options for mitigation, if this is being attacked in the wild, etc. Apparently IBM ISS has heard similar things. From their Frequency X Blog:
We've been hearing four primary questions from customers about the recently disclosed DNS cache poisoning vulnerability; How do I tell if I'm vulnerable, what do I do to mitigate it, how do I tell if I've been attacked, and what do I do if I've been attacked. We put this blog post together in an attempt to address those questions directly.I've found that the blog entry by ISS has some very good take away points, such as concerns over how DNS servers that have been patched, but sit behind NAT devices may still be vulnerable.
Furthermore, if you have a server behind a NAT device, some NAT devices will undo the UDP port randomness introduced by the patch. Fortunately, Linux iptables and OpenBSD's pf are not vulnerable, but many popular NAT devices are. If you have such a device you can either move your DNS server to a DMZ segment where it need not be NATed, or you can forward requests from that DNS server to a patched server that is not behind the NAT. If you forward make sure that you disable recursion.If you believe you have been attacked, and despite reading this article aren't quite sure what to do, ISS has a service to help with this:
IBM ISS has an emergency response team standing by 24 hours a day, 7 days a week, 365 days a year. If you have been the target of an attack, you can call us at the number listed on this web page any time of day, and we can provide immediate assistance to stop attacks and help you get your network back in running order. It is our opinion that if you have been the victim of a breach you should seek the assistance of a professional response team, whether ours or someone else's.Another thing, I'd like to reiterate a post by Danch Danchev, which discusses the fact that OpenDNS, PowerDNS, and MaraDNS remain unaffected by the flaw, so moving to one of these also becomes an option. -Nate