We've been hearing four primary questions from customers about the recently disclosed DNS cache poisoning vulnerability: how do I tell if I'm vulnerable, what do I do to mitigate it, how do I tell if I've been attacked, and what do I do if I've been attacked? We put this blog post together in an attempt to address those questions directly.

I've found that the blog entry by ISS has some very good take-away points, such as the concern that DNS servers which have been patched, but sit behind NAT devices, may still be vulnerable.
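Of the four questions, the NAT one is the hardest to answer by inspection, because the resolver itself will report that it is patched. As an added example (my own script, not code from the original post or from ISS), here is a check you can run empirically: capture your resolver's outbound queries on the outside interface of the NAT device with something like `tcpdump -n -i eth1 udp dst port 53`, feed those lines to the script, and see whether the source ports still look random from where an attacker sits. The three samples below are constructed to show the three outcomes; the interface name, the RFC 5737 addresses and the thresholds are assumptions.

```python
import math
import re
from collections import Counter

# One "tcpdump -n" line per outbound query, e.g.
#   IP 203.0.113.5.1024 > 198.51.100.1.53: 41235 A? example.com. (29)
# Group 1 is the source port as seen on the wire, group 2 the DNS transaction
# ID. Assumes tcpdump's default DNS formatting; a trailing flag such as "+"
# and an optional "[..]" EDNS field after the ID are tolerated.
QUERY_RE = re.compile(
    r"IP \S+\.(\d+) > \S+\.53: (\d+)\S* (?:\[[^\]]*\] )?[A-Z]+\? \S+"
)


def parse_queries(lines):
    """Return (source_port, txid) pairs, skipping lines that are not queries."""
    pairs = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def entropy_bits(values):
    """Shannon entropy, in bits, of the empirical distribution of values."""
    if not values:
        return 0.0
    n = len(values)
    return max(0.0, -sum(c / n * math.log2(c / n) for c in Counter(values).values()))


def looks_sequential(values, tolerance=0.8):
    """True when most consecutive values step by exactly +1 (a counter)."""
    if len(values) < 2:
        return False
    steps = [b - a for a, b in zip(values, values[1:])]
    return sum(1 for s in steps if s == 1) / len(steps) >= tolerance


def assess(lines):
    """Summarise the source-port behaviour visible in the captured queries."""
    pairs = parse_queries(lines)
    ports = [p for p, _ in pairs]
    txids = [t for _, t in pairs]
    report = {
        "queries": len(pairs),
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": round(entropy_bits(ports), 2),
        "ports_sequential": looks_sequential(ports),
        "distinct_txids": len(set(txids)),
    }
    # A patched resolver whose ports are not being rewritten uses a fresh
    # random port per query, so nearly every port is distinct and there is no
    # counter pattern. A single port (unpatched, or a NAT mapping everything to
    # one port) or a +1 counter (a NAT allocating ports in order) means only
    # the 16-bit transaction ID is still protecting the cache.
    report["port_randomised"] = (
        report["queries"] >= 2
        and report["distinct_ports"] >= 0.9 * report["queries"]
        and not report["ports_sequential"]
    )
    return report


# Constructed samples (assumed addresses from RFC 5737), one per outcome.
def _lines(ports, txids):
    return [
        "IP 203.0.113.5.%d > 198.51.100.1.53: %d A? example.com. (29)" % (p, t)
        for p, t in zip(ports, txids)
    ]


TXIDS = [41235, 7018, 59903, 12877, 30442, 2201]
RANDOMISED = _lines([53122, 17904, 60331, 2215, 44817, 9988], TXIDS)  # patched, no NAT in path
NAT_REWRITTEN = _lines([1024, 1025, 1026, 1027, 1028, 1029], TXIDS)   # NAT hands out ports in order
FIXED_PORT = _lines([53] * 6, TXIDS)                                  # unpatched, or NAT pins one port

if __name__ == "__main__":
    for name, sample in (("patched, no NAT", RANDOMISED),
                         ("behind port-rewriting NAT", NAT_REWRITTEN),
                         ("fixed source port", FIXED_PORT)):
        r = assess(sample)
        print("%-26s port_randomised=%s %s" % (name, r["port_randomised"], r))
```

Run it against a capture of a few hundred queries rather than six: the distinct-port ratio and the +1 test are robust at that size, and a NAT that only rewrites ports once its table fills will not show up in a tiny sample. The transaction IDs are reported too, because a NAT cannot touch those; if they are also predictable, the resolver itself is unpatched.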
Furthermore, if your server sits behind a NAT device, be aware that some NAT devices undo the UDP source-port randomization introduced by the patch: the patched resolver picks a random port for each query, but the NAT rewrites it to a fixed or sequentially allocated port on the outside, so an attacker on the Internet sees the same predictable ports as before. Linux iptables and OpenBSD's pf are not affected, but many popular NAT devices are. If you have such a device you can either move your DNS server to a DMZ segment where it need not be NATed, or forward requests from that DNS server to a patched server that is not behind the NAT. If you forward, make sure that you disable recursion.

If you believe you have been attacked, and despite reading this article aren't quite sure what to do, ISS has a service to help with this:
IBM ISS has an emergency response team standing by 24 hours a day, 7 days a week, 365 days a year. If you have been the target of an attack, you can call us at the number listed on this web page any time of day, and we can provide immediate assistance to stop attacks and help you get your network back in running order. It is our opinion that if you have been the victim of a breach you should seek the assistance of a professional response team, whether ours or someone else's.

One more thing: I'd like to reiterate a post by Dancho Danchev, which points out that OpenDNS, PowerDNS, and MaraDNS remain unaffected by the flaw, so moving to one of these also becomes an option.

-Nate