Countless DNS Servers at Risk

Microsoft recently released a patch to correct security problems in its DNS server software. But those who use other DNS server software might still be at risk if they haven't updated their software very recently.

The overall security problem apparently affects a wide range of software platforms as well as a long list of appliances that include DNS services as part of their platform. The most widely used DNS software, ISC BIND, is also vulnerable, which puts untold numbers of servers at risk until they've been updated.

The basic problem is DNS cache poisoning, so any DNS server that resolves queries on behalf of clients and caches the responses is affected. In short, because resolving servers typically sent all of their outbound queries from a single UDP source port or a small range of ports, an attacker forging a reply only had to guess the 16-bit transaction ID, and the chances of a successful cache poisoning were correspondingly high. The updates randomize the source port of every outbound query, so a forger must now guess both the port and the transaction ID.
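One check an administrator can run after patching is to capture the resolver's outbound queries and confirm that the source port actually varies. The script below is an added example, not part of the article or any vendor's tooling: it parses the one-line query form of `tcpdump -n` output (an assumed format; the sample lines are constructed, not captured from a real resolver) and reports how many distinct source ports and transaction IDs appear, together with the rough number of forged replies an attacker would need per successful hit.

```python
import re
from collections import Counter

# Matches the one-line query form of `tcpdump -n` output (assumed format):
#   "<ts> IP <src>.<sport> > <dst>.53: <txid>+ A? <name>. (<len>)"
# Only outbound queries (destination port 53, "+" = recursion desired) match;
# reply lines fall through because their destination port is not 53.
QUERY_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53: (?P<txid>\d+)\+ "
)


def parse_queries(lines):
    """Yield (source_port, transaction_id) for every outbound query line."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield int(m.group("sport")), int(m.group("txid"))


def assess_source_ports(lines, min_samples=8, max_fixed_ports=4):
    """Summarise how predictable the resolver's query source ports are.

    A forged reply is accepted only if its destination port and transaction
    ID both match an outstanding query. With the 16-bit transaction ID as the
    only secret an attacker needs on the order of 65536 forgeries per hit;
    spreading queries uniformly over N ports multiplies that by N.
    """
    ports = Counter()
    txids = set()
    for sport, txid in parse_queries(lines):
        ports[sport] += 1
        txids.add(txid)
    total = sum(ports.values())
    distinct_ports = len(ports)
    if total < min_samples:
        verdict = "insufficient data"
    elif distinct_ports <= max_fixed_ports:
        verdict = "vulnerable"  # port is effectively fixed; TXID is the only guess
    else:
        verdict = "ok"
    return {
        "queries": total,
        "distinct_ports": distinct_ports,
        "distinct_txids": len(txids),
        "guesses_per_hit": 65536 * max(distinct_ports, 1),
        "verdict": verdict,
    }


def _query_line(second, sport, txid, name):
    """Build one constructed tcpdump-style query line (resolver 192.0.2.10)."""
    return (f"12:00:{second:02d}.000000 IP 192.0.2.10.{sport} > "
            f"198.51.100.1.53: {txid}+ A? {name}. (31)")


# Constructed sample: an unpatched resolver sending every query from port 32123,
# followed by one reply line that the parser must ignore.
FIXED_PORT_SAMPLE = [
    _query_line(i, 32123, 4660 + i, f"host{i}.example.com") for i in range(10)
] + ["12:00:10.000000 IP 198.51.100.1.53 > 192.0.2.10.32123: 4660 1/0/0 A 203.0.113.7 (47)"]

# Constructed sample: a patched resolver with a fresh source port per query.
RANDOM_PORT_SAMPLE = [
    _query_line(i, port, txid, f"host{i}.example.com")
    for i, (port, txid) in enumerate([
        (49152, 3021), (61877, 55010), (33419, 9118), (58002, 41777),
        (40961, 12345), (52700, 60000), (36666, 777), (63333, 18181),
        (44444, 27072), (57005, 48879),
    ])
]

if __name__ == "__main__":
    for label, sample in (("fixed port", FIXED_PORT_SAMPLE),
                          ("random port", RANDOM_PORT_SAMPLE)):
        print(label, assess_source_ports(sample))
```

Run it against a real capture with something like `tcpdump -n -l udp dst port 53 | python3 porttest.py` adapted to read stdin; a handful of distinct ports across a few hundred queries is a strong sign the resolver (or a NAT in front of it, which can undo the randomization) is still predictable.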

Affected platforms include Microsoft Windows, nearly every Linux and BSD-based platform, Apple OS X, Cisco hardware, and software and hardware from many other major manufacturers including 3Com, Check Point, IBM, Sun, Intel, NetGear, Nortel, RedHat, NEC, Lucent, Juniper, and many more.

Dan Kaminsky, who discovered this particular DNS vulnerability and helped coordinate the development of software updates, said "I'm pretty proud of what we accomplished here. We got Windows [fixed]. We got Cisco IOS [fixed]. We got Nominum [fixed]. We got BIND 9 [fixed], and when we couldn't get BIND 8, we got Yahoo, the biggest BIND 8 deployment we knew of, to publicly commit to abandoning it entirely."

Administrators are advised to ensure they've got the latest software and firmware updates installed on their networks. Those who need to manually install new versions of BIND software can obtain that from the ISC Web site.
