DNS Cache Poisoning Vulnerability 8/24/08

This has been in the news recently as a potentially big-time vulnerability, and exploits have been reported.  If your internet service provider has not patched their DNS server, you could type into your browser www.bankofamerica.com and end up going to a spoofed site that looks like BofA and having your username/password stolen.

Click on this link http://entropy.dns-oarc.net/test to test if your ISP's DNS servers are patched.  Both tests (source port randomness and transaction ID randomness) should say "Great".  AT&T and Comcast appear to be okay, but test them anyway, as the test takes only 5 seconds.  If the servers are not patched:

  1. Complain to your ISP.
  2. Change your DNS settings to 208.67.222.222 and 208.67.220.220.  These are the settings for OpenDNS, which will very likely be quicker-on-the-draw than most ISPs.
  3. Come to the Internet SIG for additional information.
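The DNS-OARC test above works by watching the source ports and transaction IDs a resolver uses on the queries it sends upstream and rating how unpredictable they look. The script below is an added example (not from the note or from DNS-OARC) that applies the same idea to a list of observed (source_port, txid) pairs, such as ones pulled from a packet capture of your resolver's outbound traffic; the sample pairs and the "Great"/"Fair"/"Poor" thresholds are constructed for illustration.

```python
"""Rate how unpredictable a resolver's outgoing DNS source ports and
transaction IDs are, in the spirit of the entropy.dns-oarc.net test.
Added example; sample data and thresholds are constructed."""
import math
from collections import Counter


def shannon_entropy_bits(values):
    """Shannon entropy, in bits, of the observed value distribution."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def rate(values, max_bits):
    """'Poor' if the values are constant or step by a fixed increment
    (the pre-patch behaviour), 'Great' if the observed entropy is close to
    the most that this many samples could show, otherwise 'Fair'."""
    n = len(values)
    if n < 2:
        return "Unknown"
    # n samples can reveal at most log2(n) bits, even of a 16-bit field.
    best = min(max_bits, math.log2(n))
    deltas = {b - a for a, b in zip(values, values[1:])}
    if len(deltas) == 1:
        return "Poor"
    return "Great" if shannon_entropy_bits(values) >= 0.9 * best else "Fair"


def assess(samples):
    """samples: list of (source_port, txid) pairs observed from the resolver."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    return {"source_port": rate(ports, 16), "txid": rate(txids, 16)}


# Constructed samples: an unpatched resolver sending from a fixed port
# with incrementing transaction IDs, and a patched one randomizing both.
UNPATCHED = [(53, 0x1000 + i) for i in range(20)]
PATCHED = list(zip(
    [34871, 51209, 40115, 62003, 33790, 47726, 58341, 36918, 53487, 41662,
     60274, 38105, 49930, 55761, 35348, 63402, 44217, 52086, 39553, 57128],
    [0x3a1f, 0xc8d2, 0x17e4, 0x9b06, 0x5fd3, 0xe2a8, 0x0c47, 0x7d91, 0xb35e,
     0x4a6c, 0xf180, 0x2e9b, 0x86d5, 0xd04a, 0x6bf2, 0xa7e3, 0x1f58, 0x94c1,
     0x5b2d, 0xce07]))

if __name__ == "__main__":
    print("unpatched:", assess(UNPATCHED))  # both Poor
    print("patched:  ", assess(PATCHED))    # both Great
```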

Two podcasts from Leo Laporte and Steve Gibson on this subject (for the technically inclined) are #155 and #157:
www.grc.com/securitynow