New Zealand ISPs are hurriedly patching their servers to avoid attacks from phishers and domain spoofers as the global DNS emergency rolls on.
The process has been far from smooth for some, however, as a premature disclosure of the flaw is forcing providers to apply patches with little time for testing.
Vodafone was testing a patch for its DNS servers last week, spokesman Paul Brislen told Computerworld. The patch was expected to be rolled out by Wednesday night, but a test on Thursday morning showed the servers remained unpatched.
Brislen says that Vodafone’s engineers have been aware of the issue for a while, but haven’t seen any attempts to exploit it yet.
As of Thursday, Vodafone’s DNS servers appeared to have poor source-port randomness in Computerworld’s testing. Brislen says, however, that Vodafone’s firewall would protect against the flaw being exploited.
Regional ISP Inspire Net patched its DNS servers as soon as remedies were available, says founder James Watts. There have, however, been issues with the quick-fix patch causing excessive load on Inspire’s DNS servers, Watts adds.
Inspire has had to move up to a beta version of the latest DNS code to deal with the load issue, he says, adding that the provider is currently working on implementing DNSSEC security extensions to mitigate future issues.
Telecom’s head of PR for consumer and business, Nick Brown, says Telecom has been working “swiftly” with its technical partners to protect against the vulnerability.
Brown says Telecom has patched its major DNS system and is doing further testing to ensure it is effective.
While it may appear from the outside that Telecom’s DNS isn’t patched, Brown says that Telecom is confident the measures put in place mean the company is secure from the vulnerability.
Paul Vixie, president of Internet Systems Consortium (isc.org), the non-profit organisation that develops and supports the Berkeley Internet Name Domain, or BIND, the most commonly used name server on the internet, says providers should “hurry up no matter what” and patch.
“We can infect a name server in 11 seconds now, which was never true before,” Vixie says.
Vixie says phishers will no longer have to make their domains appear like, for instance, paypal.com to steal your credit card details.
Instead, he says, the phishers can pollute the recursive name server you’re using with bad data for the actual paypal.com domain and just wait for you to go there in the normal course of your daily business.
By proxying all your input and the output from paypal.com, transactions will succeed and you’re none the wiser.
Vixie agrees that one major concern with the early disclosure of the flaw is that it puts millions of internet-connected devices such as home DSL routers and mobile phones at risk. Many of these run a DNS resolver and cache that could be poisoned by hi-jackers. Patching these devices is a long and arduous task.
David Ulevitch, founder of domain name service provider OpenDNS doesn’t mince his words when talking about the flaw: “It’s the most serious flaw to hit the internet,” he says.
There hasn’t been anything similar to the current flaw for the DNS in the last ten years, he says.
Lambasting the early disclosure as “irresponsible” and “everything that’s wrong with this industry”, Ulevitch says there are remedies available and that providers should patch now. He was, however, not aware of the flaw being exploited last week.
There are several tests for the vulnerability available on internet sites such as Dan Kaminsky’s doxpara.com and the DNS Operations, Analysis and Research Centre (dns-oarc.net).
Snapshot: Is your ISP patched? (Note: these tests were conducted on Wednesday and Thursday, some of the ISPs are reporting they are now patched.)
| ISP | Vulnerable |
| Vodafone/Ihug | Yes |
| Vodafone 3G | Yes |
| Xtra | Yes |
| Telecom T3G | No |
| Inspire | No |
| Orcon | No |
| ICONZ | Yes |
| WorldXChange | No |
| Compass | No |
| Maxnet | Partially |
 | |
| (Note: some providers do not offer recursion on their DNS servers, which means Computerworld's tests do not work.) | |
Update: UK website VNU reports first attack here.