In case you have been living under a rock for the past month you have most likely heard about the DNS cache exploit recently discovered by Dan Kaminsky.  This might be one of the most severe flaws discovered as it was cross platform affecting everything from Windows to Linux, UNIX, Cisco IOS etc....  It was so big in fact that all the major vendors worked together to get the patch issued on the same day.  The flaw would allow an attacker to insert a malicious DNS record into the cache.  As an end user you type in www.technet.com and rather than get the proper IP address the cache delivers the malicious IP address sending you to ????  You can find out more on the details of the flaw at Dan's blog.

You should also make sure that you are patched.  Make sure that your upstream ISP DNS servers are patched by calling them or using Dan's DNS Checker at the top of his website.

So why all of a sudden a rush to ensure you are patched?  Well the patches issued by the vendors have been reverse engineered and exploit code has been published!  Dan has said many times that this is an extremely easy to launch exploit that could be implemented in seconds.

MS08-037 - Vulnerabilities in DNS Could Allow Spoofing (953230)

KB953230 - Vulnerabilities in DNS could allow spoofing

Go. Read. Patch. Now.

And when you are done, copy and paste this blog post to your blog, email it to your IT Pro buddies, get the word out!

If you have links to the patches from other vendors, please leave a comment with the URL!

Well this one is really simple.

On your windows 2003 server go to DNS right click the server go to your forwarders and add the opendns dns servers.
Also go to your root hints tab and remove those. (did you ever check if the default root hints are still valid nah I know, if you use em you should also update them)

Now for all your outgoing lookups the windows server queries the opendns servers.

Why is this safe?

Block the bad sites and whitelist the good.

Phishing Protection

We operate PhishTank.com, the world's most trusted source of phishing data. We integrate that data into an intelligence feed on our DNS servers to keep everyone on your network safe from phony sites trying to steal personal information.

Domain Blocking

You want to secure your network and have control over what resolves. We give you that control by providing the tools to block any website or DNS zone on the Internet, all through an easy-to-use interface.

Adult Site Blocking

Safeguard your kids, protect your students, or limit your corporate liability by blocking adult websites. Our adult site blocking solution can be deployed in minutes and provides granular levels of blocking. Hundreds of school districts are already using OpenDNS to achieve CIPA compliance. Did we mention it's completely free?

Web Proxy Blocking

Prevent people on your network from bypassing the access restrictions you put in place. Blocking Web proxies helps ensure your network remains secure.

Domain Whitelisting

We provide a (growing) list of Web content filtering categories to block, but sometimes there is a domain you want to make sure is never blocked, even if it's listed in a feed. Have the final say with our Domain Whitelisting feature.

Internet Explorer and Firefox are in a constant race for both the lion’s share of the browser market and for the top dog position when it comes down to which of the two products is more locked down from a security perspective. In terms of audience Internet Explorer has little contest from Firefox, although the open source browser has increased substantially its foothold on the market growing its share to approximately 15% at the end of October 2007, according to data from Net Applications. In contrast, IE accounts for the largest install base with 78%.

Security is a different matter altogether and a tad more difficult to measure up. The fact of
the matter is that the end goal of delivering top user protection is a combination of code quality and lack of vulnerabilities in the default design, along with an absent threat environment. (more…)

audience internet, browser market, code security, DNS, dns configuration, Firefox, ie, Internet, internet explorer, mac os x, mac versions, trojan, video fragment, Web, Windows, windows machine, youtube

1&1, popular website hosting service and domain name registrar, have a very serious problem with their nameserver configuration web interface.

We’re hosting our own domains with 1and1 (pointing to our dedicated servers hosted with the excellent and much-recommended Lunarpages), and were attempting to reconfigure our nameservers to point to a different IP address. We went into the 1&1 admin interface and attempted to re-configure the neosmart.net nameservers to point to the new IP - a week later, the DNS hadn’t yet propogated and we couldn’t find a good explanation.

This was how we had originally set up our nameserver entries in the 1and1 web administration center: