Near the middle of 2008, the world was informed of the existence of a recently discovered, previously unknown and very serious vulnerability that was present within the majority of the Internet's domain name system (DNS) servers. The vulnerability was considered critical because, if exploited, it could be used to redirect unsuspecting Internet users to malicious web sites without detection.
You and your web browser would believe you were at your banking site. You entered the URL correctly, or used a reliable link or shortcut. Everything would look right. But you would be logged onto a malicious foreign web site which was ready and able to capture your private banking information.
During the initial disclosure, the public was not told anything about what the problem was, only that there was one, that it was bad, and that the entire Internet world now had just four weeks to patch and update all existing “DNS nameservers” . . . because full details of the newly discovered vulnerability would be disclosed during the forthcoming Black Hat conference by Dan Kaminsky, the security researcher who had discovered the vulnerability and the means for exploiting it.
Despite the way that sounds, Dan is not one of the “bad guys.” He's a well known, reputable and respected security researcher who had already been working—in the strictest of secrecy—for many months with every major DNS server vendor. He had been explaining and demonstrating the problem he had discovered and working with them to get their servers ready to be updated.
The news was deliberately sprung upon the unsuspecting world because Dan and the DNS vendors knew that mischievous and truly malicious bad guys alike would find this revelation far too tempting to pass up and would jump on the news immediately in an attempt to figure out how to take advantage of this juicy new and significant critical vulnerability. And indeed they did . . .
Weeks before Dan's planned Black Hat conference disclosure, good and bad hackers had worked out the details of Dan's discovery and were actively exploiting the newfound vulnerability.
Dan's plan was to keep the whole problem a secret until all DNS server vendors had updated their code and were ready to deploy their new versions onto the Internet together. Only by doing that would “the window of exploitation opportunity” be kept as narrow as possible. And that's what happened . . . more or less . . . and it is the “less” that is the reason for these pages, and for our development of the comprehensive DNS test you are about to run:
There are approximately 11,900,000 DNS nameservers in the world, on the Internet. And even today many of them have still not been updated to prevent the exploitation of this serious vulnerability.
The “DNS” or “Domain Name System” converts easy-to-remember, mostly alphabetic “brand name” URL domain names such as GRC.COM, AMAZON.COM, EBAY.COM, GOOGLE.COM, into their corresponding much-less-friendly Internet IP addresses. For example, GRC's domain name of WWW.GRC.COM has the corresponding IP address of [4.79.142.202]. That numerical address is what Internet applications such as web browsers, eMail, instant messaging, and everything else actually use to converse across the Internet. DNS allows us to refer to remote Internet objects by their much easier to use name rather than by their IP address number. But imagine if that dictionary lookup process, of converting names to numbers, were deliberately corrupted.
What Dan Kaminsky discovered was a reliable, quick and efficient way for malicious hackers to deliberately change the Internet IP addresses of any web sites to whatever they wanted.
When Dan demonstrated this to the DNS vendors, they were terrified, because they knew the Internet depended upon DNS for its operation, and this flaw represented a huge vulnerability and opportunity both for mischief and for malicious exploitation.
The attack is known as “Cache Poisoning”, and although it has been understood to be a theoretical problem for many years, it was never believed to be a serious vulnerability until Dan discovered how to do it quickly and easily.
It is definitely not necessary for you to understand the fine details of the attack in order to determine whether your DNS servers might still be vulnerable — we've made that easy and automatic for you. But if you are interested in learning more — either before or after you test your own DNS servers — Leo Laporte and I describe the entire scenario in detail during our 103-minute “Security Now!” audio podcast (#155). Since it is a standard mp3 audio file, you can freely and easily listen to any or all of it, or read the corresponding textual transcripts:
Additionally, the “How This Works” page of these DNS spoofability pages contains further details about the exact nature of the DNS spoofability problem.
You can also jump to our main Security Now! index web page to peruse all previous and subsequent podcasts. We produce a new one each and every week.
Performing our DNS Nameserver Spoofability test is as simple as pressing a single button (located near the bottom of this page).
However, you should be aware of a few things — such as the test's running time, the fact that your Internet router might crash, and that there are variations of the test available. So PLEASE take another few moments to read and consider the following points before you proceed to click the button near the bottom of the page:
| | Standard | Custom | CrashTest |
| Daily Usage: | 186 | 4 | 14 |
| Total Usage: | 66,599 | 1,408 | 4,751 |
Gibson Research Corporation is owned and operated by Steve Gibson. The contents of this page are Copyright (c) 2024 Gibson Research Corporation. SpinRite, ShieldsUP, NanoProbe, and any other indicated trademarks are registered trademarks of Gibson Research Corporation, Laguna Hills, CA, USA.