Monday, July 21, 2008

If you can't update DNS without breaking your network~

I was going to skip commenting on the whole DNS thing, everyone knows about it and many folks have covered it.

But there seem to be quite a few admins who don't want to patch a vulnerability without all of the gory details. While I respect that skepticism, I think they are wrong this time. A couple of reasons:

  • It is DNS and it is Dan Kaminsky.
    • DNS and Dan Kaminsky is a redundant statement
  • Gazillions (OK, dozens) of vendors cooperated for the first time in Internet history to
    • work together for months
    • keep quiet until the appointed date
    • synchronize patch release for the same date
  • The folks who have seen the details say patch now

Some admins have even said they don't want to "break their network" for an unknown vulnerability. News flash: if updating DNS "breaks your network", your network is already broken. This also ignores the fact that there are relatively simple mitigation techniques available, ranging from pointing your vulnerable systems at safe, external DNS servers such as OpenDNS, to building and deploying updated servers internally between vulnerable systems and the Internet.

Go ahead, patch. I'll wait here.

[Yes, I know: from the time I started writing this earlier today until the time I hit "post", the details leaked. Those who paid attention to this issue have already patched; those who didn't are (or should be) scrambling.]