Good reason to use a HOSTS file?


bellgamin
July 25th, 2008, 08:12 PM
According to THIS article (http://news.netcraft.com/archives/2005/03/07/dns_poisoning_scam_raises_wariness_of_pharming.html) and others like it, DNS poisoning (a.k.a. pharming) is becoming rather more of a threat nowadays.

For example, I might want to do some online banking, so I browse to (hypothetical URL) mybank.com. Unbeknownst to me, the DNS that provides the IP for mybank.com is poisoned, so it sends me to a web page that looks like mybank's but instead is a black hat's site. Thus, when I enter my private information, I am giving it to a black hat -- NOT my bank.

As to preventing such a nasty event, one method I have read about was to use my HOSTS file. That is, I add a HOSTS file entry for mybank.com that links mybank to their true IP. That way, when I seek to access mybank.com, HOSTS will do the DNS job, and there will be no possibility of DNS poisoning.

I know of just one possible disadvantage -- namely, IPs sometimes get changed. Other than that, use of HOSTS seems like it might be a good way to avoid DNS poisoning for key/private transactions.

I request comments as to...

1- Your views on the "HOSTS solution to DNS poisoning"
AND/OR
2- Other equally good (or better) solutions.

Rmus
July 25th, 2008, 09:56 PM
Since the current vulnerability is widespread, it's probably best to address the DNS issue itself and ensure that your ISP's DNS servers have been patched.

You can check here:

https://www.dns-oarc.net/oarc/services/dnsentropy

Until they are patched, an alternative solution is to use the OpenDNS servers.

References

DNS bug - observations
http://isc.sans.org/diary.html?storyid=4780

World's biggest ISPs drag feet on critical DNS patch
http://www.theregister.co.uk/2008/07/25/isps_slow_to_patch/

OpenDNS
http://www.opendns.com/how/dns/turning-names-into-numbers
{QUOTE-> 208.67.222.222
208.67.220.220 <-QUOTE}

HAN
July 25th, 2008, 10:36 PM
I'm in a similar boat. :) I keep thinking that the best overall answer is getting behind a good set of DNS servers that's patched against the exploit that MS recently patched. Many websites use virtual hosting which translates to one IP address hosting several sites. IMO, a HOSTS file won't handle that very well (if at all.)

Also, it seems that most security certificates are based on domain names, not IP addresses. So, if you go to a site based on its IP address (in order to avoid the DNS problem), your PC can't make the proper handshake for security. Which to me seems very counterproductive...

JRViejo
July 25th, 2008, 11:17 PM
Rmus, you referenced sans.org, and a couple of white papers there, The Achilles Heal of DNS (http://www.sans.org/reading_room/whitepapers/dns/565.php) and Security Issues with DNS (http://www.sans.org/reading_room/whitepapers/dns/1069.php), offer a good background on a problem that was talked about 5 years ago, referencing data from as far back as 1995!

I ran the test on my ISP's DNS Resolver and it appears to have POOR source port randomness [only one unique port] and GREAT transaction ID randomness [Range: 149 - 63668]. I'm glad you gave us that link because I'm going to address that issue with my ISP. Thank you for that and for OpenDNS!

dw426
July 26th, 2008, 01:58 AM
I agree that alternative DNS servers would provide the greater protection. HOSTS files change far too often and are still subject to attack themselves. One thing I would advise, if you are so inclined, is to set up the optional free account that comes with OpenDNS so that you have access to the Dashboard. This allows you to set blocks for certain types of attacks and types of websites like known phishing sites and malware-infested ones, among other types. Just a suggestion though; I myself just pointed my system to their servers without making an account since I don't want any blocked websites and have protection (web-scanning AV and such) against malware/phishing.

bellgamin
July 26th, 2008, 02:08 AM
@Rmus- Grrrreat links! I've used OpenDNS for quite a long while. It tests "Great" with the link you provided.

@All- Thanks to all. I am learning a lot from this thread.

Infinite Luta
July 26th, 2008, 03:22 AM
{QUOTE-> Many websites use virtual hosting which translates to one IP address hosting several sites. IMO, a HOSTS file won't handle that very well (if at all.)

Also, it seems that most security certificates are based on domain names, not IP addresses. So, if you go to a site based on it's IP address (in order to avoid the DNS problem), your PC can't make the proper handshake for security. Which to me seems very counterproductive... <-QUOTE}
Not quite. What you mentioned is true when entering a site's IP address directly into the web browser, but not when using a HOSTS file entry.

The only main difference is where the domain name's IP address is resolved from. If there's a HOSTS entry for the domain, the IP is resolved locally from the hosts file rather than remotely via DNS servers (which may potentially be poisoned). Other than that, everything will be operational as long as the HOSTS entry is correct.

Mrkvonic
July 26th, 2008, 05:35 AM
{QUOTE-> I'm in a similar boat. :) I keep thinking that the best overall answer is getting behind a good set of DNS servers that's patched against the exploit that MS recently patched. Many websites use virtual hosting which translates to one IP address hosting several sites. IMO, a HOSTS file won't handle that very well (if at all.)

Also, it seems that most security certificates are based on domain names, not IP addresses. So, if you go to a site based on it's IP address (in order to avoid the DNS problem), your PC can't make the proper handshake for security. Which to me seems very counterproductive... <-QUOTE}

Hello,
Actually, you cannot use name-based virtualhosts for security, because the authentication takes place before name translation ... so in this case IP would work - and I won't repeat my mantra about hosts file.
Mrk

HAN
July 26th, 2008, 06:41 AM
{QUOTE-> Actually, you cannot use name-based virtualhosts for security, because the authentication takes place before name translation ... so in this case IP would work <-QUOTE}
I want to make sure I understand this correctly... :) A security certificate cannot be assigned to a virtual hosted site? It's required for the certificate to be tied to a specific IP address?

Mrkvonic
July 26th, 2008, 09:38 AM
Hello,
Yes it can, but IP based.
IPs can be virtual though :) virtual devices like eth0:0 eth0:1 etc, a neat trick.
Mrk

bellgamin
July 26th, 2008, 10:51 PM
{QUOTE-> IPs can be virtual though :) virtual devices like eth0:0 eth0:1 etc, a neat trick. Mrk <-QUOTE}
eth0:0 eth0:1 etc?? Aren't those unique to Linux?

Mrkvonic
July 27th, 2008, 12:23 AM
Hello,
Don't know about Windows, but if you run a web server and you want virtual network adapters, the chances are you'll run Apache on a *nix platform.
Mrk

bellgamin
July 27th, 2008, 04:34 AM
{QUOTE-> Hello,
Don't know about Windows, but if you run a web server and you want virtual network adapters, the chances are you'll run Apache on a *nix platform.
Mrk <-QUOTE}
"I see," said the blind man. :blink: 10Q Mrk-san

Mrkvonic
July 27th, 2008, 06:21 AM
Acknowledged, bellgamin-hoahanau :)
Mrk

bellgamin
July 27th, 2008, 06:23 PM
Another good site for checking whether your DNS server is secure is located in the top of the right-side column at the website of Dan Kaminsky (http://www.doxpara.com/), one of the discoverers of the DNS poisoning flaw. Dan's blog at that same link gives a LOT of good background info & suggestions.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here is a comparison between using a shortcut to (e.g.) mybank.com versus using HOSTS (which I quote from another forum)...

{QUOTE-> If you create a shortcut or a bookmark using the IP address "1.2.3.4", then
Your browser connects to 1.2.3.4
Your browser tells the server "I am fetching web pages for 1.2.3.4"
Your browser checks that any security certificate has 1.2.3.4 as the server name

If, instead, you use the hostname "mybank.com" in your shortcut or bookmark:
Your browser looks up that name, and then connects to 1.2.3.4
Your browser tells the server "I am fetching web pages for mybank.com"
Your browser checks any security certificate to see that it has mybank.com as the server name.

Where your browser connects is the same. How your browser behaves on that connection is different. <-QUOTE}

To check a site's certificate when using Firefox browser>>> Right-click on a blank section of the web page then click "Page Info" -- that will give security info about the page you are viewing. See screenies below.
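The quoted comparison above, worked through as code. This is an added example, not from the thread or any browser's source: it parses a hosts-file fragment, resolves a name locally before falling back to a (replaceable, possibly poisoned) resolver, and reports what a browser would connect to, send in the Host header, and check the certificate against for an IP-literal bookmark versus a hostname bookmark. The hosts text, the names mybank.com / other.example and the 192.0.2.x / 198.51.100.x addresses are constructed (documentation ranges); `cert_name_matches` implements the usual single-label wildcard rule and is this example's own helper.

```python
"""Added example (not from the thread): IP bookmark vs hostname bookmark vs HOSTS override."""
import ipaddress
import socket

# Constructed hosts-file content in the standard "IP name [alias ...]" format.
SAMPLE_HOSTS = """
# comment line
127.0.0.1   localhost
192.0.2.10  mybank.com www.mybank.com   # pinned by the user
"""


def parse_hosts(text):
    """Return {name: ip} from hosts-file text, ignoring comments and blank lines."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table[name.lower()] = ip
    return table


def is_ip_literal(target):
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def resolve(name, hosts, dns_lookup=socket.gethostbyname):
    """A local HOSTS entry wins; otherwise ask the configured resolver (which may be poisoned)."""
    ip = hosts.get(name.lower())
    return (ip, "hosts") if ip else (dns_lookup(name), "dns")


def plan_connection(target, hosts, dns_lookup=socket.gethostbyname):
    """Describe what a browser does for the host part of a URL.

    For an IP literal the Host header and the certificate name check both use the
    literal itself, so a certificate issued for a domain name will not match.  For a
    hostname, only the address lookup changes; Host header and name check keep the name.
    """
    if is_ip_literal(target):
        return {"connect_ip": target, "source": "literal",
                "host_header": target, "cert_name": target}
    ip, source = resolve(target, hosts, dns_lookup)
    return {"connect_ip": ip, "source": source,
            "host_header": target, "cert_name": target}


def cert_name_matches(cert_names, expected):
    """Match the names in a certificate against the expected name.

    A "*.example" wildcard matches exactly one leftmost label; IP literals must match
    exactly, so a domain certificate never validates a connection made by IP literal.
    """
    expected = expected.lower()
    for name in cert_names:
        name = name.lower()
        if name == expected:
            return True
        if name.startswith("*.") and not is_ip_literal(expected):
            suffix = name[1:]                      # ".mybank.com"
            prefix = expected[:-len(suffix)] if expected.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    poisoned = lambda name: "198.51.100.66"      # constructed "poisoned resolver" answer
    for target in ("192.0.2.10", "mybank.com", "other.example"):
        plan = plan_connection(target, hosts, dns_lookup=poisoned)
        ok = cert_name_matches(["mybank.com", "*.mybank.com"], plan["cert_name"])
        print(f"{target:14} -> {plan}  bank cert matches: {ok}")
```

With the HOSTS entry in place, mybank.com still connects to 192.0.2.10 even though the resolver answers 198.51.100.66, and the certificate check is still against "mybank.com"; the IP-literal bookmark reaches the same address but fails the name check, which is the counterproductive case HAN described.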

Stijnson
July 28th, 2008, 07:28 AM
Can anyone advise me in what I can do when I receive these messages whilst checking DNS server vulnerabilities:

This one:

Your name server, at 194.109.xxx.xxxxx, appears to be safe, but
make sure the ports listed below aren't following an obvious
pattern (:1001, :1002, :1003, or :30000, :30020,
:30100...).Requests seen for a3d7e4e1a9fc.toorrr.com:
194.109.21.251:57926 TXID=20325
194.109.21.251:61320 TXID=48354
194.109.21.251:52602 TXID=45692
194.109.21.251:55552 TXID=34849
194.109.21.147:4177 TXID=59681

Or this one?:

Your name server at 194.x.x.x, may be safe, but the
NAT/Firewall in front of it appears to be interfering with
its port selection policy. The difference between largest
port and smallest port was only 24.
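A rough local replica of what those checkers are reporting, as an added example that is neither the doxpara nor the DNS-OARC tool's code: it parses "ip:port TXID=n" lines in the format quoted above and scores source-port and transaction-ID spread, flagging a single port, an obvious sequential pattern, and a port range so narrow that a NAT or firewall is probably rewriting ports. The sample blocks use constructed 192.0.2.x addresses and constructed port/TXID values; the thresholds are this example's own assumptions, not either checker's published criteria.

```python
"""Added example (not from the thread or any checker): score resolver source-port / TXID spread."""
import re

LINE_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+TXID=(\d+)")

# Constructed samples in the checker's "ip:port TXID=n" format; 192.0.2.0/24 is a
# documentation range, so none of these are real resolvers.
RANDOMIZED = """Requests seen for example-token.example.net:
192.0.2.51:58211 TXID=9123
192.0.2.51:7344 TXID=51208
192.0.2.51:41902 TXID=30777
192.0.2.51:63015 TXID=62004
192.0.2.47:23477 TXID=18465
"""
SEQUENTIAL = """192.0.2.9:1001 TXID=4410
192.0.2.9:1002 TXID=60211
192.0.2.9:1003 TXID=23988
192.0.2.9:1004 TXID=51730
192.0.2.9:1005 TXID=12002
"""
NATTED = """192.0.2.200:33010 TXID=37111
192.0.2.200:33015 TXID=9054
192.0.2.200:33002 TXID=55820
192.0.2.200:33021 TXID=28467
192.0.2.200:33008 TXID=61299
"""
SINGLE_PORT = """192.0.2.77:53 TXID=40321
192.0.2.77:53 TXID=1987
192.0.2.77:53 TXID=27714
"""

# Assumed thresholds for this example only.
MIN_PORT_RANGE = 1024      # narrower than this suggests a NAT/firewall is squeezing the port space
MIN_TXID_RANGE = 4096      # the 16-bit TXID should spread across most of 0..65535
MAX_PATTERN_STEP = 100     # every step small and positive => ":1001, :1002, :1003"-style pattern


def parse_observations(text):
    """Return (ip, port, txid) tuples from checker-style output; other lines are ignored."""
    return [(ip, int(port), int(txid)) for ip, port, txid in LINE_RE.findall(text)]


def looks_sequential(values, max_step=MAX_PATTERN_STEP):
    """True when the values, in arrival order, climb by small positive steps every time."""
    if len(values) < 3:
        return False
    steps = [b - a for a, b in zip(values, values[1:])]
    return all(0 < s <= max_step for s in steps)


def assess(text):
    """Score one block of checker output and return the numbers plus a verdict per field."""
    obs = parse_observations(text)
    if not obs:
        raise ValueError("no 'ip:port TXID=n' lines found")
    ports = [p for _, p, _ in obs]
    txids = [t for _, _, t in obs]
    unique_ports = len(set(ports))
    port_range = max(ports) - min(ports)
    txid_range = max(txids) - min(txids)

    if unique_ports == 1:
        port_verdict = "POOR-single-port"       # no source-port randomization at all
    elif looks_sequential(ports):
        port_verdict = "POOR-pattern"           # randomized in name only
    elif port_range < MIN_PORT_RANGE:
        port_verdict = "SUSPECT-nat"            # resolver may be fine, middlebox is not
    else:
        port_verdict = "GOOD"
    txid_verdict = "GOOD" if txid_range >= MIN_TXID_RANGE else "POOR"
    return {"queries": len(obs), "unique_ports": unique_ports, "port_range": port_range,
            "txid_range": txid_range, "port_verdict": port_verdict, "txid_verdict": txid_verdict}


if __name__ == "__main__":
    for label, block in (("randomized", RANDOMIZED), ("sequential", SEQUENTIAL),
                         ("natted", NATTED), ("single port", SINGLE_PORT)):
        print(f"{label:12} {assess(block)}")
```

The second message in the post ("difference between largest port and smallest port was only 24") corresponds to the SUSPECT-nat case: the resolver's own port choice is fine, but the device in front of it collapses the choice into a few dozen ports, which is what an attacker racing forged answers needs.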

bellgamin
July 28th, 2008, 03:52 PM
{QUOTE-> Can anyone advise me in what I can do when I receive these messages whilst checking DNS server vulnerabilities: <-QUOTE}
I recommend that you start a new topic under the Other Firewalls (http://www.wilderssecurity.com/forumdisplay.php?f=31) category, and ask your questions there. That topical category is most often visited by folks with the know-how to answer your questions.

For clarity, I suggest you include the link to the site (http://www.doxpara.com/) with the DNS checker.

Stijnson
July 29th, 2008, 01:39 AM
{QUOTE-> I recommend that you start a new topic under the Other Firewalls (http://www.wilderssecurity.com/forumdisplay.php?f=31) category, and ask your questions there. That topical category is most often visited by folks with the know-how to answer your questions.

For clarity, I suggest you include the link to the site (http://www.doxpara.com/) with the DNS checker. <-QUOTE}

Thanks Bellgamin. I started a new topic in the Other Firewalls category.

JRViejo
July 30th, 2008, 01:41 PM
Well, let it be known, that my ISP, Time Warner, couldn't care less about DNS poisoning. They haven't replied to my emails for 5 days. So reach up and pull those seatbelts tight because August 7th is just around the corner!

Mrkvonic
July 30th, 2008, 02:11 PM
Hello,
What's so special about August 7th?
Mrk

JRViejo
July 30th, 2008, 02:23 PM
Mrkvonic, that's when security researcher Dan Kaminsky will provide a detailed discussion of the DNS flaw at the Black Hat conference in Las Vegas.

Researcher's hypothesis may expose uber-secret DNS flaw (http://www.theregister.co.uk/2008/07/21/dns_flaw_speculation/)

JRViejo
July 30th, 2008, 04:10 PM
Upon further review... perhaps the reason why ISPs, mine included, are not rushing into fixing the DNS issue?

DNS patches cause problems, developers admit (http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111001)

And it gets better by the minute: Hackers start DNS attacks, researcher says (http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111098)!

Longboard
July 31st, 2008, 09:48 PM
@OP Bellgamin
I remembered somewhere where BOC had done interesting things re my hosts file when I had it configured a certain way.

KMcA made this post at the time which has his "flavour" present

Thought you might be interested in his view, not sure how it pans out with respect to the recent DNS issues ??
http://www.wilderssecurity.com/showthread.php?t=108368

Also goes to a core issue with configuration of BOC
http://www.wilderssecurity.com/showthread.php?t=216375

JRViejo
July 31st, 2008, 10:14 PM
Rmus was correct in his advice to use the OpenDNS service as a stopgap measure, even the Media is touting it now:

Protect yourself against poison DNS attacks in 30 seconds (http://blogs.computerworld.com/protect_yourself_against_poison_dns_attacks_in_30_seconds)

Rmus
July 31st, 2008, 11:34 PM
{QUOTE-> Mrkvonic, that's [Aug 7] when security researcher Dan Kaminsky will provide a detailed discussion of the DNS flaw at the Black Hat conference in Las Vegas. <-QUOTE}
Someone spoiled his moments of fame.

See LoneWolf's thread, Hackers start DNS attacks:
http://www.wilderssecurity.com/showthread.php?t=216498

Other threads:

With DNS Flaw Now Public, Attack Code Imminent
http://www.dslreports.com/forum/r20833863-With-DNS-Flaw-Now-Public-Attack-Code-Imminent

Exploit Code for Kaminsky DNS Bug Goes Wild
http://www.dslreports.com/forum/r20843454-Exploit-Code-for-Kaminsky-DNS-Bug-Goes-Wild

DNS Disaster First Attacks Reported
http://www.dslreports.com/forum/r20872206-DNS-Disaster-First-Attacks-Reported


JRViejo
August 1st, 2008, 12:56 AM
Rmus, once the leak came out, the game was over and the only thing to wonder is: will Dan Kaminsky, on August 7th, bring something new to the DNS poisoning table that is not taking place today?

EASTER
August 1st, 2008, 01:14 AM
I truly don't understand why peeps use the internet to pass credit card info or banking data across a line that's continually proven unsafe for a long time, unless you enjoy contributing free money to unknown recipients just waiting for your gift.

That's why they invented the telephone and ATMs as well as the postal service; of course branches have their open hours too to do business one on one. If a business doesn't have a phone and I make a transaction without a reference number, it don't fly with me.

bellgamin
August 1st, 2008, 02:11 AM
@Longboard -- I'm not a fan of BOC (BOClean) which is "untestable" (purportedly) & (IMO) old tech. I used it for a while, but I still had B.O. (kidding)

@Easter - I keep all my $$$ in the 1st National Bank of Funafuti, so I have no choice but to use the internet. (Kidding) But seriously -- despite DNS poisoning, XSS & all the other ap-cray -- transacting business on the net is both safe & efficient (if you know what you're doing).

@All- I use Paypal's little electronic gadget that generates a unique additional pass-number for each transaction. If someone somehow copied one of my logons to Paypal, he would have a copy of a 1-time pass-number that would be useless for any future transactions. I have heard that some banks are moving toward this sort of double-check.

My point is: I for one do not intend to let any threat cause me to run & hide. Paypal's little gadget is one way to avoid the consequences if I get DNS-poisoned (despite all my other security precautions). There is always going to be another new threat, & the good guys will always develop a way to de-fuze that threat. That's what makes Wilders so interesting, wot!!!

There never was a horse that couldn't be rode.
There never was a rider that couldn't be throwed.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

P.S. My advice to DNS poisoners -- Never slap a man who’s chewing tobacco.

ambient_88
August 1st, 2008, 02:12 AM
{QUOTE-> I truly don't understand why peeps use the internet to pass credit card info or banking data across a line that's continually proven unsafe for a long time, unless you enjoy contributing free money to unknown recipients just waiting for your gift.

That's why they invented the telephone and ATMs as well as the postal service; of course branches have their open hours too to do business one on one. If a business doesn't have a phone and I make a transaction without a reference number, it don't fly with me. <-QUOTE}
Because it is more convenient to shop online. You choose the item you want, enter your info, then submit. Besides, even if you don't shop online, your credit card information could still be compromised because they are stored somewhere that is connected to the internet.

Identity Theft is inevitable, but it can be greatly reduced.

Bubba
August 1st, 2008, 08:18 AM
{QUOTE-> That's why they invented the telephone and ATMs as well as the postal service <-QUOTE}
Those three avenues are no more immune to MITM attacks than Internet commerce. They all have their own protection, and we as individuals have to do our part in helping with that layer of protection also.