KAMINSKYBUG.SE presented by .se and dnssec.se

Dealing with Kaminsky

In the summer of 2008, security researcher Dan Kaminsky published information about vulnerabilities in DNS. Other vulnerabilities were already known, but the so-called Kaminsky bug was something quite new.

There are two types of name servers: authoritative name servers and recursive resolvers. Authoritative name servers publish information about domain names to the public and are not directly affected by the Kaminsky bug, although they play an important part in eliminating the vulnerability. A recursive resolver is what your computer uses to look up domain names and translate them into IP addresses, and it is this function that the Kaminsky bug can make vulnerable.

Updates are available

Common recursive resolver software includes ISC BIND, Unbound and Microsoft DNS Server. Because of the seriousness of the vulnerability, Dan Kaminsky informed the suppliers of DNS software before making the information public, so that they could develop fixes in advance. Your system administrator should therefore have no problem updating your recursive resolver software.

Even though upgrades are available, it will take some time before all recursive resolvers have been updated. Large-scale name servers, for example those at your Internet service provider, have most likely been upgraded by now, and their authoritative name servers probably already use DNSSEC as well. DNSSEC is a set of extensions to DNS which, among other things, uses digital signatures to ensure that the answers to DNS queries come from the right server (read more below).

But there are also recursive resolvers that nobody looks after: perhaps a system administrator has changed jobs and their successor does not know exactly how all the services at your company work. To find out whether a name server you are using is vulnerable or uses DNSSEC, you can use this website's "Test your computer" feature.

Upgrade your software

If the test indicates that you are using a vulnerable recursive resolver it is highly recommended to upgrade to a version of your name server software that makes a Kaminsky attack more difficult to carry out. Contact your operating system or software vendor if you don’t know how to get hold of the necessary upgrades.

DNSSEC is the solution

The long-term solution to the threat posed by the Kaminsky bug is for the name servers on the Internet to start using DNSSEC (DNS Security Extensions). These extensions to DNS secure domain name lookups by cryptographically signing the DNS data. This makes it possible to guarantee that the answers to DNS queries really come from the correct source and have not been tampered with in transit. (You can read more on DNSSEC here.)

To be sure that a DNSSEC-signed answer comes from the right source, your recursive resolver must also check that the signature was created with the correct key. This is done by following a so-called “chain of trust”, which for the .se zone ends in a configured trust anchor for the .se domain. If you want your recursive resolver to use DNSSEC for the .se zone, you should follow the instructions found here.
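The chain-of-trust check described in the two paragraphs above, modelled in Python as an added example (this is not code from kaminskybug.se or from any resolver). It assumes a toy RSA in place of the real DNSSEC algorithms, plain tuples instead of DNS wire format, a single key per zone, and constructed names, addresses and primes. What it shows is the order of checks a validating resolver performs: the configured .se trust anchor must match the .se DNSKEY, the DS record signed by .se must match the child zone's DNSKEY, and only then is the signature on the answer itself checked. An answer signed with a key .se never vouched for, or an answer changed in transit, fails at the corresponding link.

```python
import hashlib

# Mersenne primes for the toy keys (constructed choice; real DNSSEC keys are far larger).
M19, M31, M61 = 2**19 - 1, 2**31 - 1, 2**61 - 1
M89, M107, M127 = 2**89 - 1, 2**107 - 1, 2**127 - 1

def make_key(p, q, e=65537):
    """Toy RSA key pair (insecure by design): only the chain logic matters here."""
    n = p * q
    return {"pub": f"{e}:{n}", "d": pow(e, -1, (p - 1) * (q - 1)), "n": n}

def _hash_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(_hash_int(data, key["n"]), key["d"], key["n"])

def verify(pub, data, sig):
    e, n = (int(x) for x in pub.split(":"))
    return pow(sig, e, n) == _hash_int(data, n)

def rr_bytes(owner, rtype, rdata):
    """Canonical bytes a signature (RRSIG) covers; simplified to one record per RRset."""
    return f"{owner} {rtype} {rdata}".encode()

def ds_digest(owner, pub):
    """DS rdata: a hash of the child's DNSKEY, published and signed by the parent zone."""
    return hashlib.sha256(rr_bytes(owner, "DNSKEY", pub)).hexdigest()

class Zone:
    """A signed zone: every record is stored together with its signature."""
    def __init__(self, name, key):
        self.name, self.key, self.records = name, key, {}
        self.publish(name, "DNSKEY", key["pub"])  # the DNSKEY record, signed by itself
    def publish(self, owner, rtype, rdata):
        self.records[(owner, rtype)] = (rdata, sign(self.key, rr_bytes(owner, rtype, rdata)))
    def delegate(self, child):
        """Parent publishes the DS record that vouches for the child's key."""
        self.publish(child.name, "DS", ds_digest(child.name, child.key["pub"]))

def validate(zones, anchor_zone, anchor_ds, owner, rtype):
    """Follow the chain of trust from the configured anchor down to the answer.
    zones maps zone name -> the (possibly spoofed) data the resolver received.
    Returns (True, rdata) when every link holds, else (False, reason)."""
    labels = owner.split(".")
    suffixes = [".".join(labels[i:]) for i in range(len(labels))]
    path = [s for s in reversed(suffixes) if s in zones]  # e.g. ['se', 'example.se']
    if not path or path[0] != anchor_zone:
        return False, "no chain of trust to the anchor"
    expected_ds, pub = anchor_ds, None
    for i, zname in enumerate(path):
        zone = zones[zname]
        pub, sig = zone.records[(zname, "DNSKEY")]
        # Link 1: the zone's key must match the DS that the parent (or the anchor) vouches for.
        if ds_digest(zname, pub) != expected_ds:
            return False, f"{zname}: DNSKEY does not match DS"
        if not verify(pub, rr_bytes(zname, "DNSKEY", pub), sig):
            return False, f"{zname}: DNSKEY signature invalid"
        # Link 2: the DS this zone signed for its child becomes the expectation one level down.
        if i + 1 < len(path):
            child = path[i + 1]
            entry = zone.records.get((child, "DS"))
            if entry is None:
                return False, f"{zname}: no DS record for {child}"
            ds, ds_sig = entry
            if not verify(pub, rr_bytes(child, "DS", ds), ds_sig):
                return False, f"{zname}: DS signature for {child} invalid"
            expected_ds = ds
    # Link 3: the answer itself must carry a valid signature from the last zone's key.
    rdata, sig = zones[path[-1]].records.get((owner, rtype), (None, None))
    if rdata is None:
        return False, "no such record"
    if not verify(pub, rr_bytes(owner, rtype, rdata), sig):
        return False, "answer signature invalid"
    return True, rdata

def scenarios():
    """Constructed demo: a genuine answer, an answer under a forged key, and a tampered answer."""
    se = Zone("se", make_key(M61, M89))
    example = Zone("example.se", make_key(M107, M31))
    se.delegate(example)
    example.publish("www.example.se", "A", "192.0.2.10")  # constructed TEST-NET-1 address
    anchor = ds_digest("se", se.key["pub"])  # what an operator configures as the .se trust anchor
    zones = {"se": se, "example.se": example}
    results = {"genuine": validate(zones, "se", anchor, "www.example.se", "A")}
    # Poisoned cache: records signed with a key for which .se never published a DS.
    forged = Zone("example.se", make_key(M127, M19))
    forged.publish("www.example.se", "A", "203.0.113.66")  # constructed TEST-NET-3 address
    results["forged key"] = validate({**zones, "example.se": forged}, "se", anchor, "www.example.se", "A")
    # Tampered in transit: the genuine signature replayed over a changed address.
    tampered = Zone("example.se", example.key)
    tampered.records[("www.example.se", "A")] = ("203.0.113.66", example.records[("www.example.se", "A")][1])
    results["tampered rdata"] = validate({**zones, "example.se": tampered}, "se", anchor, "www.example.se", "A")
    return results

if __name__ == "__main__":
    for name, (ok, info) in scenarios().items():
        print(f"{name:15} {'VALID' if ok else 'BOGUS'}: {info}")
```

Run the file directly to print the three outcomes. In a real resolver the anchor is the key material you configure by following the .se instructions, the DNSKEY and DS records come from the authoritative name servers, and `dig +dnssec` against your resolver shows whether it set the AD ("authenticated data") flag, which is its way of reporting that this validation succeeded.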
