Whether you're running Linux, Windows, Cisco, Sun, or other DNS servers, you are at risk from a newly discovered vulnerability. So says Dan Kaminsky, head of penetration testing research at IO Active, who accidently discovered the DNS "design flaw" earlier this year.
You can check whether the DNS servers you use are vulnerable by clicking the Check My DNS button in the upper right corner of Kaminsky's Web site.
Kaminsky says he made the discovery entirely by accident. When he realized the flaw was a fundamental design flaw that is universal in scope, he called for a summit of security researchers to decide on a course of action. That summit took place on the Microsoft campus on March 31, and out of it a multi-vendor patch solution was developed. Microsoft, Sun, Cisco, Bind, and other firms will be releasing patches for the flaw today. Linux distributions are expected to start providing patches today as well. Debian users already can find Bind patch instructions online.
The problem in general terms is described as insufficient randomness. Vendors have tried to deliver the fix in a way that can't be reverse-engineered to reveal the actual flaw. Full details on the flaw will not be revealed for 30 days, in order to allow system administrators time to evaluate and apply patches to their DNS servers. DNS clients are also at risk, but to a much smaller degree, and the focus at present continues to be on DNS servers.
According to Kaminsky, the rule for applying patches for this flaw should be, "If it recurses, patch it."