Apple Fails to Patch DNS ‘Cache Poisoning’ Attack
The previously hypothetical DNS cache poisoning bug you’ve no doubt heard about has made its way into the wild. That isn’t all that surprising given that there are no less than three publicly available exploits, which have been downloaded some ten thousand times.
What’s disturbing isn’t that the code is in the wild and potentially aimed at your DNS server. No, the problem is that, despite a concerted effort by vendors, there are still countless unpatched servers out there.
Apple especially has failed to protect its users. Even the normally Apple-supportive Tidbits blog has called the company out for failing to patch its OS X Server software.
The really sad thing in Apple’s case is that the Internet Systems Consortium’s BIND DNS server, which is what OS X Server uses, was one of the first patched systems made available. Apple has simply declined to pass the patch on to its users, leaving them vulnerable to DNS cache poisoning and other attacks.
So how do you know if your ISP has patched your DNS server? Well, the short answer is you probably don’t. You could dig through and see if your ISP has made an announcement. Or maybe call customer service (good luck with that).
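One way to answer that question yourself is to look at the source ports of the queries a resolver sends upstream, since randomizing them is what the patch adds: an unpatched server uses one fixed or steadily incrementing port, a patched one spreads queries across the port range. The following is an added example, not code from the original article; the tcpdump-style sample lines, the rating thresholds and the function names are constructed assumptions.

```python
"""Rate how well a recursive resolver randomizes the source ports of its
outgoing queries (the mitigation shipped for the 2008 cache-poisoning bug).
Added example; thresholds and sample capture lines are constructed, not an
official scale or real traffic."""
import random
import re
import statistics

# Source port of a query to port 53 in a tcpdump line such as
# "IP 192.0.2.10.41532 > 198.51.100.1.53: 1234+ A? example.com."
_QUERY_RE = re.compile(r"IP [\d.]+\.(\d+) > [\d.]+\.53: ")

def source_ports(capture_lines):
    """Extract the UDP source port of each outgoing DNS query in a capture."""
    ports = []
    for line in capture_lines:
        m = _QUERY_RE.search(line)
        if m:
            ports.append(int(m.group(1)))
    return ports

def rate_source_ports(ports):
    """Return (rating, distinct_ports, stddev). A patched resolver makes the
    attacker guess the port as well as the 16-bit transaction ID, so we want
    many distinct ports spread widely across the range."""
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    distinct = len(set(ports))
    sd = statistics.pstdev(ports)
    sequential = all(b - a == 1 for a, b in zip(ports, ports[1:]))
    if distinct == 1 or sequential:
        rating = "POOR"      # fixed or incrementing port: unpatched behaviour
    elif distinct < 0.9 * len(ports) or sd < 1000:
        rating = "FAIR"      # varies, but still narrow enough to guess
    else:
        rating = "GOOD"
    return rating, distinct, round(sd, 1)

def constructed_capture(ports):
    """Build tcpdump-style lines (constructed sample data) for the given ports."""
    return [f"IP 192.0.2.10.{p} > 198.51.100.1.53: {i}+ A? example.com."
            for i, p in enumerate(ports, start=1)]

# Unpatched behaviour: every query from one port, or ports counting up by one.
FIXED_PORT_CAPTURE = constructed_capture([53] * 20)
SEQUENTIAL_CAPTURE = constructed_capture(range(32768, 32788))
# Patched behaviour: ports drawn at random from the unprivileged range.
RANDOM_PORT_CAPTURE = constructed_capture(
    random.Random(2008).sample(range(1024, 65536), 20))
```

Feed it the output of a capture of your resolver's outbound port-53 traffic; a POOR or FAIR rating means the server is still worth replacing.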
Or you could just replace your DNS server with one that you know is secure. It isn’t hard to do at all, and we’ve got a new OpenDNS tutorial to walk you through the few steps it takes to set up OpenDNS as your DNS server. OpenDNS isn’t affected by this latest bug, and as an added bonus it’s generally faster than what your ISP uses.