Securing DNS on OSX


It’s been a few weeks since [Dan Kaminsky] announced the nature of the DNS vulnerability and allowed 30 days of non-disclosure for patches to be applied before details of the exploit went public. Unfortunately, the details were leaked early and it didn’t take long for a functional exploit to be released into the wild. Since then, many ISPs have taken steps to prevent their users from falling victim to the attack, and BIND, the widely-used DNS protocol implementation, was updated to minimize the threat. Even then, there were reports of a version of the attack being actively used on AT&T’s DNS servers.

Mac OSX uses a BIND implementation but as of yet, Apple has not released a patch updating the system (Microsoft, on the other hand, patched this up on July 8). As a result, machines running OSX are at risk of being exploited. Individual users are less likely to be targeted, since the attacks are directed towards servers, but it’s not a smart idea to leave this vulnerability open. [Glenn Fleishman] has published a way to update BIND on OSX manually, rather than waiting on Apple to patch it themselves. It requires Xcode and a bit of terminal work, but it’s a relatively painless update. When we tried it, the “make test” step skipped a few tests and told us to run “bin/tests/system/ifconfig.sh up”. That allowed us to re-run the tests and continue the update without further interruption. [Fleischman] warns that people who manually update BIND may break the official update, but he will update his instructions when it happens with any possible workarounds. Unfortunately, this fix only works for 10.5 but alternative, yet less effective methods may work for 10.4 and earlier.

If you’d like to know if your preferred DNS servers are vulnerable or not, you can use the DNS checker tool from Doxpara. As an alternative to your ISP’s DNS servers, you can use OpenDNS, which many prefer for its security features and configuration options.

Comments

  1. sPiTfIrE-K1LL says:

    why would you want to run DNS on a Mac, anyways? (Yes I know it’s Apple, not Mac).

    Windows is for gaming
    Linux is for servers
    Mac is for looking pretty

  2. Geek505 says:

    @sPiTfIrE-K1LL, please do your research before you talk trash.

    Mac OS X is BSD derived, BIND was originally developed on and released for BSD.

    “BIND was originally created by four graduate students with CSRG at the University of California, Berkeley and first released with 4.3BSD. Paul Vixie started maintaining it in 1988 while working for DEC.”

    It’s under a BSD-like licence too.

  3. gm says:

    Patch is out. Check your software update.

    (I’m not even going to bother replying to #1…)

  4. Charlie says:

    Thanks for posting this resourceful acticle. I have secured my DNS and learned a great deal.

  5. sPiTfIrE-K1LL says:

    And just because something runs well in DOS, doesn’t mean it runs well in a Windows environment.

    Check out DHCP on Mac server.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 98,524 other followers