Protecting Internet Name Resolution
Harbor Computer Services will be changing the DNS server forwarder locations and also applying a client and server side DNS patch as an emergency measure. This change is underway now and is a high priority item. It will take precedence over other minor issues. This will require a reboot of your server to take effect. Your technician will schedule this reboot with you.
Background: A few weeks ago a major flaw was discovered in DNS. This flaw affects all DNS servers in the world manufactured by every vendor. The flaw allows the bad guys to redirect your request, to visit google.com for example, to a spoofed website designed to look like the original site but is infected with malware. This kind of attack is common on websites and many shopping and banking sites have suffered such attacks. What is different about this is that they can now hack the DNS servers themselves.
A DNS server is the thing that translates google.com to the IP address number. Sites on the Internet are organized by number, not by name. The name is only present so humans can remember it. Computers use the number. You have a DNS server in your office. It keeps track of where your Internal computers are located. So when you type h:\sbs\clients your computer turns to the DNS server and says "where's that?". The DNS server responds 192.168.16.2. In this hack, the DNS would instead respond with 208.192.31.40 and your request would be mis-directed to the bad guys. The same thing will happen with external websites as well, if your ISP's DNS server is compromised.
Immediately after this flaw was discovered Microsoft released patches and we began to apply them. However, it was later discovered that the patch caused issues of its own. Between then and now, Microsoft has re-released the patch along with a list of other changes that are necessary to protect the server. We have tested this new round of patches on our server and it has been running without issue for several days now.
In addition to your DNS, your ISP also provides you with a DNS server. In checking with the various ISP's we have found that their servers are not yet patched and can therefore not be trusted. Because of this condition, we are moving all DNS forwarding to OpenDNS. OpenDNS hosts known good, patched DNS servers.
OpenDNS: In addition to providing a known good safe DNS server for you, OpenDNS has some additional advantages that we will talk to your about at a later date to see if you would like to implement. OpenDNS allows us to create shortcuts to commonly used websites to cut down on your typing. For example, if you commonly visit your bank and the URL is https://secure.mybank.com/online/banking we could shorten that to just bank and you would always go to the URL specified. In addition to shortcuts we can also customize OpenDNS to block certain categories of websites.
Your cooperation is appreciated while we make this important change to keep your business safe.
Labels: Announcement
0 Comments:
Post a Comment
<< Home