
New Report Warns Against "DNS Forgery Pharming" on BIND 9

In a recent report released by Trusteer, security researcher Amit Klein shows that he has cracked BIND's random number generator and demonstrates a new attack affecting most Internet users. In this "DNS Forgery Pharming" attack, fraudsters can remotely force consumers to visit fraudulent websites without compromising any computer or network device.

The report advises ISPs and enterprises managing a BIND 9 DNS server in a caching configuration to apply the latest patch released by the ISC. Existing desktop security solutions cannot protect against this type of attack, since DNS forgery pharming does not involve the user's computer or the DNS server but rather the cached data on the DNS server.


By CircleID Reporter – CircleID's internal staff reporting on news tips and developing stories.



Re: New Report Warns Against "DNS Forgery Pharming" on BIND 9 By Matthew Elvey  –  Jul 30, 2007 10:20 pm PDT

This issue makes me worry much more about the huge number of root certificates that ship with the major browsers and OSes. Why do I need to have 50 root certificates? Seems like it would be better to get rid of most of them. I wouldn't be surprised if I can get a cert for www.bankofamerica.com from, say, Equifax, or one of the dozens of other CAs, even though VeriSign has already issued one. All I'd need to do is launch a DNS poisoning attack on the CA's DNS servers. Hmm… maybe I should keep my mouth shut. AFAIK, there are no plans or efforts to prevent or detect such occurrences. (Other than the enhanced security cert push, and I haven't noticed any of the major players upgrading to these certs.)
