DNS
Latest
Comcast network upgrade blocks DNS blocking, could make SOPA self-incompatible
Now here's a quirky twist in the ongoing SOPA opera. Comcast has just deployed DNSSEC technology across its entire internet service, which adds an extra layer of security to websites by checking that they have a special DNS signature to prove their identity. All well and good, except that in the process Comcast has been forced to admit that DNSSEC is "technically incompatible" with DNS redirect tools -- which happen to be precisely the tools that the Stop Online Piracy Act would use to block websites accused of copyright violation. The irony only deepens when you realize that Comcast is a major proponent of SOPA and, if anything, ought to be able to comply with its future edicts.
The SOPAbox: Defeating online piracy by destroying the internet
Disclaimer: The Soapbox column is entirely the opinion of this week's writer and does not necessarily reflect the views of Massively as a whole. If you're afraid of opinions other than your own, you might want to skip this column. Unless you've been living under a rock, chances are you've heard of SOPA and PIPA. The Stop Online Piracy Act and PROTECT IP Act are two radical pieces of copyright legislation currently being pushed through the US government. Although the stated intent of the new legislation is to provide companies with additional tools with which to combat piracy, the bill's loose wording has raised some serious alarm bells. Opponents to the proposed law say it would give corporations the ability to shut down any almost any website under the guise of protecting copyright infringement. Gamers will be affected worst of all, as the loose wording of the law makes any website with user-submitted content potentially vulnerable to a shut down order. That could include YouTube, Facebook, Twitter, any blog with a comment section, or even any online game with a chat system. Perhaps the scariest part is that you'll be affected even if you're not in the US, as one of the new law's enforcement mechanisms is to remove a site from the DNS records, a move that assumes the US has jurisdiction over the global Domain Name System. AOL is among many huge companies strongly opposing SOPA, and so naturally Massively opposes it too. In this week's massive two-page Soapbox, I make the case for why you should be worried about SOPA, and I suggest what can be done to tackle piracy in the games industry. Comments can be left on page two.
Global Internet Speedup pushes DNS optimization, wants to bring content closer to you
When you think of factors affecting Internet speed, domain name servers probably don't top your list. But a consortium including Google, OpenDNS and a number of content delivery networks believes otherwise, and wants to draw attention to DNS optimization. To that end they've proposed the Global Internet Speedup initiative. What's that, you ask? The group wants to append truncated IP addresses to typical webpage requests: that will provide geographic information, letting providers make better choices about how to serve their users. For example, if a user in Kalamazoo, Michigan happens to have a DNS server in San Francisco, that server might pass the request off to the nearest content network – also in San Francisco. That means having to push data from SF to Kalamazoo, which is obviously a longer trip than necessary. If the DNS server knew just where its requests originated, geographically, it could make smarter choices about content providers: that Kalamazoo user, say, might instead use a Detroit content network. Not everyone's on board with the plan; Akamai isn't impressed, saying there are better ways to speed up the net. But you'll surely earn geek cred for bringing up DNS optimization at your next cocktail party.
Google wants to speed up your site, while resisting the urge to sell you stuff
Google has plenty of things going for it, but patience has never really been high on the list -- not surprising, really, for a company that employs scooters to get around the halls of its offices. The search giant has taken a similar approach to the web, offering up a number of services to help speed things up around the old tubes. Page Speed Service is the latest simply named initiative on that front, which has apparently offered up speed improvements of 25 to 60 percent in its early testing phases. How does this magical quickening work? Google grabs content from your servers, rewrites pages with performance best practices, and sends them out through its own servers. The service has raised a few eyebrows, but Google insists that Page Speed Service is all about improving performance, not collecting information for future advertising opportunities.
Apple TV streaming can be hindered by Google DNS
If you are experiencing problems with streaming video on your Apple TV, you may want to take a closer look at your DNS settings, according to Mac developer Joe Maller. Maller recently rented an HD video via iTunes and was astonished to discover it would take two hours to download over a reasonably fast 15-20 MBps Internet connection. Maller searched for an explanation and stumbled upon other users who were reporting the same problem while streaming rentals. According to Maller, the problem occurs when you change your DNS settings from your ISP to a third-party like OpenDNS or GoogleDNS. When you revert your DNS setting to your ISP's servers, the problem disappears. According to Maller's theory, Akamai is able to obtain the correct geography information and accurately route you through the closest server when you use your ISP's DNS settings. If you subvert this process using a third-party DNS service, then the routing from Akamai may be less than optimal. It may even route everyone through the same pipes which causes congestion and slows down streaming. While this intuitively makes sense, Maller only provides anecdotal evidence to support this theory. Until more evidence surfaces, I would not go around telling everyone they need to ditch OpenDNS or GoogleDNS. Nonetheless, this possible DNS effect is something to store in the back of your mind as changing your DNS is potentially a quick and easy solution if you are having difficulties while streaming Apple TV rentals. [Via ZDNet]
Comcast internet down in the midwest, DNS servers to blame again
Deja vu all over again? Not quite -- this time it's Minnesota, Michigan, Illinois and Indiana feeling the pain of no Comcast internet, according to a bevy of tipsters and a series of official ComcastCares tweets. As before, the fix is fairly simple, assuming you know how to manually switch your DNS -- just point your computer to a public domain name server (like Google's at 8.8.8.8 and 8.8.4.4, but there are plenty of others) and things should re-route themselves in seconds flat. Friends don't let friends go without a connection, so if you know someone who's likely affected but won't find out what's wrong until it's too late, why not shoot them a text message or something to share the fix? [Thanks to everyone who sent this in]
US government seizes domain names, claims to have a warrant
We're all for bashing botnets, but the US Immigrations and Customs Enforcement (ICE) may have crossed a line -- in the midst of nabbing counterfeiters this weekend, the government organization seized the domains of a torrent meta-tracker and a trio of music sites. Today, the picture above is the only thing you'll see if you go to Torrent-Finder.com, RapGodFathers.com, Dajaz1.com or OnSmash.com, as the ICANN domain registration for the four are now in the ICE's possession, presumably on suspicion of piracy. If you ask the original domain owners however, they'll vehemently refute such allegations -- the torrent site reportedly didn't even distribute torrents themselves, merely cross-referenced other sites that do, and a RapGodFathers representative told TorrentFreak that it had complied with all DMCA takedown notifications. Apparently the websites and servers themselves are still intact, and it's only the URLs at stake, as two of the four websites are already up and running at domains ending in .info. We have to admit, this particular brand of domain squatting could be an intriguing business model. Expect "seized domains" to be tacked onto the laundry list of "Valuable Items You Too Can Buy at Government Auction!" any day now. [Thanks, Brian]
Seven physical keys serve as the internet's horcrux
The internet may not have a kill switch, but there really are a set of keys, developed by ICANN in case of digital catastrophe. Seven keyholders across the world hold smart cards like the ones you see above, each with a piece of the DNSSEC's recovery key. What's that, you say? We're glad you asked -- DNSSEC's an initiative to make sure websites are who they say. To do that, it needs a way of authenticating domain names with a cryptographic master key, and a replacement copy of that key is the item these individuals are safeguarding. Even banded together, the individuals have no power over the internet at large -- the tokens simply allow the world to reboot the authentication system in case ICANN's two facilities happen to simultaneously go down. Policies and procedures dictating how this all works sadly include neither demonic keymasters nor secret societies, but you're welcome to hit up our more coverage link for the deep dive.
Researcher will enable hackers to take over millions of home routers
Cisco and company, you've got approximately seven days before a security researcher rains down exploits on your web-based home router parade. Seismic's Craig Heffner claims he's got a tool that can hack "millions" of gateways using a new spin on the age-old DNS rebinding vulnerability, and plans to release it into the wild at the Black Hat 2010 conference next week. He's already tested his hack on thirty different models, of which more than half were vulnerable, including two versions of the ubiquitous Linksys WRT54G (pictured above) and devices running certain DD-WRT and OpenWRT Linux-based firmware. To combat the hack, the usual precautions apply -- for the love of Mitnick, change your default password! -- but Heffner believes the only real fix will come by prodding manufacturers into action. See a list of easily compromised routers at the more coverage link.
Manage your DNS settings for faster web browsing
In the Network Settings pane of your System Preferences, you may have noticed that you can manually set the DNS servers your connection will use. There are a few reasons for doing this, namely speeding up the time it takes to look up any given website, but also to bypass some annoyances in your ISP's (or IT department's) default name server. Such annoyances could include domain blocking, censorship and other things you may or may not know are even happening. For the most part, though, you'd change your DNS settings to make sure you were using the fastest possible server from your current location. Read on to find out how!
Bypass PS3 firmware 3.21 in seconds -- at your own risk (update: defunct)
Face it: Sony's backed you into a corner. You can't play PS3 online without downloading the 3.21 firmware update, but if you download, your precious 'Other OS' is forfeit -- and there may be side effects. You could wait it out, hoping Geohot comes through with a workaround. You could even sue Sony for a refund if you live in Europe. Or, if you're not terribly worried about the security of your PSN account and personal information, you could instead input just ten digits into your PS3 and magically bypass the entire issue. Though technically minded individuals have been skirting Sony's firmware checks for years now using private proxies, homebrew developer Aaron Lindsay decided to set up a public server at 67.202.81.137, which allows anyone to piggyback on his success in mere seconds -- we tried it ourselves, and it worked like a charm. By doing so, you run the risk of giving Aaron all your credentials... but if the odd identity theft doesn't break your stride, you can jump right back into that Uncharted 2 session by entering the above number into Internet Connection Settings > DNS Setting > Primary DNS. Update: As of April 13, the proxy DNS trick no longer works. We're not sure why, but considering how long the hacking community holds a grudge, we expect a workaround in due time.
Pogue-praised Line2 is offline for the moment
The price of fame: earlier this week, David Pogue lavished Toktumi's VoIP app Line2 with a hearty helping of NYT love, saying that the $1 app (which requires a $15 monthly subscription) "has the potential to shake up an entire industry." We first mentioned the service back in February, and while Steve wasn't quite as enthusiastic as David P., he did acknowledge that it's a great tool for small businesses or heavy phone users. As of last night, however, the Line2 service is temporarily offline and the app has been voluntarily pulled from the App Store; as Technologizer reports, the company's servers are being targeted by a DNS attack, and the service quality was degraded to the point where Toktumi execs felt that it was better to avoid a bad initial experience for new users while they resolved the problem. Toktumi is updating users via its Twitter feed as to the anticipated resolution. Seeing an app summarily pulled from the App Store, or rejected on specious grounds, has certainly happened before in the VoIP, audio and telephony space (in fact, just this morning the developers of Snowtape let us know that they're struggling to get their app through approval), so it was understandable that reader Arnoldo was anxious when he sent in an email this morning about the outage. In this case, however, it's not Apple pulling the strings.
Solutions for login issues
We are continuing to get tips from readers that they are having login issues. If you are one of the many still having trouble logging in, commenter tknogk suggested flushing your DNS and Blizzard has backed this up with more detailed advice.Blue poster, Syndri, suggests three possible resolutions for the login problems: Reboot your computer. Flush your DNS cache. Power cycle your modem and/or router. If none of these solutions solve your problem, Syndri seems to be closely monitoring the login server down post in the Technical Support Forums and you may be able to get further help by posting in there.Please let us know in the comments if this solved your login issues.Edited to add: Blizzard is not saying it is the fault of the people having problems. They made changes on their end and we just need to update things on our end in order to be able to connect properly again.
Sophos video shows Mac trojan caught in the act
Apple Mac malware: Caught on camera from Sophos Labs on Vimeo. It's not every day that you can watch Mac malware in action, but the team at Sophos Labs has put together the demonstration video above; it shows a malicious installer downloaded from a site pretending to serve up an HD video player, which actually carries the RSPlug-F trojan. Even though Mac users would still have to provide admin credentials to install the application (unlike Windows users, who might catch the Zlob malware just by visiting the webpage), it would be perfectly natural to go ahead and authenticate after downloading an installer... but not a good idea in this case. The fake site and bogus application are appearing in two versions, one billed as MacCinema and another trying to steal the goodwill of a legitimate Windows app called HDTV Player (the real app is from blazevideo.com). RSPlug-F does try to change your DNS settings to point at bad-guy controlled servers, which could conceivably result in you being redirected to malicious or phony sites; however, if your ISP is on the ball, those bogus DNS servers are already blocked. The only way to catch this bit of malware is via the installer, but it's easy to see how an innocent Mac user might be fooled by the convincing-seeming download site. [H/T Ars Technica Infinite Loop]
10.5.5 update fixes DNS vulnerability
Apple's Mac OS X 10.5.5 update (and Security Update 2008-006) fixes a critical DNS vulnerability that could allow attackers to trick victims into visiting malicious Web sites using what's known as a "cache poisoning attack." We wrote about the vulnerability in August. Although Apple's release notes say BIND was updated "to address performance issues," the update also delivers the promised address port randomization that protects users from such cache poisoning attacks. The original patch offered protection for Apple's servers but did not completely protect client systems. Apple's updates fixed flaws in several applications and system components, including some that attackers could use to run unauthorized software on a user's computer. [Via IDG.]
iPod touch firmware, Bonjour for Windows close security holes
It's not all new features and delight behind the scenes with the now-shipping iPod touch 2.1 firmware -- among the updates and changes are five patches to address security issues with the device. Frameworks that have been tweaked include the Application Sandbox, CoreGraphics, the mDNSResponder, Networking, and WebKit. The mDNS fix tackles the Dan Kaminsky DNS vulnerability that sparked controversy over the pace of Apple's patch releases... yet more proof that the iPod touch is a teensy little computer, with all the risks and challenges thereto. You can review the security notes for the update at Apple's security site, and of course you can download the update through iTunes.Also updated for security purposes today was the Bonjour for Windows package, now at version 1.0.5. This utility, which gives XP and Vista machines access to zero-configuration network resources such as printers or Mac OS X web sharing, now includes a couple of DNS-related patches including one for the vulnerability noted above. See here for the full details; Bonjour for Windows is downloadable from Apple as well.
Apple's DNS patch coming up short
The distance between good intentions and actual results seems to be getting longer and longer. While Apple did release a security patch yesterday that included a fix to BIND for the highly publicized cache poisoning exploit -- some time after most other vendors got updates out to customers -- that fix doesn't seem to be, you know, actually working.Multiple sources have noted that Apple's DNS patch, at least on Mac OS X 10.4 and 10.5 client versions, isn't implementing the key feature that's meant to block cache poisoning: port randomization on requests. While the same version of BIND running on Linux systems behaves as expected, Mac OS X machines doggedly issue DNS requests on sequential ports, making them far more vulnerable to spoofing by malicious folk.This may seem like an esoteric vulnerability, and indeed for most Mac users the more important question is whether or not your ISP or network manager has patched the primary DNS servers you rely on (you can check your DNS server status via Dan Kaminsky's tool here). The behavior of Apple on this security issue, however, is very troubling. Waiting weeks to issue a patch for a key vulnerability and lagging behind other OS vendors is bad enough; shipping that patch only to have the user community discover that it doesn't work worth a bucket of warm spit ... that's not the act of a company that claims to care deeply about the security of its customers.Update: Kaminsky suggests that we lighten up; Mac OS X Server (which would be the most vulnerable to attack, if it serves as the primary DNS for your network) has been patched, even if the client patch isn't behaving properly yet.
Apple Security fix includes BIND update
Yesterday, shortly after I read TidBITS' post on securing the DNS flaw that Apple had ignored for a while, Apple released a security fix which finally took care of the situation. This comes 3 weeks after the security industry began taking matters into their own hands. This fix does overwrite the files updated in the TidBITs post on manually correcting the issue, mentioned above. In Apple's notes on the update, they mention fixes for: Open Scripting Architecture, which addresses the ARDAgent issue which allowed Trojan Horses and non-administrator users to gain root access The aforementioned BIND issue which allowed for DNS poisoning (allowing malicious websites to forge their identity) A CarbonCore stack buffer overflow which allowed for arbitrary code execution A CoreGraphics memory corruption issue and a CoreGraphics PDF weakness, both allowing for arbitrary code execution A Data Detectors issue which could be exploited for [DOS](http://en.wikipedia.org/wiki/Denial-of-service_attack) attacks A Repair Permissions/emacs exploit in Disk Utility An LDAP weakness An OpenSSL weakness Multiple PHP vulnerabilities A flaw in QuickLook's handling of maliciously crafted Microsoft Office files An issue with rsync's handling of symbolic links Some of those had been reported, some I hadn't heard about previously, but I'm certainly feeling more secure this morning. [via Macworld]
GoDaddy invades WoW Armory
In one of the most bizarre things I've seen happen to the World of Warcraft in my three years playing, the WoW Armory site today is pointing to a generic GoDaddy.com domain parking page. The screenshot above was taken at 1:08 p.m. CST on March 2nd, 2008. WoW Insider has received numerous reports of this. It seems to be a DNS related issue. The domain name wowarmory.com expires today, and it appears as if a registrant has grabbed the wowarmory.com domain name as soon as it expired.DNS entries for blizzard.com and worldofwarcraft.com point to cerf.net, while the DNS servers for wowarmory.com are currently pointing to domaincontrol.com. While some of you might be seeing wowarmory.com work correctly, others are not. The ISPs of people who are seeing it work have not had their DNS records updated yet, however within the next 48 hours they will see wowarmoy.com go down as well; unless Blizzard fixes this before then (I am sure they are already aware, or becoming aware of it).Stay tuned to WoW Insider for the latest on this story.Thanks to Matthew Rossi and his wife for contributing to the technical sleuthing in this post.Updated 2:34 p.m. EST: You can access the armory using a sub-domain of worldofwarcraft.com by going to http://armory.worldofwarcraft.com/Updated 3:03 p.m. EST: http://www.wowarmory.com/ is now working again. It looks like Blizzard really jumped on the issue and fixed it.
Solving recent connection issues
Many of us, both in and outside of the United States, have been having serious connection issues with the game recently. Not only can we not connect to the game, but we can't even get on the main World of Warcraft website. This can be particularly infuriating because we can't go and find help. When I got dropped in the middle of Kael'Thas (the real fight, not the weeksauce one in Magisters' Terrace), I wanted to take my computer out to a field and yell obscenities at it about PC load letter.WoW Insider feels your pain! After all, imagine having to write about WoW only to find out you can't get into WoW.I wanted to answer a lot of the comments about what people can do. First and foremost, we're not Blizzard. So we can't really say for sure what's going on. We can make educated guesses through. Continue reading after the break for what you can do and where you can go to solve this problem.
