
Wednesday, July 30, 2008

Comments


Chris Buechler

Insight was slow to patch this DNS issue. I don't use Insight DNS servers on any of my Insight connections, but tested out of curiosity. After the details of the issue were inadvertently disclosed early and exploit code was available, it was still at least a few days until Insight had patched the issue.

It does look good now though:

$ dig +short porttest.dns-oarc.net TXT @74.128.1.31
porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"74.128.1.31 is GREAT: 52 queries in 28.9 seconds from 52 ports with std dev 19251"

It could be worse - AT&T had a DNS server cache poisoned from this vulnerability.
http://isc.sans.org/diary.html?storyid=4801
I would guess Insight probably didn't see any such thing. But they still left customers at risk by the slow response on this; it was at least two weeks before the patch was applied. Proactive? Hardly! I understand you have to test these things first, but it doesn't take two weeks to properly test this DNS patch. And yes, I do run significant networks and am well versed in DNS - sorry, can't pull the "never run a network" bit on me. ;)

On the topic of DNS, I have a serious problem with what Insight does with NXDOMAIN queries. For the less technical, this is the cause of the not-found-entry, spammy-looking pages you get when you mistype a URL. It *should* appear to users the same as it did to me when I first saw it. I assumed the PC I was on, which wasn't mine personally, was infected with spyware. Insight even does this on the several business connections I manage. It's unethical, has privacy concerns (sends all your typos to some company that has a far less than ethical appearance), and there is no legit means of opting out (the "opt out" available is a joke; it doesn't truly opt you out).

I suggest all Insight customers, and any customers of any ISP that does similar things, use OpenDNS instead of their ISP's DNS servers (http://www.opendns.com). It's free, and also offers some nice additional functionality such as content filtering. For the techies, it won't return NXDOMAIN by default, but if you sign up for a free account you can enable it. For me, I can't do my job on my business class Insight connections using their DNS servers because they don't return NXDOMAIN. Part of my job is network security testing, and a number of security tools require NXDOMAIN responses to function properly.

Overall I'm a happy Insight residential and business customer, with service at a number of locations, but am disappointed in both of these areas.
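Added example, not part of the comment above or of the blog: a small Python checker, standard library only, that asks a resolver for a random nonexistent subdomain of example.com and reports whether it answered with an honest NXDOMAIN or synthesized records, which is the NXDOMAIN rewriting the comment describes. The resolver address, the example.com label and the constructed sample responses used offline are assumptions.

```python
import os
import socket
import struct

NXDOMAIN = 3  # RCODE value meaning "name does not exist" (RFC 1035)

def build_query(name, qtype=1):
    """Build a minimal DNS query (QTYPE A, recursion desired); returns (txid, packet)."""
    txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack(">HH", qtype, 1)  # QCLASS IN

def parse_header(packet, txid):
    """Return (rcode, answer_count) from the 12-byte DNS header; reject mismatched ids."""
    if len(packet) < 12:
        raise ValueError("truncated DNS message")
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:  # QR bit must be set on a response
        raise ValueError("not a DNS response")
    return flags & 0x000F, an

def classify(rcode, answer_count):
    """Map the header fields to a verdict about NXDOMAIN handling."""
    if rcode == NXDOMAIN:
        return "honest"      # resolver reported the name as nonexistent
    if rcode == 0 and answer_count > 0:
        return "redirected"  # NOERROR plus records for a name that cannot exist
    return "inconclusive"

def check_resolver(server, timeout=3.0):
    """Query `server` (assumed IPv4 address) for a random, nonexistent subdomain of example.com."""
    name = "nx-%s.example.com" % os.urandom(6).hex()  # random label defeats caching
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return classify(*parse_header(data, txid))

def constructed_response(txid, rcode, answer_count):
    """Constructed sample header (no question/answer sections) for offline demonstration."""
    return struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, answer_count, 0, 0)

if __name__ == "__main__":
    print(classify(*parse_header(constructed_response(7, NXDOMAIN, 0), 7)))  # honest
    print(classify(*parse_header(constructed_response(7, 0, 1), 7)))         # redirected
```

Against a live resolver, `check_resolver("74.128.1.31")` returns "honest" when NXDOMAIN comes back unchanged and "redirected" when the resolver answers with records for a name that cannot exist.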
