Kaminsky DNS Exploit revealed - What you should do


In recent weeks, the so-called "Kaminsky exploit" for DNS servers has garnered much attention.  The exploit makes it relatively easy for an attacker to execute a "cache poisoning" attack on a DNS cache server.  These cache servers are what a user's browser relies on to tell it which IP address hosts the content for a particular hostname.  In a DNS cache poisoning attack, the attacker inserts false entries for legitimate hostnames into the cache and thus directs unsuspecting users to fake sites under the attacker's control.  From the user's point of view, the fake site would have the proper URL.

For several weeks now, the DNS and security communities have been urging all ISPs, large companies and others that maintain DNS caching servers to install the software patches that have been quickly developed since this exploit was first discovered by security researcher Dan Kaminsky several months ago.  At that time, Kaminsky quietly informed leaders in the DNS community about the problem and together they organized a secret, industry-wide, coordinated effort to develop and release the software fixes before the details of the exploit became publicly known.

As of now, the details of the exploit and the patches are publicly known.  A fairly straightforward explanation of the exploit may be found in this blog entry.  Basically, the patches add source port randomization for a server's outgoing DNS queries.  Because the Kaminsky exploit relies in part on a predictable source port, randomizing that port makes the exploit impractical to execute.  On unpatched DNS servers, however, the exploit remains highly effective.  As of this writing, well over 50% of DNS servers remain unpatched, including those at some very large ISPs.
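The check a resolver operator most wants after reading the above is whether their own cache server actually randomizes its source port. The script below is an added example, not code from the original post or from Internet Identity: it takes (source port, transaction ID) pairs observed on a resolver's outbound queries, classifies the port behaviour as fixed, sequential or randomized, and reports how large the guess space is for a forged reply. The capture format it parses, the sample lines, and the assumed ephemeral range of 1024 to 65535 are all constructed for the example.

```python
"""Assess whether a DNS resolver randomizes the source port of its outgoing
queries, which is the mitigation the Kaminsky-era patches introduced.

Input: (source_port, txid) pairs from the resolver's outbound queries, e.g.
taken from a packet capture or from a test authoritative server you control.
Every sample below is constructed inline for illustration, not captured data.
"""
import math
import random
import re

TXID_SPACE = 1 << 16            # DNS transaction ID is 16 bits
EPHEMERAL_PORTS = 65536 - 1024  # assumed unprivileged port range 1024-65535
MIN_SAMPLES = 10                # too few queries give a meaningless verdict

# Constructed capture format (assumption): "<src_ip>:<port> > <dst_ip>:53 id <txid>"
_LINE = re.compile(r"^\S+:(\d+) > \S+:53 id (\d+)$")


def parse_capture(text):
    """Extract (source_port, txid) pairs from constructed capture lines."""
    pairs = []
    for line in text.strip().splitlines():
        m = _LINE.match(line.strip())
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def assess_port_randomization(samples):
    """Classify the resolver's source-port behaviour and size the guess space."""
    if len(samples) < MIN_SAMPLES:
        raise ValueError(f"need at least {MIN_SAMPLES} queries, got {len(samples)}")
    ports = [p for p, _ in samples]
    distinct = len(set(ports))
    if distinct == 1:
        verdict = "fixed"          # pre-patch behaviour: one port for every query
    else:
        # Sequential allocation: every consecutive query differs by the same step,
        # so an observer can predict the next port as easily as a fixed one.
        steps = {b - a for a, b in zip(ports, ports[1:])}
        verdict = "sequential" if len(steps) == 1 else "randomized"
    # A forged reply must match both port and TXID. With a predictable port the
    # port contributes nothing; with randomization it multiplies the TXID space.
    effective_ports = EPHEMERAL_PORTS if verdict == "randomized" else 1
    space = effective_ports * TXID_SPACE
    return {
        "verdict": verdict,
        "distinct_ports": distinct,
        "guess_space": space,
        "entropy_bits": round(math.log2(space), 1),
    }


def constructed_samples(kind, n=50, seed=7):
    """Generate synthetic (port, txid) pairs for the three behaviours."""
    rng = random.Random(seed)
    if kind == "fixed":
        return [(53, rng.randrange(TXID_SPACE)) for _ in range(n)]
    if kind == "sequential":
        return [(40000 + i, rng.randrange(TXID_SPACE)) for i in range(n)]
    return [(rng.randrange(1024, 65536), rng.randrange(TXID_SPACE)) for _ in range(n)]


def constructed_capture(kind, n=50):
    """Render constructed samples in the capture format parse_capture reads."""
    return "\n".join(f"192.0.2.10:{p} > 198.51.100.5:53 id {t}"
                     for p, t in constructed_samples(kind, n))


if __name__ == "__main__":
    for kind in ("fixed", "sequential", "randomized"):
        result = assess_port_randomization(parse_capture(constructed_capture(kind)))
        print(f"{kind:11s} -> {result}")
```

Read the entropy figure as the attacker's work factor per poisoning window: roughly 16 bits when only the transaction ID varies, roughly 32 bits once the source port is random as well. Sample the queries on the Internet-facing side of the resolver; a NAT device in front of it can rewrite source ports and silently undo the randomization the patch added.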

If you are a phishing target, your customers are vulnerable to this exploit if the ISP they rely on for DNS has not patched its servers.  Internet Identity recommends that you determine which ISPs are used by your customers, and that you urge those ISPs to implement the appropriate patches immediately.  You should also make sure your own corporate networks' DNS servers (and any upstream servers they rely on) are patched so attackers cannot redirect your employees to phishing, malware or other sites where they could have their computers or credentials compromised.