August 4, 2008
By Robert McMillan

Nearly a month after a critical flaw in the Internet's Domain Name System was first reported, vendors of some of the most widely used firewall software packages are scrambling to fix a problem that can essentially undo portions of the patches that address this bug.

The DNS flaw affects server software made by many vendors, including Microsoft, Cisco Systems, and the Internet Systems Consortium. Some firewall software undoes a source port randomization feature that was introduced in the DNS patches. While this change doesn't completely negate the DNS patch, it could make it easier for attackers to pull off a cache-poisoning attack against the DNS server, security experts say.

This could lead to virtually undetectable phishing attacks against users of those DNS servers. Firewalls that do IP address translation -- converting the IP addresses used by computers on their internal networks to different IP addresses that are used by the other computers on the Internet -- can sometimes undo the source port randomization, security experts say.

The scope of the problem initially took some DNS experts by surprise, said Dan Kaminsky, the IOActive researcher who first discovered the DNS bug. "This is to some degree our fault," he said in an e-mail interview. "We underestimated the number of firewalls out there that were deployed in front of DNS servers." "Cisco, Juniper, Citrix and a number of other firewall vendors have been absolutely scrambling to update their equipment," he added.