One of the companies most at risk from the notorious DNS cache poisoning vulnerability has overhauled security in the latest release of its DNS server software in what looks like a major code rethink.
Nominum, which supplies a decent chunk of the global market for such servers, said it has just finished rolling out a major security upgrade to its Vantio caching DNS server platform, introducing a range of new security "layers" beyond the basic Source Port Randomisation (UDP SPR) fix suggested when the flaw was announced in early July by IOActive researcher Dan Kaminsky.
The latest release of Vantio now features a swathe of security features that weren't there before, including the ability to block poisoning attacks against valuable domains, enhanced query-response spoofing defences, which switch DNS resolution to a secure back-channel when an attack is detected, and a new Query Response Screening system to weed out DNS poisoning attempts that use fake requests.
The server also now logs where attacks originate - in contrast to the Internet generally, it is very hard to hide from DNS servers - and alerts an ISP or network if attacks have been detected.
Importantly, Nominum has also come up with a fix for the potentially major issue of using Network Address Translation (NAT) in front of an otherwise patched DNS server. NAT performed by firewalls and load balancers assigns outbound UDP ports sequentially, overwriting the resolver's randomised source ports and rendering the port randomisation defence useless.
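To check for the NAT problem described above on a real deployment, here is an added Python example (not Nominum's or Vantio's code) that parses tcpdump-style lines captured on either side of the NAT and reports whether the queries' source ports still look randomised; the capture lines, addresses and ports are constructed.

```python
"""Check whether a resolver's outbound queries still carry randomised source
ports after NAT.  Added example (not Nominum's code); sample lines constructed."""
import math
import re
from collections import Counter

# Source port of a UDP query to port 53 in a tcpdump-style line.
_QUERY = re.compile(r"IP (?:\d{1,3}\.){3}\d{1,3}\.(\d+) > (?:\d{1,3}\.){3}\d{1,3}\.53:")

def parse_source_ports(lines):
    """Extract the UDP source port of every outbound query to port 53."""
    return [int(m.group(1)) for m in map(_QUERY.search, lines) if m]

def port_entropy_bits(ports):
    """Shannon entropy of the observed source-port distribution, in bits."""
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())

def sequential_fraction(ports):
    """Share of consecutive queries whose port grew by exactly one (mod 2^16)."""
    if len(ports) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(ports, ports[1:]) if (b - a) % 65536 == 1)
    return hits / (len(ports) - 1)

def assess(ports, seq_threshold=0.5):
    """Classify the port pattern seen on the wire."""
    if not ports:
        return "no queries"
    if len(set(ports)) == 1:
        return "fixed port"     # unpatched resolver, or a static NAT mapping
    if sequential_fraction(ports) >= seq_threshold:
        return "sequential"     # NAT rewrites ports in order: SPR defeated
    return "randomised"

# Constructed capture of one resolver: inside the NAT the ports are random,
# outside it the NAT has rewritten them to a sequential run.
INSIDE_NAT = [f"IP 192.0.2.10.{p} > 198.51.100.1.53: 4242+ A? example.net. (29)"
              for p in (48213, 61077, 52930, 33504, 59811, 41275, 64002, 35619)]
OUTSIDE_NAT = [f"IP 203.0.113.7.{p} > 198.51.100.1.53: 4242+ A? example.net. (29)"
               for p in range(40000, 40008)]

if __name__ == "__main__":
    for label, lines in (("inside NAT", INSIDE_NAT), ("outside NAT", OUTSIDE_NAT)):
        ports = parse_source_ports(lines)
        print(f"{label}: {assess(ports)}, entropy {port_entropy_bits(ports):.2f} bits,"
              f" sequential {sequential_fraction(ports):.2f}")
```

Capturing on the NAT's outside interface is the view an attacker would have; a "sequential" verdict there means the SPR patch on the resolver is not reaching the Internet.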