CableOne & DNS Cache Poisoning

30 Jul 2008
Posted by ejhildreth

Yesterday, I posted a tweet (http://twitter.com/ejhildreth/statuses/871831244) encouraging people who use CableOne as their Internet Service Provider (ISP) to run the free test at http://doxpara.com. Doxpara.com provides a Domain Name System (DNS) tool that checks whether your ISP's servers appear to be vulnerable to DNS Cache Poisoning (a flaw that lets somebody impersonate any website). The test was created because there is an exploit out in the wild and *most* ISPs were still scrambling to get the hole patched.

Even though the likelihood of an attack on my home network was low, I didn't want to take any chances. I immediately switched my home router over to the DNS servers used by OpenDNS (http://www.opendns.com) because they were reporting that they had patched the vulnerability on their systems. Also, I went ahead and tried to contact CableOne to see when they were planning on patching the hole. Since this was a low priority for me, I simply sent CableOne an email to their tech support asking this question:

"According to the test at doxpara.com, the DNS server that my account is connected to appears to be vulnerable to DNS Cache Poisoning. Is CableOne working on patching this hole?"

The response I got was ludicrous:

"There does not appear to be any disruption in service with our DNS system. Please point your browser to the following link for further information regarding your question or issue: http://support.microsoft.com/kb/951748"

Okay, the first point is true: their DNS system is indeed working (which, incidentally, I never said it wasn't). However, the problem is that if they haven't patched the DNS server, it is working incorrectly. Writing secure code has its difficulties and, as a result, bugs in software are a common occurrence. The thing is, once these bugs are found and patched, there tends to be a window of opportunity between when malicious software writers try to exploit the known vulnerability and the time it takes for people to patch their systems. As a CableOne customer, I just wanted to know (a) whether they were aware of this and (b) when they were going to fix it.

The second part points me to a Microsoft Knowledge Base article discussing the DNS Cache Poisoning issue and how Microsoft has patches out there for it. As many people know, Microsoft releases its updates on the second Tuesday of every month (Patch Tuesday), and this knowledge base article goes into the details of the fix. Here's the kicker: I AM RUNNING KUBUNTU LINUX! THESE PATCHES DO NOT HELP ME FIX YOUR SERVER! It is not a flaw on my system; it appears to be on the DNS server that CableOne manages (assuming that the doxpara.com test is accurate). Also, CableOne, is it a good idea to let people know that the thing you think fixed your DNS tells everybody that you are potentially running a Windows Server 2003 or a Windows Server 2000 box?

Sigh! CableOne, your "it's not us, it's you" approach saddens me. All I really wanted was to have a good, open dialog that answered my concerns.