abilard ([info]abilard) wrote,
@ 2008-07-26 07:50:00
Cache Poisoning

A few weeks ago the U.S. government posted a warning about a DNS vulnerability:

Multiple DNS Implementations Vulnerable to Cache Poisoning

The vulnerability only affects caching and stub resolvers, which means that if your DNS servers just serve up zone files for the domains you control and nothing else, then those servers are effectively immune.  Unfortunately, it also means that you personally are only as protected as the network providing your Internet connection.

As I understand it, the exploit uses delegation to cause DNS to misdirect users to predatory sites.  Basically, a request is made for some domain.  The name servers responsible for that domain then reply that the authority for the domain has been delegated to, say, YourBank.com and that YourBank.com is located at such-and-such address.  Only... guess what?  The site at the address isn't really Bank of America or Wells Fargo, but is instead a phishing site.  The bad address is now stored in the DNS and, to save network load, from then on instead of looking for your bank's real address the name server will just send users to the phishing site.

So, because this is the result of bad design in the DNS protocol, it looks like the vulnerability can only be minimized, not eliminated.  One of the creators of the BIND DNS, Paul Vixie, seems to be grasping at the hope that the entire Internet could be moved to Secure DNS (AKA DNSSEC) in something short of the 22nd century.  Failing this, the only approach I have seen mentioned is to upgrade one's DNS server to allow port randomization, making exploitation of this vulnerability impractical.

The problem with this approach is that most DNS servers sit behind little combinations of hardware and software called firewalls, and these firewalls like to control things like ports since that is, you know, their purpose.  I presume that for this to work, the DNS server in question would need to either sit outside the firewall, or a swath of UDP ports would need to be opened to support the randomization.  The DNS servers providing zones would also, I assume, have to have the same ports open.  However, I am unable to find any mention on the ISC web site of what the port range might be.

The person who discovered the vulnerability, Dan Kaminsky, has posted a tool on his blog for detecting whether the DNS server you are currently using is vulnerable.
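As an added example (not part of the original post, and not Kaminsky's tool), here is the same kind of check done offline: it reads captured tcpdump-style lines of a resolver's outbound queries, reports whether the resolver's source port is fixed or varies, and shows how much that changes the (txid, port) space a forged reply has to match. The log lines, addresses and the assumed 1024-65535 randomization range are all constructed for illustration.

```python
import re

# Constructed tcpdump-style lines of a resolver's outbound queries
# (src_ip.src_port > auth_ip.53: txid ...); not real traffic.
FIXED_PORT_LOG = """\
10.0.0.5.53 > 192.0.2.1.53: 41231+ A? example.com. (29)
10.0.0.5.53 > 192.0.2.1.53: 9917+ A? example.net. (29)
10.0.0.5.53 > 192.0.2.1.53: 22830+ A? example.org. (29)
10.0.0.5.53 > 192.0.2.1.53: 60104+ MX? example.com. (30)
"""
RANDOM_PORT_LOG = """\
10.0.0.5.50871 > 192.0.2.1.53: 41231+ A? example.com. (29)
10.0.0.5.33402 > 192.0.2.1.53: 9917+ A? example.net. (29)
10.0.0.5.61977 > 192.0.2.1.53: 22830+ A? example.org. (29)
10.0.0.5.12050 > 192.0.2.1.53: 60104+ MX? example.com. (30)
"""

QUERY_LINE = re.compile(r"^\S+\.(\d+) > \S+\.53: (\d+)\+")
TXID_SPACE = 1 << 16                 # DNS transaction id is 16 bits
EPHEMERAL_PORTS = 65535 - 1024 + 1   # assumed randomization range 1024-65535

def parse_queries(log):
    """Return (source_port, txid) pairs for each line that looks like a query."""
    pairs = []
    for line in log.splitlines():
        m = QUERY_LINE.match(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs

def assess(log, min_samples=4):
    """Classify a resolver's source-port behaviour from its outbound queries."""
    queries = parse_queries(log)
    ports = {port for port, _ in queries}
    if len(queries) < min_samples:
        verdict = "insufficient sample"
    elif len(ports) == 1:
        verdict = "fixed source port: only the 16-bit txid protects replies"
    else:
        verdict = "source port varies: randomization appears enabled"
    # A forged reply must match both txid and destination port; with a fixed
    # port only the txid is unknown, otherwise the ephemeral range adds to it.
    port_space = EPHEMERAL_PORTS if len(ports) > 1 else 1
    return {"queries": len(queries), "distinct_ports": len(ports),
            "guess_space": TXID_SPACE * port_space, "verdict": verdict}
```

Run `assess()` over a capture of your own resolver's queries (a few dozen lines give a far better sample than four) to see which case it falls into.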

I'm debating the merits of installing BIND on my MacBook Pro.  If everyone did this, it would have the same Internet-crashing effects as turning off caching.  I suppose I can just use Kaminsky's test when I travel next week and, if a problem is detected, not use that network's DNS.  Thoughts?
