Millions Linksys and Netgear other routers and IoT devices are vulnerable to DNS poisoning

Still using a Netgear R7000 Nighthawk, it's running Xwrt-Vortex.
The S in the IoT stands for security. Sarcasm aside, hope that a patch will be released soon.
I manually configure DNS on my network adapters. Only needs to be done once.
Mufflore:

I manually configure DNS on my network adapters. Only needs to be done once.
Yeah, on everything myself I have DNS set up to 1.1.1.1!
Mufflore:

I manually configure DNS on my network adapters. Only needs to be done once.
Venix:

Yeah, on everything myself I have DNS set up to 1.1.1.1!
I just read the CVE and some additional articles about it. Turns out static DNS addresses won't help here. Even if you have a static IP address on all of your devices, the DNS requests must still traverse your router and proceed to whatever destination you have set. Any infected device between the client and the DNS server can attempt to respond with a malicious DNS response while masquerading as the correct DNS server. DNS is a well-known protocol and is not encrypted. Here's another interesting bit about DNS IP addresses. I know some ISPs and consumer routers (usually ISP rentals) have been known to replace the destination DNS IP address found in a packet with the "preferred" DNS IP address all done transparently to the user so you would never know, unless you have a packet sniffer sitting between the router and the ISP (which only catches the router's replacement and not the ISP's replacement). Destination DNS IP replacement is also very likely to happen with an infected router.
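To make the point above concrete, here is an added example (not code from this thread or from any vendor) of the only checks a plaintext stub resolver can apply to an answer: the transaction ID, the QR bit, the echoed question, and the answer owner names. A device sitting on the path sees every one of these fields in the outgoing query, so a forged reply can satisfy them all; the sample messages are constructed inline.

```python
import struct

def encode_name(name):
    # Wire-format name: length-prefixed labels terminated by a zero byte
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(msg, off):
    # Walk the labels, following RFC 1035 compression pointers (0xC0xx)
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            name, _ = decode_name(msg, ptr)
            return ".".join(labels + [name]), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln

def build_query(txid, name, qtype=1):
    # Header: ID, flags (RD only), QDCOUNT=1, then one question of class IN
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(txid, name, ip, qtype=1):
    # Constructed sample reply: echoes the question, then one A record whose name points to offset 12
    q = encode_name(name) + struct.pack("!HH", qtype, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + q + rr

def validate_response(query, resp):
    # Everything a plaintext client can verify: ID matches, QR set, same question, answers name that question
    qid, _, qd, *_ = struct.unpack("!HHHHHH", query[:12])
    rid, flags, rqd, an, *_ = struct.unpack("!HHHHHH", resp[:12])
    if qid != rid or not flags & 0x8000 or qd != 1 or rqd != 1:
        return False
    qname, off = decode_name(query, 12)
    qtype_cls = query[off:off + 4]
    rname, roff = decode_name(resp, 12)
    if (rname.lower(), resp[roff:roff + 4]) != (qname.lower(), qtype_cls):
        return False
    off = roff + 4
    for _ in range(an):
        aname, off = decode_name(resp, off)
        if aname.lower() != qname.lower():
            return False
        rdlen = struct.unpack("!H", resp[off + 8:off + 10])[0]
        off += 10 + rdlen
    return True
```

Because these checks depend only on values visible in the cleartext query, protecting the answer itself needs DNSSEC validation or an encrypted transport such as DoT/DoH rather than a different resolver address.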
Ub3rslay3r:

I just read the CVE and some additional articles about it. Turns out static DNS addresses won't help here. Even if you have a static IP address on all of your devices, the DNS requests must still traverse your router and proceed to whatever destination you have set. Any infected device between the client and the DNS server can attempt to respond with a malicious DNS response while masquerading as the correct DNS server. DNS is a well-known protocol and is not encrypted. Here's another interesting bit about DNS IP addresses. I know some ISPs and consumer routers (usually ISP rentals) have been known to replace the destination DNS IP address found in a packet with the "preferred" DNS IP address all done transparently to the user so you would never know, unless you have a packet sniffer sitting between the router and the ISP (which only catches the router's replacement and not the ISP's replacement). Destination DNS IP replacement is also very likely to happen with an infected router.
I see, that seems like a major headache. Thanks for the info!
So, if one really isn't a network enthusiast/pro, how does one protect things from this? Asking for a friend.
AuerX:

So, if one really isn't a network enthusiast/pro, how does one protect things from this? Asking for a friend.
Hope you haven't got vulnerable equipment. Info on what's affected hasn't been released yet.
AuerX:

So, if one really isn't a network enthusiast/pro, how does one protect things from this? Asking for a friend.
Basically what Mufflore said. Also, make sure your devices use the firewalls built into them whenever possible. Thankfully, most reputable manufacturers will update the firmware on their devices to patch issues like this fairly quickly, so also be sure to watch for firmware updates. If you want to keep an eye on the list of vulnerable devices as it's updated, check this when you can: https://www.kb.cert.org/vuls/id/473698 If you really want to go for it, you can set up your own DNS server, and ensure it doesn't use the affected libraries, but that opens up a lot of other possible issues and vulnerabilities, so I don't recommend it for individuals.