DNS hole doesn't go unnoticed

Inventor of DNS architecture says the time to act is now.

A software patch released by Microsoft to plug a hole in the Domain Name System protocol was just one of nine security fixes the company issued last week. And like the others, the DNS patch got only an "important" severity rating, one step below Microsoft's top rating of "critical."

But that belies the amount of attention that the DNS vulnerability is attracting. The discovery of the cache-poisoning flaw earlier this year prompted a rare synchronized patching effort involving Microsoft, Cisco Systems and other vendors. And the disclosure of the vulnerability last week was accompanied by a chorus of calls for IT managers to patch or upgrade their DNS servers -- pronto.

For instance, Paul Mockapetris, who invented the DNS architecture for directing traffic on the Internet, said the time to act is now, before exploits of the flaw become widely available. "The clock is ticking," said Mockapetris, who is chairman and chief scientist at Nominum Inc. -- a name server vendor that was among the companies issuing fixes for the flaw.

The urgency is being fueled by the fact that the vulnerability is a fundamental design flaw in the DNS protocol. In addition, Dan Kaminsky, the researcher at security services firm IOActive who found the cache-poisoning problem , plans to detail it at the Black Hat USA 2008 security conference next month.

David Jordan, chief information security officer for the Arlington County government in Virginia, wouldn't specify what measures the county took after learning of the DNS flaw from an alert issued by the US Computer Emergency Readiness Team. But he said that patches deemed to be critical get treated as such by the county's IT staff.

"They go to the front of the queue," Jordan said, adding that the county "significantly" increases its network monitoring until such patches are put in place.

Kaminsky said that virtually every domain name server resolving IP addresses on the Internet is vulnerable to the DNS flaw, which could enable attackers to redirect Web traffic and e-mails to systems they control.

The US-CERT advisory listed more than 80 vendors whose products might be affected. A few have since reported that their software isn't vulnerable to the flaw, but companies such as Red Hat and Sun Microsystems joined Microsoft and Cisco in issuing fixes.

Both Red Hat and Sun distribute the Berkeley Internet Name Domain technology, a widely used DNS implementation developed by Internet Systems Consortium Inc. ISC released patches for several versions of BIND and urged users of older releases to upgrade their systems.

The type of flaw Kaminsky found isn't new; several other security researchers had previously discovered similar cache-poisoning vulnerabilities in the DNS, according to the US-CERT advisory. Attackers can exploit such flaws to determine the numerical identifiers randomly assigned to DNS packets; doing so gives them a chance to inject forged code and spoof DNS traffic.

But the new vulnerability Kaminsky found is so serious because it appears to offer a far more effective means of guessing packet identifiers than any flaws found earlier. "Someone using this technique can poison a caching server in about 10 to 20 minutes," Mockapetris said.

Joao Damas, a senior program manager at ISC, said the patches that vendors are issuing are designed to add more randomness to the process of assigning the identifiers to packets, in order to make it harder to guess the numbers. "Increasing forgery resilience is the way we are trying to do this," Damas said.

The patches are also being crafted to minimize the chances that attackers could reverse-engineer them, Kaminsky said. But he predicted that exploits of the flaw will still be developed.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?