DNS hole doesn't go unnoticed

Inventor of DNS architecture says the time to act is now.

A software patch released by Microsoft to plug a hole in the Domain Name System protocol was just one of nine security fixes the company issued last week. And like the others, the DNS patch got only an "important" severity rating, one step below Microsoft's top rating of "critical."

But that belies the amount of attention that the DNS vulnerability is attracting. The discovery of the cache-poisoning flaw earlier this year prompted a rare synchronized patching effort involving Microsoft, Cisco Systems and other vendors. And the disclosure of the vulnerability last week was accompanied by a chorus of calls for IT managers to patch or upgrade their DNS servers -- pronto.

For instance, Paul Mockapetris, who invented the DNS architecture for directing traffic on the Internet, said the time to act is now, before exploits of the flaw become widely available. "The clock is ticking," said Mockapetris, who is chairman and chief scientist at Nominum Inc. -- a name server vendor that was among the companies issuing fixes for the flaw.

The urgency is being fueled by the fact that the vulnerability is a fundamental design flaw in the DNS protocol. In addition, Dan Kaminsky, the researcher at security services firm IOActive who found the cache-poisoning problem, plans to detail it at the Black Hat USA 2008 security conference next month.

David Jordan, chief information security officer for the Arlington County government in Virginia, wouldn't specify what measures the county took after learning of the DNS flaw from an alert issued by the US Computer Emergency Readiness Team. But he said that patches deemed to be critical get treated as such by the county's IT staff.

"They go to the front of the queue," Jordan said, adding that the county "significantly" increases its network monitoring until such patches are put in place.

Kaminsky said that virtually every domain name server resolving IP addresses on the Internet is vulnerable to the DNS flaw, which could enable attackers to redirect Web traffic and e-mails to systems they control.

The US-CERT advisory listed more than 80 vendors whose products might be affected. A few have since reported that their software isn't vulnerable to the flaw, but companies such as Red Hat and Sun Microsystems joined Microsoft and Cisco in issuing fixes.

Both Red Hat and Sun distribute the Berkeley Internet Name Domain technology, a widely used DNS implementation developed by Internet Systems Consortium Inc. ISC released patches for several versions of BIND and urged users of older releases to upgrade their systems.

The type of flaw Kaminsky found isn't new; several other security researchers had previously discovered similar cache-poisoning vulnerabilities in the DNS, according to the US-CERT advisory. Attackers can exploit such flaws to determine the numerical identifiers randomly assigned to DNS packets; doing so gives them a chance to inject forged code and spoof DNS traffic.

But the new vulnerability Kaminsky found is so serious because it appears to offer a far more effective means of guessing packet identifiers than any flaws found earlier. "Someone using this technique can poison a caching server in about 10 to 20 minutes," Mockapetris said.

Joao Damas, a senior program manager at ISC, said the patches that vendors are issuing are designed to add more randomness to the process of assigning the identifiers to packets, in order to make it harder to guess the numbers. "Increasing forgery resilience is the way we are trying to do this," Damas said.
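Whether a resolver actually has the added randomness Damas describes can be checked from the values it puts on its own outbound queries. The Python below is an added example, not code from the article or from any vendor; it assumes the two values a forged reply must match are the 16-bit transaction ID and the UDP source port, and the sample queries, function names and the `NARROW_STDEV` cutoff are constructed for illustration.

```python
import statistics

# Assumed cutoff (not from the article): a field whose population standard
# deviation over the sample falls below this is treated as a narrow pool.
NARROW_STDEV = 3000

def assess(values):
    """Rate one 16-bit field (UDP source port or DNS transaction ID)
    taken from consecutive outbound queries of a single resolver."""
    if len(set(values)) == 1:
        return "fixed"
    steps = {(b - a) % 65536 for a, b in zip(values, values[1:])}
    if len(steps) == 1:
        return "sequential"  # constant stride, including wrap-around
    if statistics.pstdev(values) < NARROW_STDEV:
        return "narrow"
    return "spread"

def guess_space_bits(queries):
    """Upper bound on the bits a forged reply has to match by guessing:
    16 for each field that looks unpredictable, 0 for a predictable one."""
    ports = [port for port, _ in queries]
    txids = [txid for _, txid in queries]
    return sum(16 for field in (ports, txids) if assess(field) == "spread")

# Constructed sample data: (source port, transaction ID) per outbound query,
# as they would be seen at an authoritative server the resolver queries.
TXIDS = [40213, 1175, 58890, 22761, 9034, 63502,
         31177, 47620, 15298, 52044, 3861, 28419]
PORTS = [51234, 10877, 33902, 60011, 2749, 45120,
         18366, 57003, 8121, 39480, 26655, 62990]
UNPATCHED = [(32768, txid) for txid in TXIDS]  # one port reused for every query
PATCHED = list(zip(PORTS, TXIDS))              # port varies per query

if __name__ == "__main__":
    for name, queries in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        ports = assess([p for p, _ in queries])
        txids = assess([t for _, t in queries])
        bits = guess_space_bits(queries)
        print(f"{name}: ports={ports} txids={txids} guess space <= 2^{bits}")
```

A resolver that reports `fixed`, `sequential` or `narrow` for either field after patching is worth a second look, including at any NAT device in front of it that may be rewriting source ports.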

The patches are also being crafted to minimize the chances that attackers could reverse-engineer them, Kaminsky said. But he predicted that exploits of the flaw will still be developed.

Jaikumar Vijayan
