DNS flaw discoverer says more permanent fixes will be needed

IT managers should expect more security fixes over the coming months.

The security researcher who recently discovered a heretofore unknown flaw in the Internet's core Domain Name System (DNS) protocol warned IT managers on Thursday to expect more security fixes aimed at mitigating the issue over the coming months.

At a press conference this morning, Dan Kaminsky, a researcher at security firm IOActive Inc., said that the patches recently issued by multiple vendors in response to his bug discovery are at best a stopgap measure aimed at preventing immediate attacks on the DNS infrastructure.

But Kaminsky plans to disclose details of the bug at the upcoming Black Hat security conference, and with more researchers likely to try and exploit it, there is going to be a need for a more permanent fix.

"There is going to be another round of patches coming online as we as a global community figure out how to address this," Kaminsky said. The current set of security updates that were released a few days ago were designed to make it harder for the bug to be exploited, while also ensuring that would-be attackers wouldn't be able to discover what the flaw is by reverse-engineering the patches.

The stopgap patch was appropriate in its time. "We needed to find a way to stop the bleeding while we figured out what to do here. This fix gets us out of the emergency zone," Kaminsky said, speaking with Computerworld after this morning's press conference. "I think there will be discussions after the bug is disclosed for more comprehensive mechanisms for addressing this class of flaw." He added that he was however unable to discuss what exactly the next generation patches would do, until details of the bug were publicly disclosed.

He noted that the patches that have been released appear to be working, since no one has exploited the vulnerability yet despite the unprecedented attention focused on it. However, he said, "there are people who have gotten really, really close," who have been asked not to disclose their research publicly until he reveals the full details at Black Hat.

One vuln to rule them all

News of the DNS protocol flaw, which was discovered earlier this year by Kaminsky, was made public about 10 days ago in a rare synchronized security update from numerous organization including Microsoft, Cisco Systems, and the US Computer Emergency Readiness Team (US-CERT). The flaw has received widespread attention both because of its apparent seriousness and the fact that it affects virtually every single domain name server that resolves IP addresses on the Internet.

DNS servers are responsible for routing all Internet traffic to their correct destinations. The so-called cache poisoning vulnerability that Kaminsky discovered could allow attackers to redirect Web traffic and e-mails to systems under their control, according security researches. The flaw exists at the DNS protocol level and affects numerous products from multiple vendors.

According to Kaminsky, a weakness exists in a transaction identification process that the DNS protocol uses to determine whether responses to DNS queries are legitimate or not. DNS messages include what are supposed to be random identification numbers, but the problem, according to Kaminsky, is that only about 65,000 different values are currently being used as identifiers. And in reality, the process of assigning the identifiers to packets isn't especially random and can be guessed, he said.

An advisory issued by the US-CERT said the flaw could make domain name servers vulnerable to attacks in which forged data is introduced into the systems. Such attacks aren't new in concept, the advisory said, noting that several security researchers in the past have described cache-poisoning vulnerabilities similar to the one discovered by Kaminsky. Such vulnerabilities basically give attackers a way to predictably spoof DNS traffic along with "extremely effective exploitation techniques," the US-CERT advisory said.

The patches issued by the various vendors employ a so-called "port randomization" technique that is designed to make it much harder by many magnitudes for anyone to guess at DNS message IDs so as to be able to spoof the messages.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?