Kaminsky flaw prompts DNS server overhaul

The server now logs where attacks originate

One of the companies most at risk from the notorious DNS cache poisoning vulnerability has overhauled security in the latest release of its DNS server software in what looks like a major code rethink.

Nominum, which supplies a decent chunk of the global market for such servers, said it has just finished rolling out a major security upgrade to its server platform, the Vantio caching DNS server, and has introduced a range of new security "layers" beyond the basic UDP Source Port Randomization (SPR) fix recommended when the flaw was announced in early July by IOActive researcher Dan Kaminsky.

The latest release of Vantio now features a swathe of security features that weren't there before, including the ability to block poisoning attacks against valuable domains, enhanced query response spoofing defenses that switch DNS resolution to a secure back-channel if an attack is detected, and a new Query Response Screening system to weed out DNS poisoning attempts that rely on forged answers to fake requests.

The server also now logs where attacks originate - the forged answers themselves carry spoofed source addresses, but the flood of client queries needed to trigger the vulnerable lookups arrives from real addresses that a resolver can record - and alerts an ISP or network if attacks have been detected.

Importantly, Nominum has also come up with a fix for the potentially major issue of running an otherwise patched DNS server behind Network Address Translation (NAT). Many firewall and load-balancing NATs rewrite the outbound UDP source port, often assigning ports sequentially, which strips out the randomness and would have rendered the port randomization defense useless.

Given that the official defense against the cache poisoning flaw has been UDP source port randomization, the Nominum overhaul comes in the nick of time. SPR was always seen as insufficient to keep out attackers indefinitely, although it had been implemented as an interim step: it adds roughly 16 bits of entropy on top of the 16-bit transaction ID, which raises the cost of guessing but does not make guessing impossible.

The pessimism over SPR turned out to be accurate: Russian researcher Evgeniy Polyakov managed a proof-of-concept cache pollution attack in 10 hours, using equipment that bombarded a fully patched BIND DNS server with forged DNS responses.
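As an added illustration (this is not code from the article, from Nominum or from the Vantio product), the following Python models the race between real and forged answers described above, the attacker's trick of learning a resolver's outbound port from a query it can observe, and the cost difference between a fixed source port, a randomized port, and a randomized port that a sequential NAT has rewritten. The ephemeral port pool, the fixed port 53 for the unpatched case, the NAT counter and the "cover every transaction ID" attacker are assumptions of the model, not measurements of any real product.

```python
# Added example, not from the article or from Nominum's Vantio: a toy model of the
# Kaminsky race showing why UDP source port randomization (SPR) raises the attacker's
# cost, and why a NAT that rewrites source ports sequentially throws that gain away.
# The resolver, NAT and attacker below are simplifying assumptions for illustration.
import random

TXID_SPACE = 1 << 16                     # 16-bit DNS transaction ID
EPHEMERAL_PORTS = range(1024, 65536)     # assumed port pool a randomizing resolver draws from
FIXED_PORT = 53                          # assumed fixed source port of an unpatched resolver


class SequentialNat:
    """Firewall/load-balancer NAT that hands out outbound UDP source ports from a counter."""

    def __init__(self, start=30000):
        self.next_port = start

    def __call__(self, _inside_port):
        port = self.next_port
        self.next_port = port + 1 if port < 65535 else 1024   # wrap inside the ephemeral range
        return port


class Resolver:
    """Caching resolver model: each upstream query is identified by (txid, source port)."""

    def __init__(self, randomize_port, nat=None, seed=0):
        self.rng = random.Random(seed)
        self.randomize_port = randomize_port
        self.nat = nat                    # optional port-rewriting middlebox in front of us

    def send_query(self):
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_port else FIXED_PORT
        if self.nat is not None:
            port = self.nat(port)         # what the outside world (and the attacker) sees
        return txid, port


def attacker_port_guesses(resolver):
    """The attacker first makes the resolver look up a name served by the attacker's own
    authoritative server, so it observes the source port of that query. It then bets the
    next query reuses that port (fixed port) or takes the next one (sequential NAT)."""
    _, observed = resolver.send_query()
    following = observed + 1 if observed < 65535 else 1024
    return {observed, following}


def race(resolver, port_guesses):
    """One poisoning race: the resolver queries the real authoritative server while the
    attacker floods forged answers covering every TXID on each guessed port. The forgery
    wins if the real (txid, port) pair is covered, i.e. if the port was guessed right."""
    _txid, port = resolver.send_query()
    return port in port_guesses


def forged_packets_to_cover(randomize_port, sequential_nat):
    """Forged answers needed to guarantee a hit within one race window."""
    ports_to_cover = 1 if (not randomize_port or sequential_nat) else len(EPHEMERAL_PORTS)
    return TXID_SPACE * ports_to_cover


def scenarios():
    """Run the race for three configurations; returns {name: (forgery accepted, cost)}."""
    configs = {
        "unpatched (fixed port)":    (Resolver(randomize_port=False), (False, False)),
        "SPR, no NAT":               (Resolver(randomize_port=True), (True, False)),
        "SPR behind sequential NAT": (Resolver(randomize_port=True, nat=SequentialNat()), (True, True)),
    }
    results = {}
    for name, (resolver, cost_args) in configs.items():
        guesses = attacker_port_guesses(resolver)
        results[name] = (race(resolver, guesses), forged_packets_to_cover(*cost_args))
    return results


if __name__ == "__main__":
    for name, (hit, cost) in scenarios().items():
        print(f"{name:26s} forged answer accepted: {str(hit):5s} "
              f"packets to guarantee a hit: {cost:,}")
```

The fixed-port and sequential-NAT cases fall to the same single race because the attacker only has to cover the 65,536 transaction IDs on one known port; with genuine randomization the guaranteed cost grows by the size of the port pool, which is the gap Polyakov closed with hours of brute force rather than a single race.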

Just as the Kaminsky flaw has turned out to be no ordinary security scare, Nominum is no run-of-the-mill seller of Internet software. Chaired since 2001 by noted DNS luminary Paul Mockapetris, the company is responsible for resolving the domain requests of an estimated 120 million Internet subscribers to the real IP numbers that underlie them.

Along with a number of other large software outfits, Nominum was also a key player in efforts by the industry and Kaminsky to resolve the flaw during the months it was kept under wraps. The vulnerability was eventually made public by Kaminsky in July, with a follow-up presentation by him at Black Hat in early August in which he gave the company a prominent name check.

Despite being a relatively obscure part of the Internet's inner workings, DNS server issues have in fact arrived in a steady stream in recent years. These have been restricted in the main to problems in products from individual vendors, however. Finding a serious flaw in the protocol itself, one that affects the whole Internet DNS system regardless of vendor, will go down as Kaminsky's achievement.

John E. Dunn

Techworld