DNS remains vulnerable one year after Kaminsky bug

Cache poisoning attacks rise amid scramble to patch DNS servers, deploy security add-on

A year has passed since security researcher Dan Kaminsky disclosed a serious flaw in the DNS that makes it possible for hackers to launch cache poisoning attacks, where traffic is redirected from a legitimate Web site to a fake one without the Web site operator or end user knowing.

Kaminsky's disclosure was a wake-up call to network vendors and ISPs about the inherent weaknesses in DNS, the foundational Internet standard that matches IP addresses with domain names.

The hype around Kaminsky's discovery also gave a much-needed boost to DNS Security Extensions (DNSSEC), an add-on security mechanism that had been languishing due to a lack of demand by network managers.

Kaminsky "helped raise awareness of the DNS vulnerability but also of Internet security in general and how dependent we are on protocols that don't have security built in," says Scott Rose, a computer scientist with the National Institutes of Standards and Technology and an expert in DNS security.

"There was discussion always in the protocol community about the vulnerability of DNS and the need for DNSSEC deployment, but the issue did get a big boost from the outside" thanks to Kaminsky, Rose said. "He raised the issue of what can happen when you attack the DNS. It's not just about redirecting browsers but subverting e-mail. All the other attacks that Kaminsky outlined brought the issue to the forefront."

Experts say more has been done to bolster the security of the DNS in the past 12 months than in the previous decade, thanks to Kaminsky's discovery. Yet, the DNS remains as vulnerable as ever to cache poisoning attacks.

The Kaminsky bug "was a big deal for the Internet community at large," says Joe Gersch, Chief Operating Officer at Secure64, which sells DNS server software and automated tools for migrating to DNSSEC. Gersch was at the Black Hat conference last summer when Kaminsky detailed the DNS cache poisoning threat in front of a standing-room-only crowd.

"It took 20 minutes for Kaminsky to explain how it works, and then he went through case after case of how it could be exploited for another hour and a half," Gersch says. "He showed how once you own the DNS, you own everything. And he showed how insidious the flaw is so that you don't even know you've been compromised. Jaws were dropping."

Gersch says Kaminsky did more than raise awareness of the inherent lack of security in DNS. "It was a pretty big call to action, first for the patch and then for ... DNSSEC deployment," Gersch says.

Since then, most -- but not all -- network engineers have patched their DNS servers against the Kaminsky bug. Patching is what Kaminsky recommends as a short-term fix to this vulnerability.

The long-term fix for Kaminsky-style attacks is DNSSEC, which prevents cache poisoning attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.

The problem is that DNSSEC works best when it is fully deployed across the Internet: from the root zone at the top of the DNS heirarchy, to individual top-level domains such as .com and .net, down to individual domain names. Until that happens, Web sites remain vulnerable to Kaminsky-style attacks.

The Kaminsky flaw is "the prime driver for DNSSEC," says Rodney Joffe, senior vice president and senior technologist with NeuStar, which sells managed DNS services and an interim fix to cache poisoning attacks called Cache Defender. The problem, Joffe says, is that "we're still a year or more away from DNSSEC deployment."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags dns flawKaminsky

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Carolyn Duffy Marsan

Network World
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Cate Bacon

Aruba Instant On AP11D

The strength of the Aruba Instant On AP11D is that the design and feature set support the modern, flexible, and mobile way of working.

Dr Prabigya Shiwakoti

Aruba Instant On AP11D

Aruba backs the AP11D up with a two-year warranty and 24/7 phone support.

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?