DNS hole doesn't go unnoticed

Inventor of DNS architecture says the time to act is now.

A software patch released by Microsoft to plug a hole in the Domain Name System protocol was just one of nine security fixes the company issued last week. And like the others, the DNS patch got only an "important" severity rating, one step below Microsoft's top rating of "critical."

But that belies the amount of attention that the DNS vulnerability is attracting. The discovery of the cache-poisoning flaw earlier this year prompted a rare synchronized patching effort involving Microsoft, Cisco Systems and other vendors. And the disclosure of the vulnerability last week was accompanied by a chorus of calls for IT managers to patch or upgrade their DNS servers -- pronto.

For instance, Paul Mockapetris, who invented the DNS architecture for directing traffic on the Internet, said the time to act is now, before exploits of the flaw become widely available. "The clock is ticking," said Mockapetris, who is chairman and chief scientist at Nominum Inc. -- a name server vendor that was among the companies issuing fixes for the flaw.

The urgency is being fueled by the fact that the vulnerability is a fundamental design flaw in the DNS protocol. In addition, Dan Kaminsky, the researcher at security services firm IOActive who found the cache-poisoning problem, plans to detail it at the Black Hat USA 2008 security conference next month.

David Jordan, chief information security officer for the Arlington County government in Virginia, wouldn't specify what measures the county took after learning of the DNS flaw from an alert issued by the US Computer Emergency Readiness Team. But he said that patches deemed to be critical get treated as such by the county's IT staff.

"They go to the front of the queue," Jordan said, adding that the county "significantly" increases its network monitoring until such patches are put in place.

Kaminsky said that virtually every domain name server resolving IP addresses on the Internet is vulnerable to the DNS flaw, which could enable attackers to redirect Web traffic and e-mails to systems they control.

The US-CERT advisory listed more than 80 vendors whose products might be affected. A few have since reported that their software isn't vulnerable to the flaw, but companies such as Red Hat and Sun Microsystems joined Microsoft and Cisco in issuing fixes.

Both Red Hat and Sun distribute the Berkeley Internet Name Domain technology, a widely used DNS implementation developed by Internet Systems Consortium Inc. ISC released patches for several versions of BIND and urged users of older releases to upgrade their systems.

The type of flaw Kaminsky found isn't new; several other security researchers had previously discovered similar cache-poisoning vulnerabilities in DNS, according to the US-CERT advisory. Attackers can exploit such flaws to guess the numerical transaction identifiers randomly assigned to DNS packets; doing so gives them a chance to inject forged responses and spoof DNS traffic.

But the new vulnerability Kaminsky found is so serious because it appears to offer a far more effective means of guessing packet identifiers than any flaws found earlier. "Someone using this technique can poison a caching server in about 10 to 20 minutes," Mockapetris said.

Joao Damas, a senior program manager at ISC, said the patches that vendors are issuing are designed to add more randomness to the process of assigning the identifiers to packets, in order to make it harder to guess the numbers. "Increasing forgery resilience is the way we are trying to do this," Damas said.
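To make the "more randomness" point concrete, here is a small added example (not code from the article, ISC or any vendor) that models how a caching resolver decides whether a reply belongs to an outstanding query. The only secret a legacy resolver checks is the 16-bit transaction ID; the patched behaviour described by Damas adds an unpredictable UDP source port as a second secret. The functions below estimate the size of the resulting guess space and run a seeded simulation of random, mismatched replies against both configurations. The ephemeral port range (1024 to 65535) and the "legacy" fixed port of 53 are assumptions for illustration, not values taken from the article.

```python
import math
import random
from dataclasses import dataclass

# Assumed ephemeral port range for the randomized configuration (not from the article).
EPHEMERAL_PORTS = range(1024, 65536)
LEGACY_FIXED_PORT = 53          # assumed: an unpatched resolver always sends from one port
TXID_SPACE = 1 << 16            # DNS transaction IDs are 16 bits wide


@dataclass(frozen=True)
class OutstandingQuery:
    """What a resolver remembers about a query it has sent and is waiting on."""
    txid: int
    src_port: int
    qname: str


def issue_query(qname: str, randomize_port: bool, rng: random.Random) -> OutstandingQuery:
    """Pick the secrets a reply must reproduce to be accepted for this query."""
    txid = rng.randrange(TXID_SPACE)
    port = rng.choice(EPHEMERAL_PORTS) if randomize_port else LEGACY_FIXED_PORT
    return OutstandingQuery(txid, port, qname)


def accept_reply(q: OutstandingQuery, reply_txid: int, reply_dst_port: int, reply_qname: str) -> bool:
    """A reply is only matched to the query if every field the resolver tracks agrees.

    The destination port of the reply must equal the source port the query left from,
    the transaction ID must match, and the question section must be the one asked.
    """
    return reply_txid == q.txid and reply_dst_port == q.src_port and reply_qname == q.qname


def guess_space_bits(randomize_port: bool) -> float:
    """Entropy (in bits) an off-path forger has to match for a single reply to be accepted."""
    bits = math.log2(TXID_SPACE)
    if randomize_port:
        bits += math.log2(len(EPHEMERAL_PORTS))
    return bits


def single_forgery_probability(randomize_port: bool) -> float:
    """Chance that one uniformly random forged reply matches an outstanding query."""
    return 1.0 / (2 ** guess_space_bits(randomize_port))


def simulate(trials: int, randomize_port: bool, seed: int) -> int:
    """Count how many uniformly random (wrong-guess) replies a resolver would accept.

    Constructed simulation: the resolver issues one query per trial and receives one
    reply whose txid and port are drawn at random, i.e. a forgery with no knowledge
    of the real values. Returns the number of accepted replies.
    """
    rng = random.Random(seed)
    accepted = 0
    for _ in range(trials):
        q = issue_query("www.example.com.", randomize_port, rng)
        forged_txid = rng.randrange(TXID_SPACE)
        forged_port = rng.choice(EPHEMERAL_PORTS) if randomize_port else LEGACY_FIXED_PORT
        if accept_reply(q, forged_txid, forged_port, "www.example.com."):
            accepted += 1
    return accepted


if __name__ == "__main__":
    for randomized in (False, True):
        label = "txid + random port" if randomized else "txid only"
        print(f"{label:20s} guess space: {guess_space_bits(randomized):5.2f} bits, "
              f"p(single forgery) = {single_forgery_probability(randomized):.2e}, "
              f"accepted in 20000 random replies: {simulate(20000, randomized, seed=7)}")
```

The ratio of the two probabilities is the number of ports in the ephemeral range, which is why source port randomization turns a minutes-scale guessing exercise into one that is roughly 64 thousand times harder per query. Note that the question-section check in `accept_reply` is independent of the entropy argument: it stops a reply for one name being cached under another, but it does nothing against a forger who simply asks the right question.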

The patches are also being crafted to minimize the chances that attackers could reverse-engineer them, Kaminsky said. But he predicted that exploits of the flaw will still be developed.
