Posts Tagged DNSSEC
Making DNS More Secure — One ISP at a Time
Last July I wrote about a serious security flaw in the domain name system (DNS). It was discovered by researcher Dan Kaminsky and got a lot of coverage: It’s Tuesday — Must be Time to Fix DNS
There were two parts to the DNS vulnerability that quickly became known as the Kaminsky flaw. One was related to poor port number randomization, making it easier for criminal elements to hijack DNS queries and redirect them to fraudulent sites. That problem could be addressed with a software patch, and most of the coverage last year focused on the concerted efforts made by companies like Microsoft, Sun, Cisco and many others to distribute the patches.
But there was another part to the flaw that could not be patched, since it was fundamental to the DNS protocol itself. Internet consumers are still at risk of being redirected through something called cache poisoning, which fools a DNS server into thinking a fraudulent site is authentic. Until recently there was little public acknowledgement of this happening, because most companies are loath to discuss security breaches.
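As an added illustration of the first, patchable part of the flaw (example code written for this page, not from the original post or from any vendor named here): a check a resolver operator can run over a sample of outbound query lines in tcpdump's print format to see whether source ports and transaction IDs are actually being randomized. The two traffic samples are constructed, and the "sequential TXID" heuristic is an assumption about what an unpatched resolver tends to look like.

```python
import re
import math
from collections import Counter

# Constructed samples (not real captures): outbound queries from a recursive
# resolver as tcpdump prints them: "src.port > dst.53: txid+ A? name."
SAMPLE_PATCHED = """\
10.0.0.2.41122 > 192.0.2.1.53: 53177+ A? www.example.com.
10.0.0.2.60731 > 192.0.2.1.53: 1934+ A? mail.example.com.
10.0.0.2.23904 > 192.0.2.1.53: 44021+ A? ns1.example.com.
10.0.0.2.51208 > 192.0.2.1.53: 9108+ A? ftp.example.com.
10.0.0.2.33817 > 192.0.2.1.53: 62550+ A? shop.example.com.
"""

SAMPLE_UNPATCHED = """\
10.0.0.3.53 > 192.0.2.1.53: 53177+ A? www.example.com.
10.0.0.3.53 > 192.0.2.1.53: 53178+ A? mail.example.com.
10.0.0.3.53 > 192.0.2.1.53: 53179+ A? ns1.example.com.
10.0.0.3.53 > 192.0.2.1.53: 53180+ A? ftp.example.com.
10.0.0.3.53 > 192.0.2.1.53: 53181+ A? shop.example.com.
"""

LINE_RE = re.compile(r"^\S+\.(\d+) > \S+\.53: (\d+)\+")

def parse_queries(text):
    """Return (source_port, txid) tuples from tcpdump-style query lines."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((int(m.group(1)), int(m.group(2))))
    return out

def shannon_bits(values):
    """Empirical entropy, in bits, of an observed sequence of values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def assess_resolver(text):
    """Summarise how much guessing an off-path attacker would face."""
    qs = parse_queries(text)
    ports = [p for p, _ in qs]
    txids = [t for _, t in qs]
    # A counter that steps by one is a PRNG failure, not randomization.
    sequential_txid = all(b - a == 1 for a, b in zip(txids, txids[1:]))
    return {
        "queries": len(qs),
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": round(shannon_bits(ports), 2),
        "fixed_port": len(set(ports)) == 1,
        "sequential_txid": sequential_txid,
    }
```

On a real capture the patched case should show thousands of distinct ports over a long run; a single port or a counting TXID is the pattern the 2008 patches were meant to remove.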
But in April there was a major breach of the Brazilian ISP Virtua and one of its big customers, the Brazilian bank Bradesco. Here’s coverage of the incident from The Register.
Last week my client NeuStar announced Cache Defender, a way for ISPs to protect their customers from this fundamental Internet vulnerability. ISPs can deploy this solution to create a secure DNS link between their customers and the domains NeuStar is authoritative for, including some of the largest Internet brands such as Amazon, Advertising.com, Oracle and Zappos. Cache Defender is designed to be an interim solution until DNSSEC, a more secure version of DNS, can be implemented by the global Internet community.
Here’s some coverage of the announcement:
I’ve worked on DNS issues previously in my career, so this news was very exciting and fun to promote. If you’d like to know more, check out a discussion going on over at CircleID, a top online forum for Internet infrastructure discussions. Not surprisingly, some negative comments about Cache Defender are coming from NeuStar competitors. But the company already has one announced ISP deployment, with more in the works.
DNSSEC is no doubt the definitive answer, but probably won’t be widely deployed until 2011 for a number of technical and political reasons. Until then, Cache Defender is an excellent way for ISPs to show they are doing all they can to protect their customers.
June 22, 2009
Kaminsky “Officially” Reveals DNS Flaw at Black Hat
Dan Kaminsky has had quite a month. Early in July, it was announced that months earlier he had discovered a major security problem with DNS, the addressing system of the Internet. But he didn’t make the news public. Instead he worked for months behind the scenes with major technology providers so patches could be programmed and made available. http://cparente.wordpress.com/2008/07/09/its-tuesday-must-be-time-to-fix-dns/
He wanted to give companies a full month to implement steps to protect their recursive nameservers. Then he promised to reveal all during an address today at the Black Hat security conference in Las Vegas. http://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Kaminsky
But it didn’t quite work out that way. Details of the vulnerability leaked out on July 22nd, stealing some of Dan’s thunder. But from all reports the presentation was jam-packed, and Dan was shown the appreciation he deserved as he detailed the seriousness of the problem. Joe Menn of the LA Times:
He called the problem the worst discovered since 1997. The standing-room only crowd gave Kaminsky two ovations, in part for the technical significance of the find and in part for his handling of the crisis. Microsoft, Google, Yahoo, Facebook, MySpace, EBay and many Internet service providers have secured their machines.
“We got lucky with this bug,” Kaminsky said in his talk, saying other profound flaws are lurking that will be just as hard to resolve. “We have to have disaster-recovery planning. The 90-days-to-fix-it thing isn’t going to fly.” http://latimesblogs.latimes.com/technology/2008/08/internet-securi.html#comments
Interestingly, few of the articles on this problem ask the obvious question: what now? The patches greatly reduce the danger that this flaw could be used for DNS cache poisoning attacks, but they don’t eliminate it. Many are touting DNSSEC as the ultimate answer, but that is years away in a best-case scenario. Even after the final nameserver is patched against this latest threat, the issue of DNS security will remain critical. Too many things — cloud computing, SaaS, ecommerce, wireless NAC, VOIP — depend on reliable DNS for the status quo to continue. “Patched” isn’t good enough — DNS needs to be fixed.
August 6, 2008
HP and EDS — Hey, You, Come on to My Cloud
Lots of good reporting lately on the $13.9B purchase of EDS by HP. Many are saying it’s the clearest sign yet that cloud computing has fully arrived. Others say the purchase is more about buying market share and becoming the world’s #2 IT outsourcing company, behind IBM. Rob Hof of BusinessWeek has a really good roundup post with some different perspectives:
http://www.businessweek.com/the_thread/techbeat/archives/2008/05/is_hp-eds_deal.html
One question interesting to me is whether a giant company like HP/EDS can make the concept of cloud computing more palatable to the federal market. EDS is the 19th largest contractor to the federal government, with $2.4B worth of business in 2006. The combined company would seem well positioned for even more government work. Here’s Government Executive on the deal:
http://govexec.com/dailyfed/0508/051308bb1.htm?rss=getoday
Security isn’t mentioned in any of the above articles. That’s a good reason the government is cautious about outsourcing infrastructure over the cloud. At the foundation of Internet transport is the DNS system, a simple protocol that translates IP addresses into the shorter domain names familiar to us all like amazon.com and yahoo.com. It was not designed originally with security in mind, and needs to be “hardened” as more and more critical applications ride along above it.
Here’s an article from yesterday’s Government Computer News that makes this point very strongly. What is being described here is mandating that the government implement DNSSEC — Domain Name System Security Extensions — although the article doesn’t use the term. DNSSEC allows the digital signing of DNS responses for authenticity, in other words, ensuring the reply (IP address) is coming from the right server. This prevents spoofed return addresses and helps defend against DNS cache poisoning and Distributed Denial of Service (DDoS) attacks.
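To make the "signed for authenticity" idea concrete, here is an added example (not from the post or from any product mentioned on this page) of one link in the DNSSEC chain of trust: a parent zone publishes a DS record that is a SHA-256 digest of the child zone's DNSKEY, so a validator can check that the key it received is the one the parent vouches for. The key tag and digest follow RFC 4034 and RFC 4509; the DNSKEY used below is a constructed two-byte placeholder, not a real zone key.

```python
import base64
import hashlib

# Constructed placeholder "public key" (base64 of bytes 0x01 0x02); a real
# RSASHA256 (algorithm 8) key is far longer. Used only to exercise the code.
TOY_KSK_B64 = "AQI="

def name_to_wire(name):
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key."""
    return (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode(pubkey_b64))

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest_sha256(owner, rdata):
    """DS digest type 2: SHA-256(owner name in wire form || DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def ds_matches(owner, rdata, ds_key_tag, ds_digest_hex):
    """A parent DS vouches for a child DNSKEY only if tag and digest both match."""
    return (key_tag(rdata) == ds_key_tag
            and ds_digest_sha256(owner, rdata) == ds_digest_hex.lower())

def demo():
    """Build a KSK (flags 257) for example.com and the DS the parent would hold."""
    rdata = dnskey_rdata(257, 3, 8, TOY_KSK_B64)
    return key_tag(rdata), ds_digest_sha256("example.com.", rdata)
```

A validator that fetched a substituted key would compute a different digest and reject it, which is the property that a spoofed or poisoned answer cannot satisfy.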
May 15, 2008