Patching the Domain Name System
Latest DNS flaw underscores need for secure Internet naming
- By William Jackson
- Jul 21, 2008
Vendors have scrambled to produce patches for a potentially severe design flaw in the Internet's Domain Name System, and the race is on to get patches in place before exploits appear.
'We have bought you as much time as possible,' said Dan Kaminsky, director of penetration testing at IOActive, which discovered the bug about six months ago.
Details of the vulnerability will not be released until the Black Hat Briefings in August, a month after the July 8 announcement. Kaminsky said reverse engineering the patches to find the vulnerability would be difficult but not impossible.
'The advantage won't last forever,' he said. 'We hope it will last a month.'
Exploitation of the flaw could allow hackers to misdirect Internet traffic.
'You would still have the Internet, but it wouldn't be the Internet you expect,' Kaminsky said.
It could create a windfall for phishers, said Alan Paller, director of research at the SANS Institute.
'Victims would believe they are visiting their banks, because they typed in the bank's URL, and give away their account numbers and passwords,' Paller said. 'The software fixes are not solutions until people actually install them.'
Even that is not the ultimate solution, said Cricket Liu, vice president of infrastructure at Infoblox, a core network appliance company. He said the root of the problem lies in inadequate message ID randomness, a problem that has been known for years.
'What we have done for now is add some additional bits of entropy,' Liu said. 'But the real fix is going to be something along the lines' of DNS Security Extensions, a system used to authenticate DNS messages.
DNS is a hierarchical system that translates URLs and e-mail addresses, for example, into IP addresses. There are known exploits for poisoning the system and misdirecting traffic, but because the latest vulnerability is in DNS' basic design, it appears in nearly all implementations of the protocol.
A group of 16 security researchers met in Redmond, Wash., in March to coordinate a response.
'We agreed that the only way we could do this was by a coordinated release across all platforms,' Kaminsky said at a news conference announcing the release. Vendors agreed to release patches in July and wait a month before releasing details about the vulnerability.
Kaminsky said the vulnerability involves a weakness in the transaction ID used in DNS queries. Transaction IDs are chosen randomly from 65,000 values.
'For undisclosed reasons, 65,000 is just not enough,' Kaminsky said. 'We needed more randomization.'
Patching will take some time because of the difficulty of locating and updating all name servers in enterprises. In some cases, patching won't be enough. Firewalls limiting the number of ports that can be used by a name server might need to be reconfigured to accommodate increased randomization.
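To make the entropy argument concrete, here is a small added check (my own code, not from the article or any vendor) that models the guess space a forged reply must hit and inspects a resolver's outbound queries for source-port randomization. The sample query tuples are constructed; the port range a firewall permits is the only assumption.

```python
import math
from collections import Counter

TXID_SPACE = 1 << 16  # the DNS transaction ID is a 16-bit header field


def guess_space(port_low: int, port_high: int) -> tuple[int, float]:
    """Number of (transaction ID, source port) combinations a forged reply
    must match, plus the same figure in bits. A resolver pinned to one port
    (port_low == port_high) is back to the 16 bits the article describes;
    a firewall that only allows a narrow range shrinks the space again."""
    if not 1 <= port_low <= port_high <= 65535:
        raise ValueError("invalid source port range")
    combos = TXID_SPACE * (port_high - port_low + 1)
    return combos, math.log2(combos)


def assess_source_ports(samples: list[tuple[int, int]]) -> dict:
    """Given (txid, source_port) pairs captured from one resolver's outbound
    queries, report how many distinct ports were used and the empirical
    entropy of the port field. A single fixed port means the patch is not
    in effect, or a NAT/firewall in the path is rewriting ports."""
    ports = Counter(sport for _, sport in samples)
    total = sum(ports.values())
    entropy = -sum(c / total * math.log2(c / total) for c in ports.values())
    return {
        "distinct_ports": len(ports),
        "port_entropy_bits": round(entropy, 2),
        "fixed_port": len(ports) == 1,
    }


# Constructed samples: an unpatched resolver always sending from port 53,
# and a patched one choosing a fresh port per query.
UNPATCHED = [(0x1A2B, 53), (0x9C4D, 53), (0x7E01, 53), (0x33F0, 53)]
PATCHED = [(0x1A2B, 41022), (0x9C4D, 57913), (0x7E01, 34410), (0x33F0, 60007)]

if __name__ == "__main__":
    print("fixed port:", guess_space(53, 53))            # 16 bits
    print("firewall 1024-2047:", guess_space(1024, 2047)) # 26 bits
    print("full range:", guess_space(1024, 65535))        # ~32 bits
    print(assess_source_ports(UNPATCHED))
    print(assess_source_ports(PATCHED))
```

Feed `assess_source_ports` with tuples parsed from a packet capture of your own resolver to confirm the randomization survives any firewall or NAT in front of it.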
Many servers are running older versions of the Berkeley Internet Name Domain server. The latest version is BIND 9; BIND 8 is no longer supported, and servers running it will need to be updated to Version 9.
Liu said fundamental changes to name resolution for the Internet are inevitable.
'If we had it to do over again, we would have a much larger message ID,' he said.
'But DNS is so well established there is no way to change it. Eventually we will have to move to a different technology. That is going to be a big job.'