Tom Tovar | DNS requires a layered approach
- By William Jackson
- Jan 12, 2009
The Domain Name System (DNS) that underlies Internet routing is getting a lot of attention these days, from hackers, network administrators and security experts. A stopgap patch was issued this summer after a critical vulnerability in the DNS protocols was discovered by researcher Dan Kaminsky. The government is moving this year to implement digital signing of DNS queries and replies in the .gov top-level domain with DNS Security Extensions (DNSsec).
However, patches and DNSsec are not enough to secure this critical infrastructure, said Tom Tovar, chief executive officer of Nominum, a supplier of network naming and address tools. Layered defenses need to be built into the DNS software of critical servers, Tovar said. He spoke recently with GCN about the challenges of DNS security.
GCN: How at risk is the Domain Name System?
TOM TOVAR: There have been threats to the DNS for some time. There are a variety of attack vectors that leverage the DNS. We have always taken these threats seriously, and last year, this Kaminsky vulnerability hit the DNS world like a storm. The good news for Nominum was that we had a number of protections already in our software. The bad news is that the industry was caught off guard. I would say today that the DNS is more at risk than it has ever been. With the documented exploits of the Kaminsky vulnerability that have occurred, this is widely perceived.
The kinds of things that could happen with a successful Kaminsky type of attack are pretty severe, with applications being disrupted, traffic being redirected, networks being brought down, identities being stolen — a barrage of things that could go wrong.
GCN: How serious is the vulnerability discovered by Kaminsky compared with other known vulnerabilities? TOVAR: What makes it insidious is the speed at which it can be successfully launched and the ability to poison not just a particular domain, but a set of secondary and related domains as well. So the punch is far greater than a simple cache-poisoning attack. [Kaminsky] found a way, using the protocol against itself, to propagate and exploit faster than anyone else had done in the past and eliminate many of the previous probabilistic hurdles of attack vectors. He was able to poison [the Berkeley Internet Name Domain server (BIND )] in under 10 minutes.
GCN: The fix that was issued for this vulnerability has been acknowledged as a stopgap. What are its strengths and weaknesses?
TOVAR: Even to say that it is pretty good is a scary proposition. There was a Russian security researcher who published an article within 24 hours of the release of the [User Datagram Protocol] source port randomization patch that was able to crack the fix in under 10 hours using two laptops. The strength of the patch is that it adds a probabilistic hurdle to an attack. The downside is it is a probabilistic defense and therefore a patient hacker with two laptops or a determined hacker with a data center can eventually overcome that defense. The danger of referring to it as a fix is that it allows administrators and owners of major networks to have a false sense of security.
GCN: Are there other problems in DNS that are as serious as this vulnerability?
TOVAR: I think there are a lot of others that are just as bad or worse. One of the challenges is that there is no notification mechanism in most DNS solutions, no gauntlet that the attacker has to run so that the administrator can see that some malicious code or individual is trying to access the server in an inappropriate way. If UDP source port randomization were overcome and the network owner or operator were running an open-source server, there would be no way to know that was happening. This has been a wake-up call for any network that is relying on open source for this function.
GCN: Is open-source DNS software inherently less secure than proprietary software?
TOVAR: The challenge of an open-source solution is that you cannot put anything other than a probabilistic defense mechanism in open source. If you put deterministic protections in, you are going to make them widely available because it is open source, so you essentially give the hacker a road map on how to obviate or avoid those layers of protection. The whole point of open source is that it is open and its code is widely available. It offers the promise of ease of deployment, but it is likely having a complex lock system on your house and then handing out the keys.
GCN: BIND, which is the most widely used DNS server, is open source. How safe are the latest versions of it? TOVAR: For a lot of environments, it is perfectly suitable. But in any mission-critical network in the government sector, any financial institution, anything that has the specter of identity theft or impact on national security, I think using open source is just folly.
GCN: Why is BIND so widely used if it should not be used in critical areas?
TOVAR: The Internet is still relatively young. We don’t think poorly of open source. In fact, many of our engineers wrote BIND versions 8 and 9, so we do believe there is a role for that software. But the proliferation of DNS has occurred in the background as the Internet has exploded. DNS commonly is thought of as just a translation protocol for browsing behavior, and that belies the complexity of the networks that DNS supports. Everything from e-mail to [voice over IP] to anything IP hits the DNS multiple times. Security applications access it, anti-spam applications access it, firewalls access it. When administrators are building out networks it is very easy to think of DNS as a background technology that you just throw in and then go on to think about the applications.
GCN: Would DNSsec solve DNS security risks?
TOVAR: Our products are DNSsec-enabled and have been for years. It is widely recognized that DNSsec is where the industry needs to move and that being able to digitally sign DNS traffic is needed in the very near future. But even the most aggressive estimates would say it is still going to take three to five years at best to get DNSsec enabled and deployed widely enough that it will actually matter.
GCN: Why is DNSsec not more widely deployed?
TOVAR: Not all DNS implementations support it today, and getting vendors to upgrade their systems is critical. Just signing one side of the equation, the authoritative side, is a good step, but it’s only half the battle. You need to have both sides of the DNS traffic signed. And there is no centralized authority for .com. It is a widely distributed database and you have to have every DNS server speaking the same version of DNSsec. So the obstacle to DNSsec deployment is fairly huge. It is going to take government intervention and wide-scale industry acknowledgment that this is needed.
GCN: Will the implementation of DNSsec in the .gov top-level domain be a significant help?
TOVAR: We commend the government for its effort. Any government mandate to deploy DNSsec will provide momentum. Anything that contributes to a world in which DNS traffic is signed is for the good. The challenge is the computational overhead and the investments in the infrastructure that need to happen to get to a full DNSsec employment.