GCN INTERVIEW

Tom Tovar | DNS requires a layered approach

The Domain Name System (DNS) that underlies Internet routing is getting a lot of attention these days, from hackers, network administrators and security experts. A stopgap patch was issued this summer after a critical vulnerability in the DNS protocols was discovered by researcher Dan Kaminsky. The government is moving this year to implement digital signing of DNS queries and replies in the .gov top-level domain with DNS Security Extensions (DNSsec).

However, patches and DNSsec are not enough to secure this critical infrastructure, said Tom Tovar, chief executive officer of Nominum, a supplier of network naming and address tools. Layered defenses need to be built into the DNS software of critical servers, Tovar said. He spoke recently with GCN about the challenges of DNS security.

GCN: How at risk is the Domain Name System?

TOM TOVAR: There have been threats to the DNS for some time. There are a variety of attack vectors that leverage the DNS. We have always taken these threats seriously, and last year, this Kaminsky vulnerability hit the DNS world like a storm. The good news for Nominum was that we had a number of protections already in our software. The bad news is that the industry was caught off guard. I would say today that the DNS is more at risk than it has ever been. With the documented exploits of the Kaminsky vulnerability that have occurred, this is widely perceived.

The kinds of things that could happen with a successful Kaminsky type of attack are pretty severe, with applications being disrupted, traffic being redirected, networks being brought down, identities being stolen — a barrage of things that could go wrong.

GCN: How serious is the vulnerability discovered by Kaminsky compared with other known vulnerabilities? TOVAR: What makes it insidious is the speed at which it can be successfully launched and the ability to poison not just a particular domain, but a set of secondary and related domains as well. So the punch is far greater than a simple cache-poisoning attack. [Kaminsky] found a way, using the protocol against itself, to propagate and exploit faster than anyone else had done in the past and eliminate many of the previous probabilistic hurdles of attack vectors. He was able to poison [the Berkeley Internet Name Domain server (BIND )] in under 10 minutes.

GCN: The fix that was issued for this vulnerability has been acknowledged as a stopgap. What are its strengths and weaknesses?

TOVAR: Even to say that it is pretty good is a scary proposition. There was a Russian security researcher who published an article within 24 hours of the release of the [User Datagram Protocol] source port randomization patch that was able to crack the fix in under 10 hours using two laptops. The strength of the patch is that it adds a probabilistic hurdle to an attack. The downside is it is a probabilistic defense and therefore a patient hacker with two laptops or a determined hacker with a data center can eventually overcome that defense. The danger of referring to it as a fix is that it allows administrators and owners of major networks to have a false sense of security.

GCN: Are there other problems in DNS that are as serious as this vulnerability?

TOVAR: I think there are a lot of others that are just as bad or worse. One of the challenges is that there is no notification mechanism in most DNS solutions, no gauntlet that the attacker has to run so that the administrator can see that some malicious code or individual is trying to access the server in an inappropriate way. If UDP source port randomization were overcome and the network owner or operator were running an open-source server, there would be no way to know that was happening. This has been a wake-up call for any network that is relying on open source for this function.

GCN: Is open-source DNS software inherently less secure than proprietary software?

TOVAR: The challenge of an open-source solution is that you cannot put anything other than a probabilistic defense mechanism in open source. If you put deterministic protections in, you are going to make them widely available because it is open source, so you essentially give the hacker a road map on how to obviate or avoid those layers of protection. The whole point of open source is that it is open and its code is widely available. It offers the promise of ease of deployment, but it is likely having a complex lock system on your house and then handing out the keys.

GCN: BIND, which is the most widely used DNS server, is open source. How safe are the latest versions of it? TOVAR: For a lot of environments, it is perfectly suitable. But in any mission-critical network in the government sector, any financial institution, anything that has the specter of identity theft or impact on national security, I think using open source is just folly.

GCN: Why is BIND so widely used if it should not be used in critical areas?

TOVAR: The Internet is still relatively young. We don’t think poorly of open source. In fact, many of our engineers wrote BIND versions 8 and 9, so we do believe there is a role for that software. But the proliferation of DNS has occurred in the background as the Internet has exploded. DNS commonly is thought of as just a translation protocol for browsing behavior, and that belies the complexity of the networks that DNS supports. Everything from e-mail to [voice over IP] to anything IP hits the DNS multiple times. Security applications access it, anti-spam applications access it, firewalls access it. When administrators are building out networks it is very easy to think of DNS as a background technology that you just throw in and then go on to think about the applications.

GCN: Would DNSsec solve DNS security risks?

TOVAR: Our products are DNSsec-enabled and have been for years. It is widely recognized that DNSsec is where the industry needs to move and that being able to digitally sign DNS traffic is needed in the very near future. But even the most aggressive estimates would say it is still going to take three to five years at best to get DNSsec enabled and deployed widely enough that it will actually matter.

GCN: Why is DNSsec not more widely deployed?

TOVAR: Not all DNS implementations support it today, and getting vendors to upgrade their systems is critical. Just signing one side of the equation, the authoritative side, is a good step, but it’s only half the battle. You need to have both sides of the DNS traffic signed. And there is no centralized authority for .com. It is a widely distributed database and you have to have every DNS server speaking the same version of DNSsec. So the obstacle to DNSsec deployment is fairly huge. It is going to take government intervention and wide-scale industry acknowledgment that this is needed.

GCN: Will the implementation of DNSsec in the .gov top-level domain be a significant help?

TOVAR: We commend the government for its effort. Any government mandate to deploy DNSsec will provide momentum. Anything that contributes to a world in which DNS traffic is signed is for the good. The challenge is the computational overhead and the investments in the infrastructure that need to happen to get to a full DNSsec employment.

Reader Comments

Fri, Jan 16, 2009

I'm curious why the root nameservers, clearly the *most* critical pieces of the DNS infrastructure, run BIND and not Nominum ANS?

Wed, Jan 14, 2009 Antoin NL

This article is actually an advertisement, and does not contain any knowledge nor vision. It is clear that the speaker does not understand the DNS playing field and technical security policy, and is only interviewed to promote his own product. The most critical DNS infrastructure (The DNS root servers and the majority of TLD servers) all run open source software, and it is always wise for redundancy to have multiple technologies, brands, versions and operational redundancy implemented when dealing with critical infrastructure because nobody, including the most knowledgeable person, never makes mistakes. It would be foolish to ignore that and say "if you don't know about it because we keep it a secret, it does not exist" As a technical policy advisor for a TLD, I strongly oppose to security by obscurity,and favor open source software to be implemented as it has proven to not only to improve stability of software, but also to the discovery of errors in protocols that closed software has never contributed to.

Wed, Jan 14, 2009

"I think using open source is just folly." Really Mr. Tovar? And what do you base that on? Years of experience as a corporate attorney? Divine Influence? What? Oh yeah, you sell a closed-source product that competes against an open source product. Never mind

Wed, Jan 14, 2009 R A Lichtensteiger Massachusetts

Mr. Tovar said "But in any mission-critical network [...], I think using open source is just folly."

This is a most foolish statement. NOT using open source and depending on a commercial, closed source vendor is where the folly lies.

Open source, particularly in the DNS community, has shown time and again to be more robust and more responsive to security issues (my servers are already patched for the SSL DSA signature verification bug -- are Mr. Tovar's?).

R A Lichtensteiger

Wed, Jan 14, 2009 RL Vaughn

I find the comment about the folly of open source ironic given Nominum's server operates on Redhat, SuSe, FreeBSD and Solaris. I doubt Nominum considers using these OSes, all of which have a strong Open Source commitment, to be folly. In fact, these operating systems owe their security reputations to contributions to the open source community.








Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above