Security researcher Kaminsky pushes DNS patching
Dan Kaminsky, who for years was ambivalent about securing DNS, has become an ardent supporter of DNS Security Extensions.
Speaking at the Black Hat DC 2009 conference Thursday, the prominent security researcher told the audience that the lack of DNS security not only makes the Internet vulnerable, but is also crippling the scalability of important security technologies.
"DNS is pretty much our only way to scale systems across organizational boundaries, and because it is insecure it's infecting everything else that uses" DNS, the fundamental Internet protocol that provides an IP address for a given domain name, said Kaminsky, director of penetration testing at IOActive. "The only group that has actually avoided DNS because it's insecure are security technologies, and therefore those technologies aren't scaling." Kaminsky began promoting DNSSEC last summer, following his discovery of a significant DNS flaw -- known as the Kaminsky Bug -- where cache poisoning attacks allow a hacker to redirect traffic from a legitimate Web site to a fake one without users realizing it. (See how cache poisoning attacks work.) DNSSEC attempts to prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.
Despite the fact that key operating system vendors -- including Sun, Cisco and Microsoft -- released patches to temporarily fix the flaw, Kaminsky said DNS security has not been widely adopted.
The U.S. government, for example, missed its January deadline for rolling out DNSSEC on the .gov top-level domain, and is aiming to complete the task by the end of February and to patch all subdomains by December.
One roadblock to DNSSEC adoption is that it isn't easy to implement, Kaminsky admits, and calls for coordination by many parties. DNSSEC requires domain name registrars, domain name registries, ISPs and users to upgrade their software.
Still, Kaminsky says DNSSEC offers the most feasible solution to a serious threat.
"We need to put out the immediate fire," he said. "We should stop arguing whether DNS should be used for security and [just] use it for security because it scales."
At the conference, Kaminsky stressed the importance of securing not only DNS servers on the Internet, but those behind firewalls as well. This is because Web applications such as e-mail and browsers can be manipulated to perform DNS lookups, and therefore are vulnerable to penetration.
"There should be no important servers that are vulnerable," he said.
» posted by ITworld staff
Network World
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
kaminsky
Powered by Twitter
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
