Security researcher Kaminsky pushes DNS patching
Dan Kaminsky, who for years was ambivalent about securing DNS, has become an ardent supporter of DNS Security Extensions.
Speaking at the Black Hat DC 2009 conference Thursday, the prominent security researcher told the audience that the lack of DNS security not only makes the Internet vulnerable, but is also crippling the scalability of important security technologies.
"DNS is pretty much our only way to scale systems across organizational boundaries, and because it is insecure it's infecting everything else that uses" DNS, the fundamental Internet protocol that provides an IP address for a given domain name, said Kaminsky, director of penetration testing at IOActive. "The only group that has actually avoided DNS because it's insecure are security technologies, and therefore those technologies aren't scaling." Kaminsky began promoting DNSSEC last summer, following his discovery of a significant DNS flaw -- known as the Kaminsky Bug -- where cache poisoning attacks allow a hacker to redirect traffic from a legitimate Web site to a fake one without users realizing it. (See how cache poisoning attacks work.) DNSSEC attempts to prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.
Despite the fact that key operating system vendors -- including Sun, Cisco and Microsoft -- released patches to temporarily fix the flaw, Kaminsky said DNS security has not been widely adopted.
The U.S. government, for example, missed its January deadline for rolling out DNSSEC on the .gov top-level domain, and is aiming to complete the task by the end of February and to patch all subdomains by December.
One roadblock to DNSSEC adoption is that it isn't easy to implement, Kaminsky admits, and calls for coordination by many parties. DNSSEC requires domain name registrars, domain name registries, ISPs and users to upgrade their software.
Still, Kaminsky says DNSSEC offers the most feasible solution to a serious threat.
"We need to put out the immediate fire," he said. "We should stop arguing whether DNS should be used for security and [just] use it for security because it scales."
At the conference, Kaminsky stressed the importance of securing not only DNS servers on the Internet, but those behind firewalls as well. This is because Web applications such as e-mail and browsers can be manipulated to perform DNS lookups, and therefore are vulnerable to penetration.
"There should be no important servers that are vulnerable," he said.
» posted by ITworld staff
Network World
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
kaminsky
Powered by Twitter
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
