DNS remains vulnerable one year after Kaminsky bug

Cache poisoning attacks rise amid scramble to patch DNS servers, deploy security add-on

A year has passed since security researcher Dan Kaminsky disclosed a serious flaw in the DNS that makes it possible for hackers to launch cache poisoning attacks, where traffic is redirected from a legitimate Web site to a fake one without the Web site operator or end user knowing.

Kaminsky's disclosure was a wake-up call to network vendors and ISPs about the inherent weaknesses in DNS, the foundational Internet standard that matches IP addresses with domain names.

The hype around Kaminsky's discovery also gave a much-needed boost to DNS Security Extensions (DNSSEC), an add-on security mechanism that had been languishing due to a lack of demand by network managers.

Kaminsky "helped raise awareness of the DNS vulnerability but also of Internet security in general and how dependent we are on protocols that don't have security built in," says Scott Rose, a computer scientist with the National Institutes of Standards and Technology and an expert in DNS security.

"There was discussion always in the protocol community about the vulnerability of DNS and the need for DNSSEC deployment, but the issue did get a big boost from the outside" thanks to Kaminsky, Rose said. "He raised the issue of what can happen when you attack the DNS. It's not just about redirecting browsers but subverting e-mail. All the other attacks that Kaminsky outlined brought the issue to the forefront."

Experts say more has been done to bolster the security of the DNS in the past 12 months than in the previous decade, thanks to Kaminsky's discovery. Yet, the DNS remains as vulnerable as ever to cache poisoning attacks.

The Kaminsky bug "was a big deal for the Internet community at large," says Joe Gersch, Chief Operating Officer at Secure64, which sells DNS server software and automated tools for migrating to DNSSEC. Gersch was at the Black Hat conference last summer when Kaminsky detailed the DNS cache poisoning threat in front of a standing-room-only crowd.

"It took 20 minutes for Kaminsky to explain how it works, and then he went through case after case of how it could be exploited for another hour and a half," Gersch says. "He showed how once you own the DNS, you own everything. And he showed how insidious the flaw is so that you don't even know you've been compromised. Jaws were dropping."

Gersch says Kaminsky did more than raise awareness of the inherent lack of security in DNS. "It was a pretty big call to action, first for the patch and then for ... DNSSEC deployment," Gersch says.

Since then, most -- but not all -- network engineers have patched their DNS servers against the Kaminsky bug. Patching is what Kaminsky recommends as a short-term fix to this vulnerability.

The long-term fix for Kaminsky-style attacks is DNSSEC, which prevents cache poisoning attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.

The problem is that DNSSEC works best when it is fully deployed across the Internet: from the root zone at the top of the DNS heirarchy, to individual top-level domains such as .com and .net, down to individual domain names. Until that happens, Web sites remain vulnerable to Kaminsky-style attacks.

The Kaminsky flaw is "the prime driver for DNSSEC," says Rodney Joffe, senior vice president and senior technologist with NeuStar, which sells managed DNS services and an interim fix to cache poisoning attacks called Cache Defender. The problem, Joffe says, is that "we're still a year or more away from DNSSEC deployment."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags dns flawKaminsky

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Carolyn Duffy Marsan

Network World
Show Comments

Father’s Day Gift Guide

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?