Kaminsky: DNS Is Still in Danger
Speaking today at the Black Hat security conference, Kaminsky said that not only is the flaw he uncovered in DNS -- the system that translates domain names into IP addresses -- still widely unpatched, it's now being exploited.
"Because DNS is insecure, its insecurity infects everything that uses it," Kaminsky told the capacity Black Hat crowd. "Is anyone out there actually attacking DNS? Turns out the answer is yes."
Kaminsky discovered the vulnerability in DNS last year. If not patched, the security hole has potentially wide-ranging implications: Using a cache-poisoning flaw in the system, attackers could trick DNS servers into forwarding Internet users to any arbitrary addresses -- putting the entire Internet at risk.
"When DNS fails, everything dies," Kaminsky said today. "DNS tells you how to get there, but it doesn't tell you what to expect when you arrive."
The researcher worked with major networking vendors to produce patches to fix the problem, and later presented his findings on the flaw at the Black Hat Las Vegas show in 2008.
Kaminsky today said that he had initially expected 50 percent of all DNS servers to be patched after a year. According to his own research, the figure after 6 months stands at approximately 66 percent.
Yet there's still reason for worry. Kaminsky said that researchers at Georgia Tech have been monitoring infection rates on DNS servers over the past six months. Though Kaminsky did not provide specific numbers, he claimed that they had seen an increase in the number of infected servers since January.
The concerns don't end there. The fix that Kaminsky helped push out in 2008 -- dubbed the Source Port Randomization Patch -- had not been intended as a long-term fix. Instead, he and the networking vendors he worked with viewed it as just a way to make DNS cache poisoning more difficult to execute.
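To show why randomizing the source port makes poisoning harder without ruling it out, here is an added example (not from the article or from Kaminsky's talk) that estimates how many bits a spoofed reply has to match, based on the source ports a resolver is seen using. The port lists are constructed samples, and the function names and rating thresholds are assumptions.

```python
import math
import statistics
from collections import Counter

TXID_BITS = 16  # the DNS transaction ID field is 16 bits wide

def port_bits(ports):
    """Estimate bits of unpredictability in a resolver's observed source ports."""
    if len(set(ports)) <= 1:
        return 0.0  # one fixed port adds nothing to the transaction ID
    steps = Counter((b - a) % 65536 for a, b in zip(ports, ports[1:]))
    if steps.most_common(1)[0][1] > len(ports) // 2:
        return 0.0  # a constant stride is as predictable as a fixed port
    # A uniform pick over a range of width R has stddev R / sqrt(12).
    width = statistics.pstdev(ports) * math.sqrt(12)
    return min(16.0, math.log2(max(width, 1.0)))

def guess_space_bits(ports):
    """Bits a spoofed reply must match: transaction ID plus destination port."""
    return TXID_BITS + port_bits(ports)

def rate(ports):
    """Assumed thresholds: under 8 port bits is POOR, 13 or more is GOOD."""
    bits = port_bits(ports)
    return "POOR" if bits < 8 else "GOOD" if bits >= 13 else "FAIR"

# Constructed samples of source ports seen on a resolver's outbound queries.
FIXED = [32768] * 8
SEQUENTIAL = list(range(1025, 1033))
NARROW_POOL = [50000, 50012, 50003, 50009, 50001, 50014, 50006, 50011]
RANDOMIZED = [51234, 10877, 39021, 62410, 2231, 27655,
              45790, 18342, 58903, 33467, 7012, 23580]

if __name__ == "__main__":
    for name, sample in [("fixed", FIXED), ("sequential", SEQUENTIAL),
                         ("narrow pool", NARROW_POOL), ("randomized", RANDOMIZED)]:
        print(f"{name:12} {rate(sample):5} ~{guess_space_bits(sample):.1f} bits")
```

Sample the ports on the Internet-facing side of any NAT device, since address translation can rewrite a patched resolver's random ports into a predictable sequence.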
Kaminsky said he now sees DNSSEC (DNS Security Extensions) as the right approach to make DNS secure. DNSSEC adds encryption to DNS, ensuring that domain information is secured and validated. Numerous security experts recommended its adoption at the time of Kaminsky's original DNS disclosure.
But using DNSSEC is not without its own hurdles, Kaminsky added.
"The DNSSEC protocol is good, but implementations are difficult," he said.
One of the challenges is having the root DNS zone digitally signed for DNSSEC. To date, that hasn't happened, though VeriSign, the company that manages the root DNS zone, has indicated that it's working on the issue.
The process of actually managing DNSSEC also needs to be improved, Kaminsky said.
"DNSSEC needs to be far more automated than it is today to reduce the amount of manual effort for key signing and updating," he said. "For DNSSEC to scale, it must be as straightforward to install as the Source Port Randomization Patch was. That doesn't mean that patch was trivial to install, but it was a one-time operation that took care of itself after being deployed."
Kaminsky's not the only one worrying about the challenges in deploying DNSSEC. The problem led to the creation of the DNSSEC Industry Coalition to help figure out how to overcome the implementation challenges. VeriSign is a member of the coalition.
Kaminsky also suggested that, in addition to the root, it would be a good idea to allow opt-in to local and national Trust Anchor Repositories. In such a system, trust isn't all centralized in the U.S. with VeriSign. For example, Russian name server admins could self-manage the .ru domain.
How long it might take to simplify DNSSEC's deployment remains unclear. But to Kaminsky, the goal is worthwhile.
"Once we make DNS secure, an entire class of security problems may be possible to efficiently solve," he said.