Wednesday, July 9, 2008

DNS vulnerability

A vulnerability in the DNS protocol was discovered yesterday by Dan Kaminsky and announced in several places. Although it is not entirely clear if this was the first time the vulnerability was discovered, this is definitely the first time it gets acknowledged by the Internet comminity as a whole.

As I was out of the office yesterday all day, I spoke to a few colleagues today to discuss it.

Most of my co-workers are technically very skilled, which is why I was rather surprised to find out that most of them do not know in detail how DNS works. It goes too far to outline exactly what terms like recursive lookup, Query ID, root server, caching server, resolving, zone transfer, etc. mean in this post, but let me summarize the vulnerability in the way I explained it to the C-level.



DNS is one of the most fundamental building blocks of the Internet.
Its function is to automatically translate Internet Domain Names to
numerical IP addresses.

This functionality is used to
connect your browser to the servers of your bank, our students browsers
to the enrollment system, or our backend system to our payment
processor.

Yesterday's vulnerability concerns the DNS
mechanism itself, not the way it has been implemented by different
vendors. Once this vulnerability becomes exploitable, one of the most
fundamental trust-mechanism on which the Internet relies heavily
becomes compromised and Bad Things might happen.

My
recommendation is that we re-evaluate our DNS architecture and apply
vendor patches soon after they are released. As per recommendation,
these patches do not have to be applied (yet) as emergency patches and
they can be tested according to our regular change management process.

These are interesting times.

No comments:

Post a Comment

Please share your view and opinions on what I wrote. In order to maintain quality, all comments will be moderated for merit. Contributions that call me out on statements that appear unfounded, wrong, or simply with which you disagree are highly appreciated and are even encouraged. Spam and 'me too' answers will be ignored.