Security researcher Kaminsky pushes DNS patching

Tells Black Hat DC crowd that organizations have been slow to react despite Kaminsky Bug

WASHINGTON, D.C. - Dan Kaminsky, who for years was ambivalent about securing DNS, has become an ardent supporter of DNS Security Extensions.

Speaking at the Black Hat DC 2009 conference Thursday, the prominent security researcher told the audience that the lack of DNS security not only makes the Internet vulnerable, but is also crippling the scalability of important security technologies.

"DNS is pretty much our only way to scale systems across organizational boundaries, and because it is insecure it's infecting everything else that uses" DNS, the fundamental Internet protocol that provides an IP address for a given domain name, said Kaminsky, director of penetration testing at IOActive. "The only group that has actually avoided DNS because it's insecure are security technologies, and therefore those technologies aren't scaling." Kaminsky began promoting DNSSEC last summer, following his discovery of a significant DNS flaw — known as the Kaminsky Bug  — where cache poisoning attacks allow a hacker to redirect traffic from a legitimate Web site to a fake one without users realizing it. (See how cache poisoning attacks work.)  DNSSEC attempts to prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.

Despite the fact that key operating system vendors — including Sun, Cisco and Microsoft — released patches to temporarily fix the flaw, Kaminsky said DNS security has not been widely adopted.

The U.S. government, for example, missed its January deadline for rolling out DNSSEC on the .gov top-level domain, and is aiming to complete the task by the end of February and to patch all subdomains by December.

One roadblock to DNSSEC adoption is that it isn't easy to implement, Kaminsky admits, and calls for coordination by many parties. DNSSEC requires domain name registrars, domain name registries, ISPs and users to upgrade their software.

Still, Kaminsky says DNSSEC offers the most feasible solution to a serious threat.

"We need to put out the immediate fire," he said. "We should stop arguing whether DNS should be used for security and [just] use it for security because it scales."

At the conference, Kaminsky stressed the importance of securing not only DNS servers on the Internet, but those behind firewalls as well. This is because Web applications such as e-mail and browsers can be manipulated to perform DNS lookups, and therefore are vulnerable to penetration.

"There should be no important servers that are vulnerable," he said.

Learn more about this topic

How DNS cache poisoning works

FAQ: The DNS bug and you

Experts to Feds: Sign the DNS root ASAP

From CSO: 7 security mistakes people make with their mobile device
Join the discussion
Be the first to comment on this article. Our Commenting Policies