Major DNS flaw could disrupt the Internet

A fundamental flaw in the Domain Name System protocol that would allow an attacker to massively disrupt the Internet has been discovered by a researcher, prompting CERT to issue an alert and major DNS software vendors to issue patches today.

DNS servers across the 'Net and in corporate networks translate host names to IP addresses, and vice versa, allowing for normal Internet use. But a flaw in the underlying protocol leaves them open to being hijacked. And according to the researcher who made the discovery of the critical DNS flaw, Dan Kaminsky, director of penetration testing at IOActive, it's now up to ISPs and corporate network managers to apply the DNS patch software patches released today.

Hear Dan Kaminsky's explanation of the flaw, in our Newsmaker of the Week podcast. 

"We worked with vendors on a coordinated patch," said Kaminsky, noting this is the first time such a coordinated multi-vendor synchronized patch release has ever been carried out. Microsoft, Sun, ISC's DNS Bind, and Cisco have readied DNS patches, said Kamisnky. "The patch was selected to be as non-disruptive as possible."

Lack of an applied patch in the ISP infrastructure would mean "they could go after your ISP or Google and re-direct them pretty much wherever they wanted."

Both current and older versions of DNS may be vulnerable, Kaminsky says, and patches may not be available for older DNS software. He says Yahoo was vulnerable because it uses an older version of BIND but had committed to upgrading to BIND 9.0.

Kaminsky says there's a way to check for vulnerability to the DNS flaw by visiting here.

Kaminsky hinted the problem centers around lack of sufficient port randomization related to the transaction ID of a query but added he would feel more at liberty to discuss the problem publicly in about a month, after the bulk of DNS patching has presumably been done.

Kaminsky says he stumbled on the problem by accident about six months ago, kept quiet about it publicly. He also organized an industry-wide response that culminated in 16 researchers converging on the Microsoft campus in late March to address the problem.

"Several ISPs have been informed," said Art Manion, vulnerability assessment team lead at the CERT Coordination Center, who joined Kaminsky on a conference call today to discuss the DNS flaw and its implications for ISPs and corporate networks. He added that several government agencies worked closely with CERT to address the DNS flaw issue.

While the DNS patch upgrade should go fairly smoothly, Kaminsky says, there is the potential that if the DNS fix is not applied correctly, people could suffer a "sudden outage."

The majority of the patching focuses on DNS servers, but there also may be "little clients, where those hosts are vulnerable as well," says Kaminsky, noting that so far no known exploit of the DNS flaw has been seen so far.

Jeff Moss, founder of the Black Hat conference, applauded Kaminsky for treating the DNS discovery he made with a sense of responsible disclosure, rather than selling the information to the highest bidder, a practice growing increasingly common.

"If he had decided to sell it, he would have made hundreds of thousands of dollars," Moss concluded.