Open source software security

DNS Debacle

30 November -0001

Most people are probably blissfully unaware, but security researcher Dan Kaminsky discovered a very serious flaw in DNS (Domain Name System) and was waiting until Black Hat to release the details. Well, as with all secrets, if more than one person knows it, soon it's not a secret. The vulnerability was announced two weeks ago by US CERT and major vendors have been working to apply patches. However, most of the public was unaware of how the vulnerability would affect them, or how an exploit would work. Well, it seems that details of the vulnerability were leaked by Matasano and despite their quick retraction the story was soon cached and picked up and run with and well, you know how these things go once they hit the internet. Despite the fact that there is a possibility that this flaw was discovered three years ago it presents a major threat to the average person on the net.

This vulnerability relies on a race condition in response to DNS queries that leads to cache poisoning. It seems if you can trick someone into rapid fire DNS lookups you can beat their authoritative response with a spoofed one. The crux of the attack is that you can nest additional resource records in your response that can override earlier queries.

This problem shares a lot in common with the lower level protocol flaws that plague the internet. The internet was designed decades ago without today's security concerns in mind. The early computers on the internet assumed trust and didn't anticipate this kind of tomfoolery. DNS serves as one of the cornerstones of the earliest architecture on the internet and has suffered from problems time and time again due to design flaws. Unfortunately the workings of the internet are so closely tied to DNS that there is little we could do to develop an alternative system.

In the meantime pay attention to vendor released patches and apply them quickly.