Companies still failing to patch DNS

Companies are still failing to secure DNS networks despite the threat posed by last year's security flaw, according to the flaw's discoverer, Dan Kaminsky.

Share

Companies are still failing to secure DNS networks despite the threat posed by last year's security flaw, according to the flaw's discoverer, Dan Kaminsky.

Kaminsky warns firms fail to patch DNSEven the US federal government had missed its own deadline for rolling out DNSSEC, he pointed out.

Speaking at the Black Hat DC 2009 conference, Kaminsky told the audience that the lack of DNS security not only made the Internet vulnerable, but was also crippling the scalability of important security technologies.

DNS “is pretty much our only way to scale systems across organisational boundaries, and because it is insecure it's infecting everything else” that uses DNS, the fundamental Internet protocol that provides an IP address for a given domain name, said Kaminsky, director of penetration testing at IOActive.

"The only group that has actually avoided DNS because it's insecure are security technologies, and therefore those technologies aren't scaling."

Kaminsky began promoting DNSSEC last summer, following his discovery of a significant DNS flaw - known as the Kaminsky Bug - where cache poisoning attacks allow a hacker to redirect traffic from a legitimate website to a fake one without users realising it.

DNSSEC attempts to prevents spoofing attacks by allowing websites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.

Despite the fact that key operating system vendors - including Sun, Cisco and Microsoft - released patches to temporarily fix the flaw, Kaminsky said DNS security has not been widely adopted.

The US government, for example, missed its January deadline for rolling out DNSSEC on the .gov top-level domain, and is aiming to complete the task by the end of February and to patch all subdomains by December.

One roadblock to DNSSEC adoption is that it is not easy to implement, Kaminsky admits, and calls for coordination by many parties. DNSSEC requires domain name registrars, domain name registries, ISPs and users to upgrade their software.

Still, Kaminsky said DNSSEC offered the most feasible solution to a serious threat.

"We need to put out the immediate fire," he said. "We should stop arguing whether DNS should be used for security and [just] use it for security because it scales."

At the conference, Kaminsky stressed the importance of securing not only DNS servers on the Internet, but those behind firewalls as well. This is because web applications such as email and browsers can be manipulated to perform DNS lookups, and therefore are vulnerable to penetration.

"There should be no important servers that are vulnerable," he said.

"Recommended For You"

DNS flaw discoverer says more permanent fixes will be needed VeriSign to secure the Internet with DNSSEC