
DNS Inventor Tackles Flaw

Posted by ScuttleMonkey on Mon Nov 10, 2008 10:57 AM
from the always-evolving dept.
nk497 writes "Dr Paul Mockapetris is looking to fix the flaws in the Domain Name System he helped invent. 'It was never meant to be the only security mechanism for naming data on the internet, but was intended for additional security measures to be added to it later.' The flaws, first uncovered by security researcher Dan Kaminsky over the summer, lets attackers redirect genuine URLs to malicious ones — a problem Mockapetris believes could be solved using digital signatures."
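As an added illustration of the "digital signatures" Mockapetris is quoted proposing (this is example code written for this page, not code from the article, from Mockapetris, or from any DNS implementation), the Go program below shows what a signature on DNS data buys a resolver: a record enters the cache only if it verifies under the zone's trusted public key, so a forged answer is refused no matter how well it guesses the transaction ID or source port. Ed25519 stands in for the real DNSSEC algorithms and record formats, and the names and addresses are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Record is a simplified resource record; class, wire encoding and RRset
// grouping are left out so the signature idea stays visible.
type Record struct {
	Name string // owner name, e.g. "www.example.com."
	Type string // "A", "NS", ...
	TTL  uint32
	Data string // rdata in presentation form
}

// canonical serialises the record the way signer and verifier must both
// agree on; every field an attacker could alter is covered by the signature.
func canonical(r Record) []byte {
	return []byte(fmt.Sprintf("%s|%s|%d|%s", strings.ToLower(r.Name), r.Type, r.TTL, r.Data))
}

// SignedRecord is a record plus the zone key's signature over it.
type SignedRecord struct {
	Record
	Sig []byte
}

// Sign produces the signature a zone operator would publish with the record.
func Sign(priv ed25519.PrivateKey, r Record) SignedRecord {
	return SignedRecord{Record: r, Sig: ed25519.Sign(priv, canonical(r))}
}

// Resolver is a cache that admits only records verifying under a trusted key.
// Nothing about the transport is consulted: a reply that guesses the query ID
// and port correctly still carries no valid signature.
type Resolver struct {
	trusted ed25519.PublicKey
	cache   map[string]Record
}

func NewResolver(trusted ed25519.PublicKey) *Resolver {
	return &Resolver{trusted: trusted, cache: map[string]Record{}}
}

func cacheKey(name, typ string) string { return strings.ToLower(name) + "/" + typ }

// Accept verifies a record from a response and caches it on success.
func (rs *Resolver) Accept(sr SignedRecord) bool {
	if !ed25519.Verify(rs.trusted, canonical(sr.Record), sr.Sig) {
		return false
	}
	rs.cache[cacheKey(sr.Name, sr.Type)] = sr.Record
	return true
}

// Lookup returns the cached data for name/type, if any.
func (rs *Resolver) Lookup(name, typ string) (string, bool) {
	r, ok := rs.cache[cacheKey(name, typ)]
	return r.Data, ok
}

// Outcome summarises the demo so it can be checked programmatically.
type Outcome struct {
	LegitAccepted, UnsignedAccepted, WrongKeyAccepted, TamperedAccepted bool
	Answer                                                            string
}

// Demo runs the scenario: the zone signs an A record, then three forged
// variants of it are offered to the resolver and all must be refused.
func Demo() Outcome {
	zonePub, zonePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	rs := NewResolver(zonePub) // trust anchor: the zone's public key

	// Constructed sample data using RFC 5737 documentation addresses.
	legit := Record{"www.example.com.", "A", 300, "192.0.2.10"}
	forged := Record{"www.example.com.", "A", 300, "198.51.100.66"}

	var o Outcome
	o.LegitAccepted = rs.Accept(Sign(zonePriv, legit))
	// 1. forged record with no signature at all
	o.UnsignedAccepted = rs.Accept(SignedRecord{Record: forged})
	// 2. forged record signed with a key the resolver does not trust
	o.WrongKeyAccepted = rs.Accept(Sign(attackerPriv, forged))
	// 3. a genuine signature re-used over altered data
	tampered := Sign(zonePriv, legit)
	tampered.Data = forged.Data
	o.TamperedAccepted = rs.Accept(tampered)
	o.Answer, _ = rs.Lookup("www.example.com.", "A")
	return o
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The point of the third case is that the signature binds name, type, TTL and data together: re-attaching a real signature to different data fails exactly like an unsigned record, which is why the signed unit must cover every field a resolver acts on.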

Related Stories

Kaminsky's DNS Attack Disclosed, Then Pulled (281 comments)
An anonymous reader writes "Reverse engineering expert Halvar Flake has recently mused on Dan Kaminsky's DNS vulnerability. Apparently his musings were close enough to the mark to cause one of the Matasano team, who apparently already knew of the attack, to publish the details on the Matasano blog in a post entitled 'Reliable DNS Forgery in 2008.' The blog post has since been pulled, but evidence of it exists on Google and elsewhere. It appears only a matter of time now before the full details leak." Reader Time out contributes a link to coverage on ZDNet as well.
Kaminsky DNS Bug Claimed Fixed By 1-Character Patch (120 comments)
An anonymous reader writes "According to a thread on the bind-users mailing list, there is nothing inherent in the DNS protocol that would cause the massive vulnerability discussed at length here and elsewhere. As it turns out, it appears to be a simple off-by-one error in BIND, which favors new NS records over cached ones (even if the cached TTL is not yet expired). The patch changes this in favor of still-valid cached records, removing the attacker's ability to successfully poison the cache outside the small window of opportunity afforded by an expiring TTL, which is the way things used to be before the Kaminsky debacle. Source port randomization is nice, but removing the root cause of the attack's effectiveness is better."
Update: 08/29 20:11 GMT by KD : Dan Kaminsky sent this note: "What Gabriel suggests is interesting and was considered, but a) doesn't work and b) creates fatal reliability issues. I've responded in a post here."
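As an added illustration of the cache-update rule the summary above describes (a toy model written for this page, not BIND's code or the patch in question), the Go program below contrasts the two policies with a simulated clock: overwrite a cached record whenever a response carries the same name and type, or keep an unexpired cached record unless the new one comes from a more credible source. It models only that replacement rule; Kaminsky's reply in the update above disputes that changing it closes the attack, and nothing here bears on that question. The record names are constructed sample data.

```go
package main

import "fmt"

// Credibility ranks where cached data came from, in the spirit of the
// trustworthiness ranking in RFC 2181 section 5.4.1: answer-section data
// outranks authority-section data, which outranks additional-section glue.
type Credibility int

const (
	CredAdditional Credibility = iota + 1
	CredAuthority
	CredAnswer
)

// Policy selects how the cache treats a record for a (name, type) it already holds.
type Policy int

const (
	// PreferNew overwrites the cached record whenever a response carries one,
	// regardless of remaining TTL (the behaviour the comment attributes to BIND).
	PreferNew Policy = iota
	// PreferCached keeps an unexpired cached record unless the new one comes
	// from a more credible section (the behaviour the patch is said to restore).
	PreferCached
)

type entry struct {
	data    string
	expires int // simulated clock value at which the TTL runs out
	cred    Credibility
}

type Cache struct {
	policy Policy
	now    int
	store  map[string]entry
}

func NewCache(p Policy) *Cache { return &Cache{policy: p, store: map[string]entry{}} }

// Advance moves the simulated clock forward by n seconds.
func (c *Cache) Advance(n int) { c.now += n }

// Update offers one record seen in a response and reports whether the cache changed.
func (c *Cache) Update(key, data string, ttl int, cred Credibility) bool {
	old, ok := c.store[key]
	if ok && old.expires > c.now && c.policy == PreferCached && cred <= old.cred {
		return false // still valid and not from a better source: keep what we have
	}
	c.store[key] = entry{data: data, expires: c.now + ttl, cred: cred}
	return true
}

// Get returns the cached data if present and unexpired.
func (c *Cache) Get(key string) (string, bool) {
	e, ok := c.store[key]
	if !ok || e.expires <= c.now {
		return "", false
	}
	return e.data, true
}

// Scenario: the resolver holds a delegation (example.com. NS) learned from an
// authority section with an hour to live. 100 seconds later a response's
// authority section carries a different NS record for the same name. It
// returns the delegation seen right after that response and the delegation
// seen once the original TTL has run out and a fresh genuine record arrives.
func Scenario(p Policy) (afterResponse string, afterExpiry string) {
	const key = "example.com./NS"
	c := NewCache(p)
	c.Update(key, "ns1.example.com.", 3600, CredAuthority)

	c.Advance(100)
	c.Update(key, "ns.injected.invalid.", 3600, CredAuthority)
	afterResponse, _ = c.Get(key)

	c.Advance(3600) // past the original TTL: both policies accept a fresh record now
	c.Update(key, "ns1.example.com.", 3600, CredAuthority)
	afterExpiry, _ = c.Get(key)
	return
}

func main() {
	for _, p := range []Policy{PreferNew, PreferCached} {
		a, b := Scenario(p)
		fmt.Printf("policy %d: after response=%s, after expiry=%s\n", p, a, b)
	}
}
```

The second return value shows the flip side the summary mentions: once the cached TTL has expired, either policy accepts whatever record arrives next, which is the "window of opportunity afforded by an expiring TTL".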
  • Hmm... (Score:4, Insightful)

    by tripdizzle (1386273) <<moc.liamg> <ta> <nontossrlaoc>> on Monday November 10 2008, @10:59AM (#25705099)

    but was intended for additional security measures to be added to it later

    Ok, so this approach where you release something half-way done and fix it later is much older than I thought.

    • Perhaps they could have enforced 32-bit public key encryption?
    • Re:Hmm... (Score:5, Insightful)

      by gnick (1211984) on Monday November 10 2008, @11:24AM (#25705577) Homepage

      but was intended for additional security measures to be added to it later

      Ok, so this approach where you release something half-way done and fix it later is much older than I thought.

      Well, yeah. Here's the first instance I know of:

      Carl: Hey, I just figured out that by attaching a piece of slate and some handles to this thing I call the "wheel", I can haul around deer carcasses much more easily than my previous method of throwing them over my shoulder and crawling. I call this new contraption the "wheelbarrow".

      Lenny: That's great! I think that I'll use it to haul home my fiancée after I propose by clubbing her over the head. When I'm moving people around with it, I'll call it a "car". Of course, if anyone wanted to use the "car" for frequent trips or moving multiple people around, they'd have to make significant improvements.

      Homer: Your car sucks. Why in the hell did you design it like this? This thing looks like it was made to haul around deer carcasses, not people! This is obviously an incomplete solution - Why did you show it to us without perfecting it first!?! You're an idiot.

      Preemptive retort to silly overly-critical responses: I agree, it is a deeply flawed analogy. Its primary intent was humor while only lightly relating to the incomplete implementation of the DNS system.

      Cheers.

  • by dkf (304284) <donal.k.fellows@manchester.ac.uk> on Monday November 10 2008, @11:00AM (#25705115) Homepage

    ... but it seems that a DNS attack redirected it to a fluff piece without any useful content.

  • Really, the only way to get ISPs to offer secure DNS protocols is to require it by law. Otherwise, it's just their nature not to do, to be lazy and ignore it, as they do with IPv6. So mandate it by law I say.

    • You always have the option to boycott that ISP, but if you live somewhere like I do, you only have one broadband option.
      • by howdoesth (1132949) on Monday November 10 2008, @11:08AM (#25705253)

        You always have the option to boycott that ISP, but if you live somewhere like I do, you only have one broadband option.

        I see you're using the sense of "always" that means "occasionally" or even "very rarely."

        • by tripdizzle (1386273) <<moc.liamg> <ta> <nontossrlaoc>> on Monday November 10 2008, @11:11AM (#25705315)
          Not really, you do not need the internet to survive, it's a luxury.
          • I don't need it to survive as such, but internet access is pretty much a job requirement when working in my field, so I need it to buy food. :D.

            • Boycott is still an option, just a very inconvenient one due to your life choices. If your ISP options were bad enough, you could change careers or move. Those are major adjustments to (I assume) minor grievances, so I suspect that you'll do neither. There are only a few things that can't be boycotted if the situation is dire enough.

              Don't like your ISP options? Sign off the Internet when at home or move.
              Think music costs too much? Stick to free music services or limit yourself to your current collectio

              • but a boycott is a group tactic, not a personal tactic. boycotting is basically a form of economic coercion, but economics being a social science requires that you take group behaviors into account. so if it's too impractical to boycott a particular business, then it's basically impossible to boycott them since not enough people will engage in the boycott to really make it work.

                broadband internet access is essentially a service with inelastic demand. to make things worse, communications networks (telecoms/c

          • Just like central heating, electricity, piped water supplies, and your car.

          • I telecommute, you insensitive clod!
              • Re:Law is only way (Score:5, Insightful)

                by zacronos (937891) on Monday November 10 2008, @02:19PM (#25709061)

                So if your internet at home went down, would you wither up and die?? Or just a little inside?

                No, but considering the fact that I live over 1,500 miles from the office where I work, it is not merely a luxury that I telecommute. If I can't have broadband Internet, I'll need to quit my job and find another, convince my wife to quit her job and sell our house during the housing market slump so we can move (either somewhere I *can* have broadband Internet, or somewhere within driving distance of my company's office), or leave my wife behind so I can move. I can't simply boycott the only broadband ISP in my area on a whim, as you suggest -- it is a much, much bigger issue for me.

                You're creating the false dichotomy that everything which is not necessary to survive is a luxury. I agree that I do not strictly need broadband Internet to survive, but disagree that the Internet is a luxury, for me at least. Perhaps you would have no problem boycotting utility companies if you felt they were doing something irresponsible, since after all electricity, water, natural gas, etc are not necessary for survival (and in fact many people in the world do not have these things), but most people in the US would argue that they are more than luxuries. Maybe you are lucky enough to have well or cistern water, and live in a climate where winter heating isn't necessary for survival, or perhaps you have a wood-burning stove/fireplace that could heat your house if you don't have electricity or natural gas -- but that doesn't mean that they are luxuries for everyone, irrespective of the circumstances of that person's life.

                Those are more extreme examples, but the fact is that my life is currently based around having broadband at home, and although I could do without it (just as I could do without electricity, natural gas, and city water), I would need to make very large changes to my life to do so.

                • So if your internet at home went down, would you wither up and die?? Or just a little inside?

                  No, but considering the fact that I live over 1,500 miles from the office where I work, it is not merely a luxury that I telecommute. If I can't have broadband Internet, I'll need to quit my job and...

                  It's interesting to note throughout the advance of civilisation the passage of things from the category of luxuries to the category of necessities. This is not an attitudinal shift, but a real one. To entertain further, the idea of "getting back to basics" such as hunting your own food (a good idea in certain rural areas, not so good in Chicago) turns out to be more of a luxury than a necessity, in an inversion of the trend. It's often seen that people confuse the two categories (these people are often i

                  • I didn't read everything you bothered to type, but you could always find another job.

                    Yes, I said that myself at the beginning of the second sentence of my comment. (Perhaps you should actually read what I typed before assuming you know what point I'm trying to make.) Do you really think it should be worthwhile for me to quit my job just because there are no broadband ISPs that offer secure DNS where I live?

      • That's why we also need competition in internet access services. And I don't mean just a 2nd provider. We need enough providers to be sure at least one will be innovative in a technology way (not just innovative in a marketing way). We need enough providers to be sure at least one will do things right. I believe that means we need at least 6 such providers. Unfortunately, that is not a practical number of infrastructure overbuilds. So we need some kind of shared, neutral, "last mile" facility that all

    • Re: (Score:2, Informative)

      That's right - let the Governments of the world fix the internet by legislation; after all, we all know how well the government understands the tubes of the intarweb. Perhaps Al Gore could be tapped to spearhead this incredibly important piece of legislation.
      • Re:Law is only way (Score:5, Insightful)

        by Cerberus7 (66071) on Monday November 10 2008, @11:29AM (#25705669)

        True enough, but the Almighty Invisible Hand of the Free Market isn't taking care of this, either.

        • Free markets work well as long as there is a free market. Since no ISPs are fixing this, or IPv6, and most customers wouldn't understand the problem, there is no demand and hence no market, let alone a free one.

          This does not mean that legislation is the right answer; the government may mandate a poor solution. Unfortunately it will only be when this becomes a high-profile security risk that demand will rise.

        • Re: (Score:3, Informative)

          The free market can not exist in environments where the government gives special monopolies to a few companies. The only real competition in this market is for these companies to protect their monopolies.

          John D. Rockefeller said, "Competition is a sin."

          A great muckraking book on this topic is Confessions of a Monopolist, written in 1903.

          This kind of thing has been going on ever since the Supreme Court brazenly declared that a corporation has the same rights as a natural person.

        • Was the flaw not swiftly patched in a few days after its discovery in most ISPs worldwide? No law could have achieved that, but the idea that some ISPs could get attacked by not acting while others would be immune to it is a tremendous incentive to act in a free market.
        • There's not enough value in implementing DNSSEC. That is, of course, why you're proposing a law. Laws are needed to get people to do things that are irrational.

    • Look at the history of DNSsec; the specs have been done and redone several times over, there is no consensus, and it looks like it would be a bitch to admin.

      • by Ed Avis (5917) <ed@membled.com> on Monday November 10 2008, @11:41AM (#25705885) Homepage

        Can someone explain what is the point of DNSsec? An https website already has its own certificate which authenticates you are talking with the right person, and https is designed to be secure without trusting DNS. If DNSsec had been widely implemented twenty years ago then secure protocols might have evolved in a different direction, but given where we are now, what problem does DNSsec solve?

        Similarly if you use ssh then the server authenticates to you with its own keypair. You don't need to trust that DNS gives the right answer.

        Is DNSsec just to stop denial of service attacks on the DNS infrastructure and trivial hijacking of insecure protocols like telnet and http?

        • by Charlotte (16886) on Monday November 10 2008, @12:22PM (#25706733)

          Can someone explain what is the point of DNSsec? An https website already has its own certificate

          DNS is a naming service, but it was never designed to be a trustworthy naming service. If it was, then DNS spoofing would have been impossible. Another reason why, currently, SSL certificates are needed is IP address spoofing. But if your certificate is embedded in a DNS entry then there is no reason for anyone to need a third-party-signed certificate at all. All you really need is a single source of trust. Right now we have 2: the root nameservers and the root SSL certificate authorities.

          So if we fix DNS then we can skip SSL root CAs entirely and just go with DNS. But SSL certs are a lucrative business, which is why Verisign et al. don't want DNS to be fixed. It would be the end of their best cash cow. But fixing it is necessary for the internet to become a truly trustworthy place of business.

          The article, BTW, strikes me as odd. Isn't it Paul Vixie who has been campaigning for DNSSEC for ages now? He isn't even mentioned.
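Charlotte's idea of embedding the certificate in a signed DNS record was later standardised as DANE (RFC 6698, the TLSA record type), so the example goes one step past the comment. The Go program below is an added example written for this page, not code from the thread or from any DNS or TLS implementation: it builds a TLSA record in presentation form for a certificate, parses it back, and checks a certificate presented at connection time against it, failing closed on field values it does not understand. It assumes the record has already been fetched with its DNSSEC signature validated, which is the step that replaces the third-party CA; the certificate is a throwaway self-signed one generated in the program so it runs offline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strconv"
	"strings"
	"time"
)

// TLSA holds the four fields of an RFC 6698 record.
type TLSA struct {
	Usage    uint8 // 3 = DANE-EE: the record pins the end-entity certificate itself
	Selector uint8 // 0 = full certificate, 1 = SubjectPublicKeyInfo only
	Matching uint8 // 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
	Data     []byte
}

// ParseTLSA reads the presentation form, e.g. "3 1 1 <hex digest>".
func ParseTLSA(s string) (TLSA, error) {
	f := strings.Fields(s)
	if len(f) != 4 {
		return TLSA{}, fmt.Errorf("TLSA: want 4 fields, got %d", len(f))
	}
	var n [3]uint8
	for i := 0; i < 3; i++ {
		v, err := strconv.ParseUint(f[i], 10, 8)
		if err != nil {
			return TLSA{}, fmt.Errorf("TLSA field %d: %w", i+1, err)
		}
		n[i] = uint8(v)
	}
	data, err := hex.DecodeString(f[3])
	if err != nil {
		return TLSA{}, fmt.Errorf("TLSA data: %w", err)
	}
	return TLSA{Usage: n[0], Selector: n[1], Matching: n[2], Data: data}, nil
}

// associationData derives, from a certificate, the bytes a record with the
// given selector and matching type must carry.
func associationData(cert *x509.Certificate, selector, matching uint8) ([]byte, error) {
	var subject []byte
	switch selector {
	case 0:
		subject = cert.Raw
	case 1:
		subject = cert.RawSubjectPublicKeyInfo
	default:
		return nil, fmt.Errorf("unsupported selector %d", selector)
	}
	switch matching {
	case 0:
		return subject, nil
	case 1:
		h := sha256.Sum256(subject)
		return h[:], nil
	case 2:
		h := sha512.Sum512(subject)
		return h[:], nil
	default:
		return nil, fmt.Errorf("unsupported matching type %d", matching)
	}
}

// RecordFor is what the zone operator publishes for its certificate.
func RecordFor(cert *x509.Certificate, usage, selector, matching uint8) (string, error) {
	d, err := associationData(cert, selector, matching)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%d %d %d %s", usage, selector, matching, hex.EncodeToString(d)), nil
}

// Matches is the client-side check: does the certificate the server presented
// agree with the (already DNSSEC-validated) record? Unknown values fail closed.
func (r TLSA) Matches(cert *x509.Certificate) bool {
	want, err := associationData(cert, r.Selector, r.Matching)
	return err == nil && bytes.Equal(want, r.Data)
}

// selfSignedCert makes a throwaway certificate so the example runs offline;
// in practice cert is the leaf presented in the TLS handshake.
func selfSignedCert(cn string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	genuine := selfSignedCert("www.example.com")
	rec, _ := RecordFor(genuine, 3, 1, 1)
	fmt.Println("_443._tcp.www.example.com. TLSA", rec)
	r, _ := ParseTLSA(rec)
	fmt.Println("genuine:", r.Matches(genuine), "other:", r.Matches(selfSignedCert("www.example.com")))
}
```

With usage 3 the record alone decides trust, which is the "single source of trust" the comment describes; the record's own integrity then rests entirely on the DNS signature chain, so an unsigned or unvalidated TLSA lookup must not be used for this check.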

          • How does DNSSEC protect against SSL MitM attacks? Would there be secure DNS records for SSL keys/signatures? Doesn't DNSSEC itself need a CA? Anyway, there will be plenty of SSL CA business for many years during the gradual transition to DNSSEC.
          • It's a weird article. I'm not exactly certain what information was actually conveyed or what Paul Mockapetris was actually saying and I know Paul. (scratches head).

            People need to adopt DNSSEC. Yeah ok, whatever. A few people think this is giving too much power to verisign (again) and Dan Bernstein has other ideas and isn't fond of DNSSEC.

            http://cr.yp.to/djbdns/forgery.html [cr.yp.to]

            "All you really need is a single source of trust. Right now we have 2: the root nameservers and the root SSL certificate authorities."

            Wel

        • DNSSec protects against a kind of attack that doesn't exist and never happens, by making attacks that do happen (like denial-of-service) easier to mount.

          DNSCurve, a younger, competing protocol, protects against most of the attacks DNSSec is designed to, and even protects against some denial-of-service attacks.

          However, the other part of your question, about is SSL sufficient, the answer is no [mozilla.org]. It demonstrates nicely why a security extension needs to be one we can roll out quickly so that we can start blocki

        • DNSSEC is not an https replacement, nor a replacement for ssl keys. Many services that require DNS resolution (and that the resolution be good,) do not happen over https or ssh (it often comes as a surprise to some people that the internet is not the web, but ping or smtp are two prominent examples that often use DNS; calling http trivial doesn't actually make it so, and http is vulnerable still.) That https/ssl can secure the communication between you and a webserver is not of much use if the cert has been
      • Re: (Score:2, Insightful)

        http://dnscurve.org/index.html [dnscurve.org]

        DJB's take on it, although it's gone quiet...

    • As an ISP, I'd happily implement a secure DNS protocol if there were one - right now the closest thing is DNSCurve [dnscurve.org], but it seems that the asshats that created the problem- are prone to continue promoting a "solution" that requires more powerful hardware, puts servers and clients at a greater risk for denial-of-service attacks, and frankly doesn't work.

      DNSCurve seems very attractive, but would require cooperation from the root servers- some of which have a vested interest in promoting the unworkable and bro

      • Re: (Score:3, Funny)

        "Take the American government"

        Fixed it for you

        Take the American government please.

  • Mockapetris (Score:5, Interesting)

    by Detritus (11846) on Monday November 10 2008, @11:10AM (#25705281) Homepage
    Mockapetris wrote a nice book on the ideas behind the domain naming system, which is sadly long out of print. One statement that he made has always stuck in my mind, "names are not routes are not addresses". Keeping those things distinct and well-defined avoids many problems.
  • Maybe we can ledit it too.
  • DNSsec, obviously, is the solution. The problem is the same problem with IPv6: The old way of doing things is so entrenched that it's very hard to make the transition. The other problem is that we're still trying to figure out how to do it correctly; the last time I looked over the specs, DNSsec allowed you to have it so the signing machine didn't have to be online, made it difficult to forge NXDOMAINs ("This host does not exist" DNS messages), but made it trivial to list all of the hosts in a given doma
    • Re: (Score:3, Informative)

      It's not a question of DJB being too lazy to implement BIND zonefiles. It's more a question that BIND zonefiles must die because they're astoundingly difficult to parse, and even if they weren't, they're prone to user edit failures. Ever forgotten a dot at the end of a name? I haven't -- not since switching to djbdns.
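As an added example of the trailing-dot trap this comment describes (written for this page; not code from the thread, from BIND or from djbdns), the Go lint below expands owner names and name-valued rdata the way a zone loader does, honouring `$ORIGIN`, `@`, omitted owners and the optional TTL and class fields, and flags any relative name that already ends in the origin, which is almost always an absolute name whose dot was forgotten and which the loader would silently turn into `host.example.com.example.com.`. The zone snippet is constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one lint result: the zone-file line, the name as written, and
// the owner name a zone loader would actually produce from it.
type Finding struct {
	Line     int
	Written  string
	Expanded string
}

// expand applies the zone-file rule: a trailing dot means absolute, "@" means
// the origin, anything else gets the origin appended.
func expand(name, origin string) string {
	switch {
	case name == "@":
		return origin
	case strings.HasSuffix(name, "."):
		return name
	default:
		return name + "." + origin
	}
}

// nameRdata lists record types whose last rdata field is a domain name and is
// therefore subject to the same expansion as an owner name.
var nameRdata = map[string]bool{"NS": true, "CNAME": true, "MX": true, "PTR": true}

func isDigits(s string) bool {
	if s == "" {
		return false
	}
	for _, r := range s {
		if r < '0' || r > '9' {
			return false
		}
	}
	return true
}

// LintZone flags relative names that already end in the current origin.
func LintZone(zone, defaultOrigin string) []Finding {
	origin := defaultOrigin
	if !strings.HasSuffix(origin, ".") {
		origin += "."
	}
	var out []Finding
	for i, raw := range strings.Split(zone, "\n") {
		line := raw
		if j := strings.Index(line, ";"); j >= 0 {
			line = line[:j] // strip comment
		}
		if strings.TrimSpace(line) == "" {
			continue
		}
		f := strings.Fields(line)
		if f[0] == "$ORIGIN" && len(f) > 1 {
			origin = f[1]
			if !strings.HasSuffix(origin, ".") {
				origin += "."
			}
			continue
		}
		if strings.HasPrefix(f[0], "$") {
			continue // $TTL and other directives carry no names
		}
		check := func(name string) {
			if name == "@" || strings.HasSuffix(name, ".") {
				return
			}
			bare := strings.TrimSuffix(origin, ".")
			if name == bare || strings.HasSuffix(name, "."+bare) {
				out = append(out, Finding{Line: i + 1, Written: name, Expanded: expand(name, origin)})
			}
		}
		// An owner name is present only when the line does not start with
		// whitespace; otherwise the previous owner is reused and needs no re-check.
		if line[0] != ' ' && line[0] != '\t' {
			check(f[0])
			f = f[1:]
		}
		j := 0 // skip the optional TTL and class to reach the type
		for j < len(f) && (isDigits(f[j]) || strings.EqualFold(f[j], "IN")) {
			j++
		}
		if j >= len(f) {
			continue
		}
		typ := strings.ToUpper(f[j])
		rdata := f[j+1:]
		if nameRdata[typ] && len(rdata) > 0 {
			check(rdata[len(rdata)-1])
		}
	}
	return out
}

// SampleZone is constructed for this example; two rdata targets and one owner
// are missing their trailing dot.
const SampleZone = `$ORIGIN example.com.
$TTL 3600
@        IN SOA   ns1 hostmaster 1 7200 3600 1209600 3600
         IN NS    ns1.example.com     ; forgotten dot
         IN NS    ns2
ns1      IN A     192.0.2.1
ns2      IN A     192.0.2.2
www      IN CNAME web.example.com.    ; correct
mail     IN MX 10 mail.example.com    ; forgotten dot
www.example.com IN A 192.0.2.3        ; forgotten dot on the owner`

func main() {
	for _, f := range LintZone(SampleZone, "example.com.") {
		fmt.Printf("line %d: %q will load as %q\n", f.Line, f.Written, f.Expanded)
	}
}
```

The check is a heuristic rather than a syntax rule: a name such as `ns1.example.com` without a dot is perfectly legal zone-file syntax, which is exactly why the loader accepts it without complaint and the mistake only shows up as a resolution failure later.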

      • What he said. I mean really. If anybody still thinks BIND zonefiles are a good idea they should bloody well be forced to write a program that parses them and good luck.

        (Oh, btw, hi russ)

        I realize there's an obligate duty for a car analogy here, but, so sorry. *

        You'll have to settle for instruction sets. BIND files are now commonly bigger than most old programs, so what you have to write to get what you want to happen is important. BIND is like an old clunky assembler with bizarre and arcane properties. IBM

  • I [tubgirl.com]hope someone [nimp.org] takes steps to deal with this [meatspin.com]. Imagine if [lemonparty.org] every link someone posted had to be regarded [flurl.com] with suspicion. It would be the end of the internet [encycloped...matica.com]
  • by damn_registrars (1103043) on Monday November 10 2008, @12:10PM (#25706503) Journal
    ICANN is going to start selling new gTLDs that will turn the current DNS system into arbitrary mish-mash anyways. Just wait until we start seeing links to .cheapdrugs domains, and we try to find the DNS info for that.

    Then we'll find ourselves longing for the current DNS problem.
    • by Hal_Porter (817932) on Monday November 10 2008, @11:24AM (#25705585)

      Not really. Back when DNS was invented (1982) pretty much everything connected to the Internet was essentially a trusted machine. Arguably that was almost true until the Morris worm in 1988. Of course you could never truly trust them, but the idea was that if someone did something silly other people would phone them and then they would stop. Essentially it was an anarchy populated by non malicious people.