Security Researcher Kaminsky Pushes DNS Patching
BobB-nw writes "Dan Kaminsky, who for years was ambivalent about securing DNS, has become an ardent supporter of DNS Security Extensions.
Speaking at the Black Hat DC 2009 conference Thursday, the prominent security researcher told the audience that the lack of DNS security not only makes the Internet vulnerable, but is also crippling the scalability of important security technologies. 'DNS is pretty much our only way to scale systems across organizational boundaries, and because it is insecure it's infecting everything else that uses' DNS, the fundamental Internet protocol that provides an IP address for a given domain name, said Kaminsky, director of penetration testing at IOActive. 'The only group that has actually avoided DNS because it's insecure are security technologies, and therefore those technologies aren't scaling.'"
Who is Dan Kaminsky (Score:5, Informative)
Re:Who is Dan Kaminsky (Score:5, Informative)
http://blogs.technet.com/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx
Re:One trick pony (Score:4, Informative)
Why think when you can actually check?
http://tinyurl.com/dg5h7z [tinyurl.com]
See link 1, click once. Read the last two paragraphs. To me that seems like a published position.
Click the "back" button. Read the next few links.
Enjoy.
I think you're wrong... (Score:3, Informative)
I think you're confusing Dan with Mark Russinovich
I think GP isn't. It may be true that Mark discovered the rootkit, but I distinctly remember watching one of Dan's talks (at shmoocon, I think) in which he talks about him scanning udp/53 of teh w0hle intarnets and figuring out that a lot of caches knew about a name more or less only connected to the sony rootkit before Dan came and asked for it.
Dan did some research. Not all of it, and not the first of it, but some of it.
Re:Bad Article, Bad Summary (Score:2, Informative)
I don't want to bore those who are just here to increase their karma but security of DNS means both security of DATA and security of the TRANSFER of said data. This includes AUTHENTICATION, ENCRYPTION, and secure endpoints to facilitate both without being compromised.
Re:The only group that has actually avoided DNS (Score:3, Informative)
Avoided? then WHAT is this: www.ioactive.com ???
It's a website, not a security technology.
If you want a security technology that uses DNS, ask for opportunistic IPSEC.
Re:DJB discovered the "Kaminsky bug" (Score:5, Informative)
djb thought potential exploits would appear without port randomization, but he didn't discover this particular flaw. Kaminsky did. As a car analogy, it's like saying putting chips in keys keeps cars from being stolen, but coming up with a non-obvious hack that always starts the car without a key is its own work. Even Schneier says so [schneier.com]:
Kaminsky's vulnerability is a perfect example of this. Years ago, cryptographer Daniel J. Bernstein looked at DNS security and decided that Source Port Randomization was a smart design choice. That's exactly the work-around being rolled out now following Kaminsky's discovery. Bernstein didn't discover Kaminsky's attack; instead, he saw a general class of attacks and realized that this enhancement could protect against them. Consequently, the DNS program he wrote in 2000, djbdns, doesn't need to be patched; it's already immune to Kaminsky's attack.
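The source port randomization discussed in the comment above can be verified from the defender's side by looking at the UDP source ports a resolver uses for its outgoing queries. The following is an added example, not part of the thread or of any project named in it; the function name, the thresholds and the sample port lists (all constructed) are assumptions.

```python
import math
import statistics

# Assumed thresholds for this example (not taken from any standard or tool).
MIN_SAMPLES = 8        # fewer observations say little about the port pool
SEQ_STEP = 16          # a forward step this small counts as "incrementing"
SEQ_FRACTION = 0.8     # share of small steps that marks a sequential allocator
MIN_PORT_BITS = 12.0   # below this the port pool is treated as too narrow
TXID_BITS = 16         # the DNS transaction ID field is 16 bits wide


def assess_source_ports(ports):
    """Grade the UDP source ports of a resolver's outgoing queries, listed in
    the order they arrived at an authoritative server the auditor controls.

    Returns (label, port_bits, total_bits). total_bits adds the 16-bit
    transaction ID, i.e. how many bits a forged reply would have to match."""
    if len(ports) < MIN_SAMPLES:
        raise ValueError("need at least %d observed queries" % MIN_SAMPLES)
    if len(set(ports)) == 1:
        return "fixed", 0.0, float(TXID_BITS)

    # Forward distance between consecutive ports, wrapping at 65536.
    steps = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    small = sum(1 for s in steps if 0 < s <= SEQ_STEP)
    if small / len(steps) >= SEQ_FRACTION:
        # Predictable next port: contributes no real uncertainty.
        return "sequential", 0.0, float(TXID_BITS)

    # A uniform pool of width W has standard deviation W / sqrt(12).
    width = min(65536.0, statistics.stdev(ports) * math.sqrt(12))
    port_bits = math.log2(max(width, 1.0))
    label = "randomized" if port_bits >= MIN_PORT_BITS else "narrow"
    return label, port_bits, TXID_BITS + port_bits


# Constructed sample observations, one list per resolver behaviour.
FIXED = [32768] * 12
SEQUENTIAL = list(range(1025, 1037))
NARROW = [1060, 1031, 1088, 1045, 1099, 1027, 1071, 1052, 1036, 1093, 1064, 1040]
RANDOMIZED = [51234, 1893, 40321, 27654, 60012, 9821,
              33470, 15002, 58111, 22345, 4410, 47800]

if __name__ == "__main__":
    for name, sample in [("fixed", FIXED), ("sequential", SEQUENTIAL),
                         ("narrow", NARROW), ("randomized", RANDOMIZED)]:
        label, port_bits, total = assess_source_ports(sample)
        print("%-10s -> %-10s port=%.1f bits, total=%.1f bits"
              % (name, label, port_bits, total))
```

With only a dozen samples the bit estimate is coarse; a real audit would collect far more queries before grading a resolver.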
Re:Bad Article, Bad Summary (Score:3, Informative)
AUTH=Make sure you get your data from the right sources.
Okay.
ENCR=make sure the data are correct.
Huh?
Encryption makes the information secure from snooping, which is pointless in the case of DNS as it is public information by definition.
Signing makes sure the data has not been tampered with. Which is more or less the same as authentication.
Sorry to disappoint you, but you can't "verify" DNS by "querying" if the original data are unprotected.
That is the general idea of how SSL and the CAs work, only with DNS we don't really care if other people know what you are looking for, we just care that we are getting the correct response from the correct server, which requires signing of the responses, which is authentication. That is, with DNS we only really need signing of the data for transfers and queries, not encryption.
Re:Who is Dan Kaminsky (Score:5, Informative)
No, Kaminsky used an interesting technique to map the spread of the Sony rootkit - http://www.securityfocus.com/news/11369 [securityfocus.com]
Saying "he also did research regarding the Sony rootkit" is entirely accurate.
Re:Job title (Score:2, Informative)
From memory, having read Pynchon's Gravity's Rainbow in the 1970s, and not since: