Security

Security Researcher Kaminsky Pushes DNS Patching

BobB-nw writes "Dan Kaminsky, who for years was ambivalent about securing DNS, has become an ardent supporter of DNS Security Extensions. Speaking at the Black Hat DC 2009 conference Thursday, the prominent security researcher told the audience that the lack of DNS security not only makes the Internet vulnerable, but is also crippling the scalability of important security technologies. 'DNS is pretty much our only way to scale systems across organizational boundaries, and because it is insecure it's infecting everything else that uses' DNS, the fundamental Internet protocol that provides an IP address for a given domain name, said Kaminsky, director of penetration testing at IOActive. 'The only group that has actually avoided DNS because it's insecure are security technologies, and therefore those technologies aren't scaling.'"

  • Re:One trick pony (Score:3, Interesting)

    by Xiroth ( 917768 ) on Thursday February 19, 2009 @08:34PM (#26923983)

    Meh, I dunno about that. He's clearly got a pretty brain for finding flaws, and he's obviously got experience in the area, so he's a perfectly good cracker resource. You can't see everything from the security side - Whites and Greys need to have their input heard too.

  • Re:One trick pony (Score:3, Interesting)

    by John Hasler ( 414242 ) on Thursday February 19, 2009 @08:36PM (#26923999) Homepage

    > I think I'll go with what Bruce Schneier and other security researchers suggest.

    Which is...

  • by Dallas Caley ( 1262692 ) * <dallascaley@gmail.com> on Thursday February 19, 2009 @08:57PM (#26924163) Homepage Journal

    OK, I am probably going to show my ignorance here, almost certainly, but it seems to me that this is a good thing, isn't it? Don't we want to have a secure DNS system? Or is it the case that securing the system will somehow limit our freedom or something like that?

    Yes, I know this is a very generic question, but I would like to know.

  • by Wowlapalooza ( 1339989 ) on Thursday February 19, 2009 @09:03PM (#26924193)

    Kaminsky supports patching existing nameservers (to increase query source-port entropy and thus make the so-called "Kaminsky" attack far less likely to succeed).

    He also supports DNSSEC as the long-term solution to the whole class of vulnerabilities.

    But these are not the same thing.

    Patching DNS servers is done to the nameserver programs, DNSSEC is done to the nameserver configurations and to the DNS data itself.

    The article, and Slashdot's summary of it, mixes up the two in an unfortunate salad. Very disappointing indeed.

  • by citizenr ( 871508 ) on Thursday February 19, 2009 @10:07PM (#26924587) Homepage
    "'The only group that has actually avoided DNS because it's insecure are security technologies, and therefore those technologies aren't scaling.'"

    Avoided? Then WHAT is this: www.ioactive.com ???
  • by afidel ( 530433 ) on Friday February 20, 2009 @01:03AM (#26925585)
    Oh, as we discovered after the patching for the Kaminsky bug, ANY DNS server is vulnerable if it sits behind a firewall that uses static or weakly randomized source ports. This means your DNS software might be perfectly designed, but if your firewall doesn't cooperate you're still vulnerable. I don't believe any home firewall does port randomization correctly, and more than a few high-end ones don't either.
  • by slash.duncan ( 1103465 ) on Friday February 20, 2009 @04:03AM (#26926335) Homepage

    I think most OpenWRT/DD-WRT, etc, firewalls do srcport randomization reasonably well, at least if they're based on a reasonably new 2.4 or 2.6 kernel. There's a lot of home firewalls running those sorts of user-upgraded firmware. And there's a reasonable number of folks running a Linux/Netfilter based firewall either on their normally used computers directly, or on a dedicated firewall computer (say an old 586), too. Plus all those that went with a *BSD based firewall instead.

    Sure, by absolute numbers, there's likely a lot more running shipped or upgraded manufacturer's image firmware, but that wasn't your claim. Your claim was "any" home firewall, which without further qualification means it just takes one counterexample to disprove the claim, and I'm sure there's at least dozens if not hundreds or thousands of examples among /.ers reading this article alone.

    But if you believe Netfilter based *WRT or standard Linux firewalls on relatively recent kernels aren't sufficiently random, by all means, please provide a link to a discussion thereof ASAP, as I and I'm sure many other /.ers need to make some changes in our configs...
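The thread above turns on one question: how many bits of source port does the resolver actually expose once the NAT or firewall in front of it has rewritten them? The script below is an added example, not code from the page, from Kaminsky, or from any port-test service. It takes the query source ports a port-test service (or a tcpdump on the WAN side of the firewall) would observe, rates them as static, sequential, narrow or random using thresholds that are my own rough heuristic, and turns that rating into the expected number of forged replies an attacker needs to hit both the 16-bit transaction ID and the port. The three port lists are constructed samples standing in for an unpatched resolver, a patched resolver behind a NAT that hands out ports in order (afidel's case), and a patched resolver whose NAT preserves ports.

```python
"""Rate the source-port entropy a resolver exposes and estimate attacker work.

Added example; constructed samples, not captured traffic. Ratings are a
heuristic approximation of the categories a DNS port-randomness test reports.
"""
import math
import random
from collections import Counter

# Constructed samples: query source ports seen from three resolvers, in the
# order the queries arrived at the test service.
STATIC_PORTS = [53] * 40                                   # unpatched: one fixed port
SEQUENTIAL_PORTS = list(range(1025, 1065))                  # patched, but NAT rewrites ports in order
RANDOM_PORTS = random.Random(1).sample(range(1024, 65536), 40)  # patched, NAT preserves ports

TXID_BITS = 16  # the DNS transaction ID the attacker must guess as well


def observed_entropy_bits(values):
    """Empirical Shannon entropy of a sample, in bits. With a few dozen samples
    this is capped at log2(len(values)), so treat it as a lower bound."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def rate_ports(ports):
    """Rough rating in the spirit of a DNS port-randomness test."""
    if len(set(ports)) == 1:
        return "STATIC"
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    # Mostly small positive steps: the NAT (or resolver) allocates ports in
    # order, so the attacker only has to guess a handful of candidates.
    small_steps = sum(1 for d in deltas if 0 < d <= 4)
    if small_steps >= 0.8 * len(deltas):
        return "SEQUENTIAL"
    if max(ports) - min(ports) < 1024:
        return "NARROW"
    return "RANDOM"


def effective_port_bits(ports, rating):
    """Bits of port the attacker really has to guess for the rating.
    STATIC: none. SEQUENTIAL: next port is within about four of the last one
    seen, so roughly 2 bits. Otherwise: the size of the range in use."""
    if rating == "STATIC":
        return 0.0
    if rating == "SEQUENTIAL":
        return 2.0
    return math.log2(max(ports) - min(ports) + 1)


def expected_spoofed_replies(port_bits):
    """Expected forged responses before one matches both the transaction ID
    and the source port (geometric trials, mean 1/p with p = 2^-(16+bits))."""
    return 2 ** (TXID_BITS + port_bits)


def report(ports):
    rating = rate_ports(ports)
    bits = effective_port_bits(ports, rating)
    return {
        "rating": rating,
        "observed_entropy_bits": round(observed_entropy_bits(ports), 2),
        "effective_port_bits": round(bits, 2),
        "expected_spoofed_replies": int(expected_spoofed_replies(bits)),
    }


if __name__ == "__main__":
    for name, ports in [("static", STATIC_PORTS),
                        ("sequential", SEQUENTIAL_PORTS),
                        ("random", RANDOM_PORTS)]:
        print(f"{name:<11}", report(ports))
```

Whether a given number is "safe" depends on how many forged replies the attacker can land before the genuine answer arrives: a fixed port leaves about 65,000 candidates, which is seconds of work on a LAN, while a full 16-bit port range multiplies that by tens of thousands. The rating is only as good as the capture point; sample the ports on the outside of the firewall, since that is what the authoritative server (and the attacker) sees.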

  • by Effugas ( 2378 ) * on Friday February 20, 2009 @11:49AM (#26930017) Homepage

    This is true historically. However, I (this is Dan Kaminsky) think it's a mistake now. DNSSEC needs to be pushed into the nameserver's automated functionality about as deeply as possible. Administrators simply cannot be asked to maintain this data, manually resigning zones, manually keeping keys from expiring. It doesn't scale.
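The operational failure Kaminsky is describing is concrete: a zone whose RRSIGs lapse because nobody re-signed it validates as bogus, and the RRSIG over the DNSKEY RRset is what actually ages out when a key rollover is forgotten. Below is an added example of the check an automated signer would run instead of a human, written for this page and not code from Kaminsky, IOActive, or any nameserver project. It parses RRSIG records in zone-file presentation format (RFC 4034 layout: type covered, algorithm, labels, original TTL, expiration, inception, key tag, signer, signature), classifies each against a chosen time, and says whether a re-sign is due. The zone text, the placeholder signatures, and the "now" of 2009-02-20 are all constructed for the demo.

```python
"""Flag expired or soon-to-expire RRSIGs in a zone file (added example)."""
import datetime as dt

# Constructed sample zone, not a real signed zone; the base64 signature and
# key fields are placeholders, only the timing fields matter here.
SAMPLE_ZONE = """\
example.test.     3600 IN SOA   ns1.example.test. hostmaster.example.test. 2009022001 7200 900 1209600 3600
example.test.     3600 IN RRSIG SOA 8 2 3600 20090305000000 20090205000000 12345 example.test. c2lnbmF0dXJl
example.test.     3600 IN DNSKEY 257 3 8 AwEAAcp1aceholder
example.test.     3600 IN RRSIG DNSKEY 8 2 3600 20090221120000 20090122120000 54321 example.test. c2lnbmF0dXJl
www.example.test. 3600 IN A     192.0.2.10
www.example.test. 3600 IN RRSIG A 8 3 3600 20090215000000 20090116000000 12345 example.test. c2lnbmF0dXJl
"""

# Assumed "current time" for the demo.
NOW = dt.datetime(2009, 2, 20, 0, 0, tzinfo=dt.timezone.utc)


def parse_rrsig_time(field):
    """RRSIG expiration and inception are YYYYMMDDHHMMSS in UTC."""
    return dt.datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=dt.timezone.utc)


def rrsig_status(zone_text, now=NOW, warn_days=7):
    """One dict per RRSIG in the zone with its validity status at `now`."""
    out = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop zone-file comments
        if not line:
            continue
        fields = line.split()
        if "RRSIG" not in fields:
            continue
        i = fields.index("RRSIG")
        # RDATA: type_covered algorithm labels original_ttl expiration
        #        inception key_tag signer signature
        covered, _alg, _labels, _ottl, expiration, inception, keytag, signer = fields[i + 1:i + 9]
        exp, inc = parse_rrsig_time(expiration), parse_rrsig_time(inception)
        if now >= exp:
            status = "EXPIRED"
        elif now < inc:
            status = "NOT_YET_VALID"   # clock skew, or a signature published too early
        elif exp - now <= dt.timedelta(days=warn_days):
            status = "EXPIRING"
        else:
            status = "OK"
        out.append({
            "owner": fields[0], "covered": covered, "keytag": int(keytag),
            "signer": signer, "expires": exp, "status": status,
            "days_left": (exp - now).total_seconds() / 86400,
        })
    return out


def needs_resign(zone_text, now=NOW, warn_days=7):
    """True if any RRSIG is expired, not yet valid, or inside the warning
    window: the condition an automated signer acts on, not a human."""
    return any(r["status"] != "OK" for r in rrsig_status(zone_text, now, warn_days))


if __name__ == "__main__":
    for r in rrsig_status(SAMPLE_ZONE):
        print(f"{r['status']:<14} {r['owner']:<18} RRSIG {r['covered']:<7} "
              f"keytag {r['keytag']} expires {r['expires']:%Y-%m-%d}")
    print("resign needed:", needs_resign(SAMPLE_ZONE))
```

Run this from cron against each signed zone and let a non-OK result trigger the signer; the warning window should be longer than the zone's propagation time plus the largest TTL, since validators keep cached RRSIGs until the TTL runs out.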
