to something called DNS poison [google.com]. Why? Because system administrators are anal and fail to realize that software like BIND is not written to be secure. Hell, DNS was not even designed for such a large internet. The original DNS implementors were bad programmers and designers.
BIND9... don't get your hopes up. The BIND company sells patches for their software. Meaning that if you don't pay them money then you're going to be running an erroneous DNS server.
Still, most people use BIND for two reasons: no one wants
The $500 security guarantee is utterly irrelevant. (Btw: Who gets to judge what is a security problem? That's right, DJB himself. If that doesn't tell you something, then you're not the sharpest tool in the shed).
The $500 corresponds to less than 50 hours at $10 an hour (being extremely generous with the hourly wages here, in favour of the "guarantee"). Do you think anyone can audit the djbdns source code -- even ignoring the fact that it's largely uncommented and messy (#define, what's that?) -- in 50 hours? No, I didn't think so.
BIND is open source, but that doesn't make it safe and secure. It's probably more insecure just because of that.
BIND may be Open Source (note capitalization) while djbdns isn't. That doesn't mean you can't get source for djbdns. In fact it's probably easier to get source than binaries for djbdns because of the unbelievably stupid djbdns license.
So they are both equally "insecure" from that perspective.
> The $500 security guarantee is utterly irrelevant.
I not only have seen script kiddies trading private exploits for sums at least an order of magnitude greater than that, but they were selling it to multiple buyers. I am talking about script kiddies, not professionals, mind you. Even $100,000 would be laughable. $1,000,000 might start looking interesting for people not willing to make any serious usage (industrial espionage, etc.) of their exploits. But $500? Please don't mind if I die laughing. See
$100,000 is probably more money than djb makes in a year. If he offered to sacrifice a year's salary to someone who found a security flaw in software he wrote in his spare time and gives away for free, I would hardly call that laughable.
Daniel Bernstein's salary is completely irrelevant. $500 is not any less miserable (or laughable, for that matter) if it is given by someone who is poor.
Note also that Schneier's essay is pretty much irrelevant to this situation.
>Until a true open source alternative to BIND appears, we're stuck with it.
By "true alternative" do you mean it has to be GPLable?
Get real. djbdns' source is 100% available for you to look at and patch to your heart's content. If you find an error, send a fix to DJB and he'll add it after review. He'll even give you $500 [cr.yp.to] as a reward for your hard work. Find me a GPL program that makes an offer like that.
Now, if he doesn't like your patch, you can post the patch on the internet. You can even put it alongside the source. You can even make an autopatch program that will patch djbdns during make so that dumb users can handle the process
For the disbelievers, here's [cr.yp.to] the source code.
Here's [cr.yp.to] Bernstein's statement about the freedom of his software. Feel free to print it out and sign it if you're insane on the idea he can revoke your license.
That's what people call "shared source". Open Source requires that you can distribute modifications of the source. Bernstein doesn't allow that, so consequently djbdns is not Open Source. This may or may not make it less valuable to you, but don't lie about the facts to lure others into misevaluating the situation.
Thanks for posting that so I wouldn't have to :) It's sad to see that many people seem to think availability of source code equals Open Source, when the term is clearly defined by the Open Source Initiative. If we tolerate this, Microsoft will have an easy time convincing people that Open Source doesn't matter since they have "Shared Source" already. You have the source, right?
"Now, if he doesn't like your patch, you can post the patch on the internet. You can even put it alongside the source. You can even make an autopatch program that will patch djbdns during make so that dumb users can handle the process"
Can you make binaries of your new program and distribute them? If not, I can't see how you call this open-source. It cuts off all of the distributors from carrying patched versions that work with their own distribution, instead of whatever way that djb wants.
>Can you make binaries of your new program and distribute them? If not, I can't see how you call this open-source.
Let's dissect what you just said and turn it into English words.
Can you make a car out of it? If not, I can't see how it's an airplane.
A binary is not source, unless the software was built using machine language. This project wasn't. Therefore, the entire idea of suggesting that limiting the distribution of binaries somehow impacts the freeness of the source is a red herring and makes z
"You would be correct in saying this project is closed-binary. The difference is huge."
Open-source typically means the ability to redistribute modified binaries. Even if it doesn't (which, if you read the open-source definition, it does), the usefulness which most people attribute to open-source is lost. If you can't recombine modified binaries into a distribution of software, how "open" is it?
The open-source definition says that the software must be (a) redistributable in both source and binary forms,
The $500 guarantee is worthless. How many hours do you think it takes to audit the djbdns source code? Anything more than 50, and you'd only need to make $10 an hour at your current job to make it a very unprofitable way to spend your time.
(Also: Who judges the "entrants" for the $500 prize? That's right, DJB does, and there are no formal rules as to exactly what qualifies as a security bug).
No, it is worth something. If his software wasn't secure, offering the guarantee would have been an extremely arrogant move. Guess what? DJB is extremely arrogant (as many clever people tend to be).
DJB is arguably enough of an asshole that I suspect that there are numerous people who would go out of their way to find security holes in his guaranteed software, just to spite him.
You failed to answer my point about who gets to judge the "entrants" and the rules of the contest.
It's irrelevant to my contradiction of your statement, "The $500 guarantee is worthless."
Look, it's a simple matter of economics: Auditing code is mostly tedious and there are sufficiently many ways of earning much more money (and with a guaranteed payoff!) auditing code that no amount of spite is worth it.
One matter of economics you're not considering is that value and worth are not equivalent to monetary
Incorrect, it is open source. It isn't GPL. There's a big difference.
Yes, but the trolls [trollse.cx] have redubbed anything to which you can read the code "Open Source." It confuses the argument, but it makes PHBs feel better about using software not developed by a money-grubbing company (the kind they were taught to like while they were earning their MBAs).
DJB's software is Open Source. It is free-as-in-beer, not free-as-in-speech, perhaps. That said, just because something is Free Software does not make it sup
You miss my point -- the whole "Open Source" movement clouds the definitions. OSI embraced the original APSL, which in many ways was more restrictive than the DJB licenses.
There are many things that are open source and not free. DJB's stuff. Quite a bit of UW mail software, etc. etc. You can't distribute a patched version of pine, either, without UW's permission.
OSI obfuscates these issues because the trolls don't get along with RMS.
Actually, the definition of "open source" used by OSI (launched
The parent post that started this all was, quite frankly, trolling. bind9 was a complete rewrite from the ground up. I don't recall the last time I had an exploit in bind9. I have had multiple openssl and openssh vulnerabilities in the past year however.
So as I have told many people, every network app is going to have its issues. Some have more than others, but with proper patch management (and despite the original poster's claim, you don't have to pay for BIND patches) you can keep your network secure.
Incorrect, it is not open source. You cannot distribute modified versions. And 'modified versions' in his case means so much as having the binaries installed in a different location than they would be by building and installing his source distribution... among other things. You can only redistribute a djbdns package if the effects of installing your package on a system are exactly the same as the effects of installing his official source distribution.
> Incorrect, it is open source.
> It isn't GPL.
> There's a big difference.
Yes, there is a big difference, and djbdns is not Open Source. It violates points #3 and #4 of the Open Source Definition [opensource.org]. (It also doesn't comply with the DFSG [debian.org] which is why Debian has it in non-free.)
I quote:
3. Derived Works
The license must allow modifications and derived works, and must allow them to be distributed under the same terms as the license of the original software.
> Get real. djbdns' source is 100% available for you to look at and patch to your heart's content. If you find an error, send a fix to DJB and he'll add it after review.
"Available Source" !== "Free Software".
You can't redistribute changed, patched DJBDNS. You can't fork it if you figure something requires a fundamental change in design philosophy. You cannot distribute binaries. DJB releases a new version every millennium or so - so when you set up Qmail or DJBDNS, you spend a week applying patches and testi
Open source doesn't just mean access to the source code.
Note that opensource.org invented the term "open source" - it was not in use to describe software until they had that meeting where they invented the term - so they certainly get to say what it means.
> Until a true open source alternative to BIND appears, we're stuck with it.
> By "true alternative" do you mean it has to be GPLable?
Not necessarily. Being distributable wouldn't hurt, though.
Being compatible with the DNS standard would also be a plus.
Don't get me wrong, I am all for alternatives to BIND, but djbdns cannot even be distributed as a simple rpm or deb package not messing the whole bloody filesystem, for God's sake.
If you want a name server with such a strong emphasis on security
90% of the internet is vulnerable ... (Score:4, Interesting)
Re:90% of the internet is vulnerable ... (Score:3, Interesting)
Irrelevant^2 (Score:5, Insightful)
Not only irrelevant, it's utterly laughable (Score:2)
That is completely irrelevant (Score:2)
It is hardly irrelevant in m
Re:90% of the internet is vulnerable ... (Score:4, Informative)
Re:90% of the internet is vulnerable ... (Score:2, Informative)
Re:90% of the internet is vulnerable ... (Score:2)
Re:90% of the internet is vulnerable ... (Score:4, Insightful)
Re:90% of the internet is vulnerable ... (Score:1)
Re:90% of the internet is vulnerable ... (Score:1)
Re:90% of the internet is vulnerable ... (Score:2)
$500 is nothing. (Score:2, Informative)
Re:$500 is nothing. (Score:2)
So? (Score:2)
Re:So? (Score:2)
Re:$500 is nothing. (Score:1)
It's $500 more than most any other "secure" open source project has put up.
$10 an hour is more than you'd make auditing, oh, say, the Linux kernel for fun.
The fact that:
(a) Nobody has claimed they have found an error in DJB's code
(b) Nobody has claimed that DJB has refused to pay them (AFAIK)
shows the code is, at present, known secure.
Re:90% of the internet is vulnerable ... (Score:2)
> Incorrect, it is open source. It isn't GPL. There's a big difference.
The point being made is that djbdns is not open in some pretty important ways, like allowing other people to extend it for example.
Bernstein is a total control freak, he demands that people install and use his code in very specific ways...
Re:90% of the internet is vulnerable ... (Score:2)
Wrong (Score:2)
The DJB license does not do that (and even prevents modified source distribution). End of story.
Re:Wrong (Score:2)
Open Source and Free Software (Score:2)
Re:90% of the internet is vulnerable ... (Score:2)
A
Re:90% of the internet is vulnerable ... (Score:2)
Because of it not being
Re:90% of the internet is vulnerable ... (Score:2)
Re:90% of the internet is vulnerable ... (Score:2)
Re:90% of the internet is vulnerable ... (Score:2)
Assuming that people have compilers, make, etc. on their production servers
DJBDNS is not Open Source (Score:2)
DJBDNS is "disclosed source". Big difference.
True Alternative (Score:2)
Re:90% of the internet is vulnerable ... (Score:2, Insightful)
http://www.powerdns.com/products/powerd