Slashdot Mirror


Securing DNS From The Roots Up

jeffy124 writes: "This article at ComputerWorld tells the story of how ICANN would like to replace the root DNS systems with secured servers. Lars-Johan Liman, one of the root operators, spoke about the concept at ICANN's annual meeting today. He discussed how the world's current redundant DNS system is vulnerable to DDOS attacks and yet-to-be-discovered root holes in bind that can ultimately undermine the entire Internet by taking away the name-IP mappings that are relied upon by just about everyone."

13 of 354 comments

  1. News flash! by Teancom · · Score: 5, Funny

    Bind may be vulnerable to security exploits! Sendmail may *not* be as secure as qmail! Walking through Harlem with $100 bills hanging out of your pockets isn't smart! Sky is blue!

    Some people just never get the news....

  2. DNS Solution by Anonymous Coward · · Score: 1, Funny

    Just deploy Windows 2000 DDNS + Active Directory + Windows 2000 Kerb5 on the internet.

    This will weed out all those unix crackers anyway.

  3. My entire world is running amok by Tsar · · Score: 4, Funny

    The Internet is depending on unsecured servers for DNS? Now how am I going to sleep at night? Next you'll be telling me the earth isn't sitting snugly atop a giant turtle! Is nothing certain any more?

  4. Good thing ICANN is in charge.... by reaper20 · · Score: 1, Funny

    otherwise, someone might actually implement this while it's still useful ....

    In other news, the ICANN today approved the use of 'electricity' on the Internet.....

  5. DNS? Ha! by tang · · Score: 5, Funny

    Real men surf the net using ip addresses. (And NOT in base 10)

    1. Re:DNS? Ha! by tang · · Score: 2, Funny

      Hyperlink? That is just taking the easy way out.

    2. Re:DNS? Ha! by Russ Steffen · · Score: 2, Funny

      Real men don't need no wussy ethernet cards either. A voltmeter and battery is all you need.

  6. No problem! by DahGhostfacedFiddlah · · Score: 2, Funny

    As long as no one opens their mouth about possible security leaks, we'll be safe.

  7. Starting to back it up. by miguel · · Score: 5, Funny

    This time I will be prepared.

    I am downloading as we speak all the DNS records on the planet into my /etc/hosts file so I can be immune to the attacks.

    I encourage others to do the same.

  8. It has to be said by niekze · · Score: 2, Funny

    ICANN would like to replace the root DNS systems with secured servers.

    Ok, how long before someone at ICANN suggests that the servers should maintain domain to ip mappings in static files? Something like a file called hosts and that could be stored in /etc. Then, a patent would be granted for "a static internet address to domain name mapping system" and "a static domain name to internet address system".

    Sorry, I'm just in a sarcastic mood given the fact that they actually use bind. Does anyone find that a little scary?

    I know it's been brought up here on /. before, but there are many people who run their own DNS roots, underground dns if you will. Anyone have any links?

    --
    Chaos, Mayhem, and Destruction: Not
  9. Want to solve all the BIND security problems??? by evilviper · · Score: 5, Funny

    The answer is simple, just ask the author of IPF how he did it...

    Change the BIND license to make it much more restrictive, then sit back as the OpenBSD developers build their own simpler, better, more stable, and much more secure, replacement.

    SSH.
    IPF.
    BIND?

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  10. /etc/hosts!!! by chrysalis · · Score: 4, Funny

    100 Gb hard disks are cheap nowadays, and almost all OS support > 2Gb files. So securing the DNS from the roots up is simple: have a local /etc/hosts file with all existing hosts.
    Then, subscribe to a mailing list that sends daily changes, so that you can keep your /etc/hosts file up to date.
    Ehm... yeah. You first have to secure mail to do this.

    1. Re:/etc/hosts!!! by sharkey · · Score: 3, Funny

      You first have to secure mail to do this.

      Actually, using secure mail would get tiresome, don't you think? What is needed is a mail user agent that will simply take the incoming mail, run it as root, and modify/add whatever files necessary without admin or user intervention. Now THAT would be a time-saver, huh?

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.