Slashdot Mirror

← Back to Stories (view on slashdot.org)

Network Attacks Via DNS

Posted by timothy on from the operator-please dept.

Iphtashu Fitz writes "Without DNS the internet wouldn't be all that useful. Despite being a ubiquitous part of the internet it is overlooked by many as a potential security hole. At this weekends Defcon 12 conference in Las Vegas, security researcher Dan Kaminsky warned that DNS can open up seemingly secure networks to attack. Because most firewalls and other security devices treat DNS requests as harmless it provides an excellent conduit for transferring covert data in and out of otherwise protected systems. At Defcon, Kaminsky demonstrated some software that allows a server to act as a communications hub using DNS. This let him transmit instant messages and even audio streams over an encrypted connection carried by spoofed DNS requests."

"Because the data looked like typical DNS traffic it wouldn't be detected or logged by firewalls or intrusion detection systems. He also pointed out that monitoring DNS could help in other unrelated ways: because the recent MSBlast worm did lookups on windowsupdate.com infected machines could have been detected by simply monitoring DNS server logs."

5 of 147 comments (clear)

  1. Suspicious? by timgoh0 · · Score: 3, Insightful

    Wouldn't large amounts of DNS traffic look suspicious? Especially if they originated from one machine.

  2. Irrelevant^2 by warrax_666 · · Score: 4, Insightful
    The $500 security guarantee is utterly irrelevant. (Btw: Who gets to judge what is a security problem? That's right, DJB himself. If that doesn't tell you something, then you're not the sharpest tool in the shed).

    The $500 correpsonds to less than 50 hours at $10 an hour (being extremely generous with the hourly wages here, in favour of the "gaurantee"). Do you think anyone can audit the djbdns source code -- even ignoring the fact that it's largely uncommented and messy (#define, what's that?) -- in 50 hours? No, I didn't think so.


    BIND is open source, but that doesn't make it safe and secure. it's probobly more insecure just because of that.

    BIND may be Open Source (note capitalization) while djbdns isn't. That doesn't mean you can't get source for djbdns. In fact it's probably easier to get source than binaries for djbdns because of the unbelievably stupid djbdns license.

    So they are both equally "insecure" from that perspective.
    --
    HAND.
  3. Cheating Wireless networks by technothrasher · · Score: 5, Insightful
    I've noticed in the past that many of the public wireless networks that want you to pay to use allow DNS traffic to flow even before you've paid. I've often thought that'd you could use that to build a tunnel and not have to pay for service.

    Mind you, I've never done it because it would be kind of rotten, but it did cross my mind.

  4. Re:90% of the internet is valnerable ... by johnnyb · · Score: 3, Insightful

    "Now, if he doesn't like your patch, you can post the patch on the internet. You can even put it alongside the source. You can even make an autopatch program that will patch djbdns during make so that dumb users can handle the process"

    Can you make binaries of your new program and distribute them? If not, I can't see how you call this open-source. It cuts off all of the distributors from carrying patched versions that work with their own distribution, instead of whatever way that djb wants.

    --
    Engineering and the Ultimate
  5. Harmless? by jjeffrey · · Score: 5, Insightful

    I don't think that networks allow DNS because it is harmless, but because it is necessary, that's an important distinction.