Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Researcher Kaminsky Pushes DNS Patching

Posted by samzenpus on from the protect-ya-neck dept.

BobB-nw writes "Dan Kaminsky, who for years was ambivalent about securing DNS, has become an ardent supporter of DNS Security Extensions. Speaking at the Black Hat DC 2009 conference Thursday, the prominent security researcher told the audience that the lack of DNS security not only makes the Internet vulnerable, but is also crippling the scalability of important security technologies. 'DNS is pretty much our only way to scale systems across organizational boundaries, and because it is insecure it's infecting everything else that uses' DNS, the fundamental Internet protocol that provides an IP address for a given domain name, said Kaminsky, director of penetration testing at IOActive. 'The only group that has actually avoided DNS because it's insecure are security technologies, and therefore those technologies aren't scaling.'"

25 of 57 comments (clear)

  1. Job title by psnyder · · Score: 5, Funny

    I'd love to have the title "Director of Penetration Testing", but can only think of 2 types of jobs where the title is appropriate. And I don't have the stamina for either.

    1. Re:Job title by pushing-robot · · Score: 2, Funny

      Bombardier?

      --
      How can I believe you when you tell me what I don't want to hear?
    2. Re:Job title by Anonymous Coward · · Score: 4, Funny

      -1 Tasteless

      says someone who chose the handle Penguinshit

    3. Re:Job title by jggimi · · Score: 2, Informative

      From memory, having read Pynchon's Gravity's Rainbow in the 1970s, and not since:

      "It's colder than the nipple on a witch's tit,
      It's colder than a bucket of penguin shit,
      It's colder than a pimple on a polar bear's ass,
      And it's colder than the frost on a champagne glass."

  2. Re:One trick pony by Xiroth · · Score: 2, Interesting

    Meh, I dunno about that. He's clearly got a pretty brain for finding flaws, and he's obviously got experience in the area, so he's a perfectly good cracker resource. You can't see everything from the security side - Whites and Greys need to have their input heard too.

  3. Re:One trick pony by John+Hasler · · Score: 2, Interesting

    > I think I'll go with what Bruce Schneier and other security researchers suggest.

    Which is...

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  4. Who is Dan Kaminsky by phantomfive · · Score: 5, Informative

    In case anyone was wondering who Dan Kaminsky is, besides being the one who discovered the recent DNS vulnerability, he also did research regarding the Sony rootkit. His picture is available online, and he looks like a regular decent guy, for whatever that's worth. He's written some sort of port scanner called scanrand, and started a company called Doxpara Research.

    --
    Qxe4
    1. Re:Who is Dan Kaminsky by gavron · · Score: 5, Informative
      I think you're confusing Dan with Mark Russinovich -- they guy who discovered the Sony rootkit.

      http://blogs.technet.com/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx

      E

    2. Re:Who is Dan Kaminsky by ascari · · Score: 5, Funny

      It's a DNS error: Mark Russinovich and Dan Kaminsky resolve to the same person.

    3. Re:Who is Dan Kaminsky by mewsenews · · Score: 4, Funny

      His picture is available online, and he looks like a regular decent guy, for whatever that's worth.

      Sorry, he's not attractive enough for me to consider him a network security expert (what the hell???)

    4. Re:Who is Dan Kaminsky by MadMidnightBomber · · Score: 4, Informative

      No, Kaminsky used an interesting technique to map the spread of the Sony rootkit - http://www.securityfocus.com/news/11369

      Saying "he also did research regarding the Sony rootkit" is entirely accurate.

      --
      "It doesn't cost enough, and it makes too much sense."
  5. Why is this a problem? by Dallas+Caley · · Score: 2, Interesting

    Ok i am probably going to show my ignorance here, almost certainly, but it seems to me that this is a good thing, isn't it? Don't we want to have a secure DNS system? Or is it the case that securing the system will somehow limit our freedom or something like that?

    Yes i know this is a very generic question but i would like to know

  6. Re:One trick pony by gavron · · Score: 4, Informative
    > I don't think Schneier has published a position.

    Why think when you can actually check?

    http://tinyurl.com/dg5h7z

    ...

    See link 1, click once. Read the last two paragraphs. To me that seems like a published position.

    Click the "back" button. Read the next few links.

    Enjoy.

    E

  7. Bad Article, Bad Summary by Wowlapalooza · · Score: 5, Interesting

    Kaminsky supports patching existing nameservers (to increase query source-port entropy and thus make the so-called "Kaminsky" attack far less likely to succeed).

    He also supports DNSSEC as the long-term solution to the whole class of vulnerabilities.

    But these are not the same thing.

    Patching DNS servers is done to the nameserver programs, DNSSEC is done to the nameserver configurations and to the DNS data itself.

    The article, and Slashdot's summary of it, mixes up the two in an unfortunate salad. Very disappointing indeed.

    1. Re:Bad Article, Bad Summary by SIR_Taco · · Score: 4, Funny

      mmmmmmmmmmmmmmmm... unfortunate salad

      --
      I say don't drink and drive, you might spill your drink. Before you get behind the wheel just stop and think.
    2. Re:Bad Article, Bad Summary by gavron · · Score: 2, Informative
      Negative. It makes the transfer of information not be the loose hole in the security pipe. However if either end is compromised, a "secure transfer" of compromised information occurs.

      I don't want to bore those who are just here to increase their karma but security of DNS means both security of DATA and security of the TRANSFER of said data. The encludes AUTHENTICATION, ENCRYPTION, and secure endpoints to facilitate both without being compromised.

      E

    3. Re:Bad Article, Bad Summary by niw · · Score: 3, Informative

      AUTH=Make sure you get your data from the right sources.

      Okay.

      ENCR=make sure the data are correct.

      Huh?

      Encryption makes the information secure from snooping, which is pointless in the case of DNS as it is public information by definition.

      Signing makes sure the data has not been tampered with. Which is more or less the same as authentication.

      Sorry to disappoint you, but you can't "verify" DNS by "querying" if the original data are unprotected.

      That is the general idea of how SSL and the CA's work, only with DNS we don't really care if other people know what you are looking for, we just care that we are getting the correct response from the correct server, which requires signing of the responses, which is authentication. That is, with DNS we only really need signing of the data for transfers and queries, not encryption.

    4. Re:Bad Article, Bad Summary by Effugas · · Score: 2, Interesting

      This is true historically. However, I (this is Dan Kaminsky) think it's a mistake now. DNSSEC needs to be pushed into the nameserver's automated functionality about as deeply as possible. Administrators simply cannot be asked to maintain this data, manually resigning zones, manually keeping keys from expiring. It doesn't scale.

  8. I think you're wrong... by jonaskoelker · · Score: 2, Informative

    I think you're confusing Dan with Mark Russinovich

    I think GP isn't. It may be true that Mark discovered the rootkit, but I distinctly remember watching one of Dan's talks (at shmoocon, I think) in which he talks about him scanning udp/53 of teh w0hle intarnets and figuring out that a lot of caches knew about a name more or less only connected to the sony rootkit before Dan came and asked for it.

    Dan did some research. Not all of it, and not the first of it, but some of it.

  9. DJB discovered the "Kaminsky bug" by Ex-Linux-Fanboy · · Score: 4, Insightful

    I started to RTFA when something caught my eye: "his discovery of a significant DNS flaw -- known as the Kaminsky Bug"

    Except Kaminsky wasn't the original discoverer of this bug (or the workaround). Dr. Bernstein is. Dr. Bernstein discusses hte Kaminsky bug here; that page has been around since about late 2000.

    For the record, I am no fan of DJB. I feel he has acted unprofessional and childlike at time; his response to an announcement of my DNS server on Bugtraq being just one example of his inappropriate behavior. But, personal differences aside, I recognize he's a genius and that he's the original discoverer of this particular DNS issue.

    (I also wish DJB would own up to the remote denial of service bug DjbDNS has, but that's another issue)

    1. Re:DJB discovered the "Kaminsky bug" by gad_zuki! · · Score: 4, Informative

      djb thought potential exploits would appear without port randomization, but he didnt discover this particular flaw. Kaminsky did. As a car analogy, its like saying putting chips in keys keeps cars from being stolen, but coming up with a non-obvious hack that always starts the car without a key is its own work. Even Schneier says so:

      Kaminsky's vulnerability is a perfect example of this. Years ago, cryptographer Daniel J. Bernstein looked at DNS security and decided that Source Port Randomization was a smart design choice. That's exactly the work-around being rolled out now following Kaminsky's discovery. Bernstein didn't discover Kaminsky's attack; instead, he saw a general class of attacks and realized that this enhancement could protect against them. Consequently, the DNS program he wrote in 2000, djbdns, doesn't need to be patched; it's already immune to Kaminsky's attack.

    2. Re:DJB discovered the "Kaminsky bug" by afidel · · Score: 2, Interesting

      Oh, as we discovered after the patching for the Kaminsky bug ANY DNS server is vulnerable if it sits behind a firewall that uses static or weakly randomized source ports. This means your DNS software might could be perfectly designed but if your firewall doesn't cooperate you're still vulnerable. I don't believe any home firewall does port randomization correctly and more than a few high end ones don't either.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    3. Re:DJB discovered the "Kaminsky bug" by slash.duncan · · Score: 2, Interesting

      I think most OpenWRT/DD-WRT, etc, firewalls do srcport randomization reasonably well, at least if they're based on a reasonably new 2.4 or 2.6 kernel. There's a lot of home firewalls running those sorts of user-upgraded firmware. And there's a reasonable number of folks running a Linux/Netfilter based firewall either on their normally used computers directly, or on a dedicated firewall computer (say an old 586), too. Plus all those that went with a *BSD based firewall instead.

      Sure, by absolute numbers, there's likely a lot more running shipped or upgraded manufacturer's image firmware, but that wasn't your claim. Your claim was "any" home firewall, which without further qualification means it just takes one counterexample to disprove the claim, and I'm sure there's at least dozens if not hundreds or thousands of examples among /.ers reading this article alone.

      But if you believe Netfilter based *WRT or standard Linux firewalls on relatively recent kernels aren't sufficiently random, by all means, please provide a link to a discussion thereof ASAP, as I and I'm sure many other /.ers need to make some changes in our configs...

      --
      Duncan
      "Every nonfree program has a lord, a master,
      and if you use the program, he is your master."
      R Stallman
  10. The only group that has actually avoided DNS by citizenr · · Score: 2, Interesting

    "'The only group that has actually avoided DNS because it's insecure are security technologies, and therefore those technologies aren't scaling.'"

    Avoided? then WHAT is this: www.ioactive.com ???

    --
    Who logs in to gdm? Not I, said the duck.
    1. Re:The only group that has actually avoided DNS by Qzukk · · Score: 2, Informative

      Avoided? then WHAT is this: www.ioactive.com ???

      It's a website, not a security technology.

      If you want a security technology that uses DNS, ask for opportunistic IPSEC.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.