Slashdot Mirror


Security Researcher Kaminsky Pushes DNS Patching

BobB-nw writes "Dan Kaminsky, who for years was ambivalent about securing DNS, has become an ardent supporter of DNS Security Extensions. Speaking at the Black Hat DC 2009 conference Thursday, the prominent security researcher told the audience that the lack of DNS security not only makes the Internet vulnerable, but is also crippling the scalability of important security technologies. 'DNS is pretty much our only way to scale systems across organizational boundaries, and because it is insecure it's infecting everything else that uses' DNS, the fundamental Internet protocol that provides an IP address for a given domain name, said Kaminsky, director of penetration testing at IOActive. 'The only group that has actually avoided DNS because it's insecure are security technologies, and therefore those technologies aren't scaling.'"


  1. Job title by psnyder · · Score: 5, Funny

    I'd love to have the title "Director of Penetration Testing", but can only think of 2 types of jobs where the title is appropriate. And I don't have the stamina for either.

  2. Who is Dan Kaminsky by phantomfive · · Score: 5, Informative

    In case anyone was wondering who Dan Kaminsky is, besides being the one who discovered the recent DNS vulnerability, he also did research regarding the Sony rootkit. His picture is available online, and he looks like a regular decent guy, for whatever that's worth. He's written some sort of port scanner called scanrand, and started a company called Doxpara Research.

    --
    Qxe4
    1. Re:Who is Dan Kaminsky by gavron · · Score: 5, Informative
      I think you're confusing Dan with Mark Russinovich -- the guy who discovered the Sony rootkit.

      http://blogs.technet.com/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx

      E

    2. Re:Who is Dan Kaminsky by ascari · · Score: 5, Funny

      It's a DNS error: Mark Russinovich and Dan Kaminsky resolve to the same person.

  3. Bad Article, Bad Summary by Wowlapalooza · · Score: 5, Interesting

    Kaminsky supports patching existing nameservers (to increase query source-port entropy and thus make the so-called "Kaminsky" attack far less likely to succeed).

    He also supports DNSSEC as the long-term solution to the whole class of vulnerabilities.

    But these are not the same thing.

    Patching DNS servers is done to the nameserver programs; DNSSEC is done to the nameserver configurations and to the DNS data itself.

    The article, and Slashdot's summary of it, mixes up the two in an unfortunate salad. Very disappointing indeed.
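
An added illustration of the source-port entropy point in the last comment above (not part of the original thread, and not any poster's or project's code): a heuristic check an operator could run over the UDP source ports seen on their own resolver's outbound queries. The port samples, the 14-bit threshold and all function names are constructed assumptions.

```python
import math

TXID_BITS = 16  # the DNS header ID field is 16 bits wide

# Constructed samples of UDP source ports from a resolver's outbound queries.
FIXED = [32771] * 8
SEQUENTIAL = [1025, 1026, 1027, 1028, 1029, 1030, 1031, 1032]
NARROW = [40000, 40017, 40003, 40029, 40011, 40022, 40008, 40030]
RANDOMIZED = [1837, 60214, 23391, 44102, 9977, 51660, 30518, 15243]

def port_spread_bits(ports):
    """Rough bits of port unpredictability, estimated from sample spread.

    A uniform pick over a range of width R has std dev R/sqrt(12), so the
    observed std dev implies an effective range. Heuristic only.
    """
    mean = sum(ports) / len(ports)
    std = math.sqrt(sum((p - mean) ** 2 for p in ports) / len(ports))
    return min(16.0, math.log2(max(1.0, std * math.sqrt(12))))

def classify(ports, min_bits=14.0):
    """Label a sample; min_bits is an assumed threshold, not a standard."""
    if len(ports) < 2:
        raise ValueError("need at least two observed ports")
    if len(set(ports)) == 1:
        return "fixed"
    deltas = {(b - a) % 65536 for a, b in zip(ports, ports[1:])}
    if len(deltas) == 1:
        return "sequential"  # constant stride is predictable
    return "randomized" if port_spread_bits(ports) >= min_bits else "narrow"

def guess_space_bits(ports):
    """TXID bits plus estimated port bits a forged reply has to match."""
    predictable = classify(ports) in ("fixed", "sequential")
    return TXID_BITS + (0.0 if predictable else port_spread_bits(ports))

if __name__ == "__main__":
    for name, sample in [("fixed", FIXED), ("sequential", SEQUENTIAL),
                         ("narrow", NARROW), ("randomized", RANDOMIZED)]:
        print(f"{name:10s} -> {classify(sample):10s} "
              f"~{guess_space_bits(sample):.1f} bits")
```

A short sample like this can flag a clearly unpatched resolver, but it cannot prove that port selection is well randomized.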