Home » Data Protection » Application Security

News

The Internet Gets Patched: DNS Bug Fixed

Security researcher Dan Kaminsky has discovered a flaw in the DNS protocol that allows attackers to spoof Internet addresses

By Robert McMillan, IDG News Service (San Francisco Bureau)

Page 2

Kaminsky's bug has to do with the way DNS clients and servers obtain information from other DNS servers on the Internet. When the DNS software does not know the numerical IP (Internet Protocol) address of a computer, it asks another DNS server for this information. With cache poisoning, the attacker tricks the DNS software into believing that legitimate domains, such as Bofa.com, map to malicious IP addresses.

Security researchers have known about ways to launch these cache poisoning attacks against DNS servers for some time now, but typically these attacks require that attackers send a lot of data to the DNS server they are trying to infect, which makes the attacks easier to detect and block. However, Kaminsky discovered a far more effective way to launch a successful attack.

Because Kaminsky's flaw lies in the design of DNS itself, there is no easy way to fix it, Damas said. Instead, companies like ISC have added a new security measure to their software that makes it harder for cache poisoning to work.

In the long run, however, the most effective way to deal with cache poisoning will be to adopt a more secure version of DNS, called DNSSEC said Danny McPherson, chief research officer with Arbor Networks. Tuesday's fix is basically "a hack that makes it a lot more difficult," he said. "But it doesn't fix the root problem."

Kaminsky says he will give network administrators a month to patch their software before revealing more technical details on the flaw at next month's Black Hat conference in Las Vegas. In the meantime, he has posted code on his Web site that allows users to see if their corporate or ISP's DNS server has been patched.