New Major DNS Flaw Uncovered

A recent discovery by security researchers has found a major vulnerability in the domain name system (DNS) that is likely to cause large-scale Internet-wide problems if the flaw in not immediately fixed. Most vendors are working together to develop a large-scale coordinated patch to fix this vulnerability.

Focal Points:

• Dan Kaminsky, a leading security researcher, has worked with the United States Computer Emergency Readiness Team (US-CERT) to coordinate an industry-wide patch of a major DNS Flaw. Kaminsky stated that the flaw was significant and should immediately be patched by everyone with a DNS server. Most every company has its own DNS server, as well as participating in major Internet-based DNS services. There are over 80 hardware and software vendors that are working with Kaminsky to fix this problem. Kaminsky is planning to discuss his findings at the upcoming Black Hat Security Conference in the beginning of August.
• DNS is the service that translates a well known server name (such as www.google.com) into an Internet Protocol (IP) address that can be used by machines to route traffic to the appropriate server. One of the things that make this bug so dangerous is that there have been many discussions on various blogs and Internet sites on how to exploit this vulnerability. This particular bug is know as DNS cache poisoning, which allows hackers to take the infected server and changed the resolved well known names to bogus IP addresses. This can enable malicious users to then either infect or pull information off of the computers that have been routed to their bogus sites. The exploit does not affect all DNS servers, just the ones that use recursive DNS to provide domain information. Large authoritative Internet DNS servers, such as those at GoDaddy.com, Inc. and VeriSign, Inc., are not vulnerable to exploit.
• While many of the researchers that initially guessed publicly on how to exploit this bug have taken their postings off of the Internet, once the information is initially posted publicly it is almost impossible to completely eliminate its existence. For this reason, it is critical that IT executives ensure that any vulnerable servers that they have running DNS are immediately patched. Kaminsky has already verified that there have been valid attacks already discovered on the Internet that exploit this vulnerability. This attack is already available from Metasploit, a framework that makes is very easy for people with little expertise to try and execute this exploit.

Experton Group believes security managers must make IT and company executives aware of this vulnerability and immediately take actions to fix any vulnerable servers. This best ultimate solution to this vulnerability is to implement DNS Security Extensions (DNSSEC), which is a security extension to DNS that allows it to ensure the authenticity of DNS information. IT executives should make sure all vendor patches related to DNS are put in place, followed by ultimately adding DNSSEC to DNS services.