August 03, 2005
DNS - The Achilles heel of the Internet
CNET has a good article on the vulnerability of the Internet to DNS "cache poisoning" attacks. It turns out that nearly 10% of the DNS servers scanned are potentially vulnerable, and I think it's very important that ISPs and enterprises fix this problem immediately.
Full disclosure: one of my portfolio companies, Nominum, offers a variety of DNS-related products, some of which help solve this problem.
Some excerpts from the article include:
In a scan of 2.5 million so-called Domain Name System machines, which act as the White Pages of the Internet, security researcher Dan Kaminsky found that about 230,000 are potentially vulnerable to a threat known as DNS cache poisoning . . .
. . . In a DNS cache poisoning attack, miscreants replace the numeric addresses of popular Web sites stored on the machine with the addresses of malicious sites. The scheme redirects people to the bogus sites, where they may be asked for sensitive information or have harmful software installed on their PC. The technique can also be used to redirect e-mail, experts said.
. . . The vulnerable servers run the popular Berkeley Internet Name Domain software in an insecure way and should be upgraded, Kaminsky said. The systems run BIND 4 or BIND 8 and are configured to use forwarders for DNS requests--something the distributor of the software specifically warns against.
BIND is distributed free by the Internet Software Consortium. In an alert on its Web site, the ISC says that there "is a current, wide-scale...DNS cache corruption attack." All name servers used as forwarders should be upgraded to BIND 9, the group said.
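The attack the excerpts describe works because a resolver (or forwarder) caches address records that arrive in a reply even when they are for names it never asked about. The classic check against that, which the article does not spell out, is bailiwick filtering: only keep records that fall inside the zone the answering server is responsible for. The Python below is an added example written for this post, not code from the CNET article, from BIND, or from Nominum. It constructs a fake reply in DNS wire format (the names www.attacker.example, www.bank.example, the transaction ID and the addresses are all made up), parses it, and shows what a trusting resolver would cache next to what a bailiwick-checking one keeps:

```python
import socket
import struct

# Constructed scenario: our resolver asked attacker.example's name server for the
# A record of www.attacker.example. The reply answers that question honestly but
# smuggles an extra A record for www.bank.example in the additional section.
TXID = 0x1234                         # made-up transaction ID of our query
QNAME = "www.attacker.example"
BAILIWICK = "attacker.example"        # zone the queried server is authoritative for
A_RECORD = 1

def encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_rr(name_wire, ttl, ip):
    """Class IN A resource record; name_wire is already encoded (may be a pointer)."""
    rdata = socket.inet_aton(ip)
    return name_wire + struct.pack("!HHIH", A_RECORD, 1, ttl, len(rdata)) + rdata

def build_poisoned_response():
    """Constructed reply: 1 question, 1 answer, 0 authority, 1 additional record."""
    header = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 1)   # flags: QR, RD, RA
    question = encode_name(QNAME) + struct.pack("!HH", A_RECORD, 1)
    answer = build_rr(b"\xc0\x0c", 300, "203.0.113.5")          # pointer to qname at offset 12
    poison = build_rr(encode_name("www.bank.example"), 86400, "198.51.100.66")
    return header + question + answer + poison

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past the name field)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                          # field ends after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if end is not None else off)

def parse_response(msg):
    """Minimal parser: assumes one question; returns (txid, qname, sections)."""
    txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = read_name(msg, off)
    off += 4                                           # skip qtype and qclass
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((name, rtype, ttl, msg[off:off + rdlen]))
            off += rdlen
        sections[key] = rrs
    return txid, qname, sections

def in_bailiwick(name, zone):
    """True if name is the zone apex or lies below it."""
    return name == zone or name.endswith("." + zone)

def cache_from_response(msg, expected_txid, expected_qname, zone, bailiwick_check=True):
    """Return the {name: ip} entries a resolver would cache from this reply.
    bailiwick_check=False mimics a resolver that trusts every record it is sent."""
    txid, qname, sections = parse_response(msg)
    if txid != expected_txid or qname != expected_qname.lower():
        return {}                                      # not a reply to our question
    cache = {}
    for section in ("answer", "authority", "additional"):
        for name, rtype, _ttl, rdata in sections[section]:
            if rtype != A_RECORD:
                continue
            if bailiwick_check and not in_bailiwick(name, zone):
                continue                               # drop out-of-zone glue
            cache[name] = socket.inet_ntoa(rdata)
    return cache

if __name__ == "__main__":
    msg = build_poisoned_response()
    print("trusting resolver :", cache_from_response(msg, TXID, QNAME, BAILIWICK, False))
    print("bailiwick-checked :", cache_from_response(msg, TXID, QNAME, BAILIWICK))
```

The trusting mode ends up with www.bank.example pointing at the attacker's address for a day, which is exactly the redirection the article warns about; the checked mode keeps only the record the server was entitled to answer for. Matching the transaction ID and question name is the bare minimum a resolver must also do, and a real one would check the source address and port of the reply as well.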
As I have mentioned before in this blog, BIND is neither secure nor going to scale to manage the needs of the Internet. I think it's important that ISPs and enterprises either upgrade to BIND 9 or do something else to protect their DNS servers.