Massive DNS security problem endangers the internet

GO TO ADMIN PANEL > ADD-ONS AND INSTALL VERTIFORO SIDEBAR TO SEE FORUMS AND SIDEBAR

vbt

Staff member
Joined
Dec 16, 2001
Messages
5,185
Points
63
Age
42
US-CERT and other security experts have warned of a critical design problem affecting all DNS implementations. The Domain Name Service is responsible for converting readable names like www.heise-online.co.uk into the IP addresses that computers can handle, such as 193.99.144.85. DNS is thus the internet equivalent to a phonebook and without it, nothing works. Anyone who takes control of it can control the internet.


In order to avoid repeating name resolution for every network connection, many systems store the results in a cache for a certain length of time. If an attacker succeeded in slipping false addresses into such a cache, he could divert any network connections to systems under his control. That would open up the possibility of enormous phishing campaigns and the large-scale theft of passwords, credit-card data, and even access data for online banking.


The fundamental problem with the DNS is that the responses to queries can, in principle, be faked. For that reason, current systems use a randomly selected 16-bit transaction ID for each query. If the answer also contains this ID it comes from the correct server, and the prospect of an attacker guessing it is negligibly small.Amit Klein, however, has already shown several times how implementation errors, say in the random-number generator used, can be exploited to enable DNS cache poisoning.

Source : http://www.heise-online.co.uk/news/Massive-DNS-security-problem-endangers-the-internet--/111070
 

ExCyber

Staff member
Joined
Aug 8, 2001
Messages
4,014
Points
36
Age
37
The article is inconsistent with the CERT report. The article says "all DNS implementations", but the CERT report explicitly lists several vendors as "Not Vulnerable". The author of one of those "Not Vulnerable" implementations is not thrilled with DNSSEC as a solution to forgery problems in general, either.
 
Top