
Kaminsky: DNS issue still major threat

Dan Kaminsky, discoverer of a severe DNS vulnerability, says there are a number of complicated systems still vulnerable to attack.

SAN DIEGO--Although nearly three-quarters of the vulnerable servers have been patched against the severe domain name system (DNS) vulnerability that he found earlier this year, Dan Kaminsky said that the issue still poses a significant threat to the security of the Internet, especially when viewed in the context of other flaws attackers could use to amplify its severity.

There are a lot of very complicated systems out there that are broken, and that are broken by design.
Dan Kaminsky, director of penetration testing, IOActive Inc.

Speaking at the ToorCon conference Saturday, Kaminsky said that the interconnected nature of the DNS system and its use in a variety of functions, aside from simple name lookups, makes it critical for all DNS servers to be secured. The domain name system, which converts names such as into the IP addresses that servers understand, is also used for a number of other tasks, including MX record lookups.

"The thing you have to understand is that protocols don't exist in isolation," Kaminsky said. "Everything you do on the DNS system can be used against you. There's a trade-off for every action. We have to secure all of the name servers, not just most of them."


Kaminsky said that the large number of known problems in various authentication systems on the Internet makes the DNS bug that much more serious. An attacker who is able to spoof a name server can then use that position as a launching pad for other operations, including a variety of man-in-the-middle attacks. The attacker also can use the DNS vulnerability in conjunction with other flaws to make inroads into vulnerable networks.

"We're seeing bugs combined very effectively out there," Kaminsky said. "There are a lot of very complicated systems out there that are broken, and that are broken by design."

Pointing to recent discoveries of vulnerabilities or architectural problems with the Debian Linux distribution, the OpenID identity management platform and other systems, Kaminsky stressed the way in which these problems could be used in a cascading manner by an attacker. Someone who is able to impersonate a specific name server could, for example, apply for an SSL certificate for a third-party website. Certificate authorities typically perform a domain validation process before issuing a certificate, but that process would be compromised by the attacker's ability to spoof the domain's name server. The validation process usually involves looking up the owner of the name server in the DNS records and sending an email to the administrative contact at that domain, both of which would be in the attacker's control.

"We're failing to have any idea who we're talking to on these networks," Kaminsky said. "Yes, we have ugly, ugly stuff out there."
