ICANN is raising awareness of a recently discovered vulnerability in the domain name system (DNS). This includes releasing an FAQ and an online tool for domain operators to test their domains.
Due to the distributed nature of the DNS, no one organization can implement a fix for this vulnerability. It requires the cooperation of all name server operators and DNS software vendors. However, ICANN sees an important goal in spreading awareness of the need to update Internet infrastructure to cope with the threat. The organization has been undertaking significant outreach efforts to top-level domain operators to advise them on the issue. It has also prepared an FAQ and online domain testing tool to raise awareness of the problem, and to encourage network operators to rectify or update their servers.
Summary of Cache Poisoning Issue
Security researcher Dan Kaminsky recently discovered a design flaw in the fundamental DNS protocol. While it is not possible to fully fix this flaw, there are ways to improve resistance to it. This involves system administrators patching or reconfiguring their DNS servers.
The vulnerability affects what are called “recursive” name servers, typically installed at ISPs and corporate network gateways to perform DNS lookups on behalf of clients and cache the results for faster subsequent lookups, rather than the “authoritative” name servers used by domain registries.
However, a single machine can be configured to perform both the “recursive” and the “authoritative” function, and in that case the susceptible recursive function can create security risks for the authoritative function.
For domain operators
For operators of domain names, this vulnerability can be used to affect the contents of their zone if their authoritative servers also provide recursive name service. To detect whether a particular zone is vulnerable, ICANN has produced a tool that can check a particular domain:
Domain operators should ensure that all of the authoritative name servers for their domain are separated from any recursive name servers, so that the domain is not affected by cache poisoning attacks.
ICANN has also produced a set of questions and answers on this topic for domain operators, which is available at:
http://www.iana.org/reports/2008/cross-pollination-faq.html
For Internet users
For most users it is important to ensure that the DNS servers their computer uses to look up domains have been patched to enable “source port randomization”. To check whether your Internet provider has made this change, you can use an online testing tool provided by the DNS Operations, Analysis and Research Center at:
https://www.dns-oarc.net/oarc/services/dnsentropy
To be guarded against the vulnerability, the test result should be reported as “Great”. If you do not get such a result, you should talk to your network administrator (typically your ISP, or your company’s IT department) and advise them to update their recursive name servers.
[Source: http://www.icann.org/en/announcements/announcement-06aug08-en.htm]
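As an added example (not code from ICANN or DNS-OARC), here is a small Python check of the kind the DNS-OARC entropy test performs, run over constructed samples of a resolver's outgoing query source ports and transaction IDs; the rating thresholds are assumptions, not the live tool's scoring.

```python
import math
import random
from collections import Counter

# Constructed samples of (source_port, txid) pairs as a resolver would emit
# them on outgoing queries; none were captured from a real server.
_rng = random.Random(2008)
FIXED_PORT = [(53, _rng.randrange(65536)) for _ in range(100)]
SEQUENTIAL = [(32768 + i, _rng.randrange(65536)) for i in range(100)]
RANDOMIZED = [(_rng.randrange(1024, 65536), _rng.randrange(65536)) for _ in range(100)]

def shannon_bits(values):
    """Shannon entropy of the observed values, in bits (bounded by log2(n))."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def looks_sequential(values, threshold=0.8):
    """True when most successive values step by exactly +1 (a counter,
    which an attacker can predict about as easily as a constant)."""
    if len(values) < 2:
        return False
    steps = [(b - a) % 65536 for a, b in zip(values, values[1:])]
    return steps.count(1) >= threshold * len(steps)

def assess(samples):
    """Rate source-port randomization with an assumed heuristic (not
    DNS-OARC's exact scoring): POOR for a fixed or counting port, FAIR for
    ports that repeat often or stay within a narrow window, GREAT when
    ports are spread widely with few repeats."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    distinct = len(set(ports)) / len(ports)
    span = max(ports) - min(ports)
    if len(set(ports)) == 1 or looks_sequential(ports):
        rating = "POOR"   # only the 16-bit TXID still has to be guessed
    elif distinct < 0.9 or span < 1024:
        rating = "FAIR"
    else:
        rating = "GREAT"  # guess space is roughly port range x TXID
    return {
        "port_bits": round(shannon_bits(ports), 2),
        "txid_bits": round(shannon_bits(txids), 2),
        "distinct_ports": round(distinct, 2),
        "rating": rating,
    }

if __name__ == "__main__":
    for name, s in (("fixed", FIXED_PORT), ("sequential", SEQUENTIAL), ("random", RANDOMIZED)):
        print(name, assess(s))
```

On a real resolver the (port, txid) pairs would come from a packet capture of its outbound queries to an authoritative server you control; the rating only says whether the port varies, since a sample this small cannot measure the full 16 bits.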
An Illustrated Guide to the Kaminsky DNS Vulnerability
http://www.unixwiz.net/techtips/iguide-kaminsky…
The big security news of Summer 2008 has been Dan Kaminsky's discovery of a serious vulnerability in DNS. This vulnerability could allow an attacker to redirect network clients to alternate servers of his own choosing, presumably for ill ends.
This all led to a mad dash to patch DNS servers worldwide, and though there have been many write-ups of just how the vulnerability manifests itself, we felt the need for one in far more detail. Hence, one of our Illustrated Guides.
This paper covers how DNS works: first at a high level, then by picking apart an individual packet exchange field by field. Next, we'll use this knowledge to see how weaknesses in common implementations can lead to cache poisoning.
By fully understanding the issues at play, the reader may be better equipped to mitigate the risks in his or her own environment.