20080815 this is just how dns works - plembo/onemoretech GitHub Wiki

title: This is just how DNS works.
link: https://onemoretech.wordpress.com/2008/08/15/this-is-just-how-dns-works/
author: lembobro
description:
post_id: 473
created: 2008/08/15 21:57:43
created_gmt: 2008/08/15 21:57:43
comment_status: open
post_name: this-is-just-how-dns-works
status: publish
post_type: post

This is just how DNS works.

DNS is a hierarchy, and you have to be able to traverse the hierarchy… This is not an implementation bug, this is just how fundamentally DNS works. And it’s how it’s always had to work.

Dan Kaminsky, speaking on Black Hat Webcast #2, 24 July 2008.
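To make the hierarchy traversal Kaminsky describes concrete, here is an added toy model of iterative resolution (example code written for this page, not code from the post, from Kaminsky, or from any DNS implementation). The zone data, server addresses and hostnames are constructed for illustration. The resolver starts at a root server and follows one referral per level until it reaches the authoritative answer; every hop is a separate exchange whose reply the resolver has no choice but to act on, which is why the path down the tree matters to defenders.

```python
# Toy iterative DNS resolver over a constructed three-level hierarchy.
# Added example: constructed data, not real zones or real name servers.

# Zone contents: owner name -> list of (rtype, rdata). All values constructed.
ZONES = {
    ".": {
        "com.": [("NS", "a.gtld.example.")],
        "a.gtld.example.": [("A", "192.0.2.10")],      # glue for the TLD server
    },
    "com.": {
        "example.com.": [("NS", "ns1.example.com.")],
        "ns1.example.com.": [("A", "192.0.2.53")],     # glue for the zone server
    },
    "example.com.": {
        "www.example.com.": [("A", "192.0.2.80")],
        "ns1.example.com.": [("A", "192.0.2.53")],
    },
}

# Which zone each (constructed) authoritative server address serves.
SERVER_ZONE = {
    "192.0.2.1": ".",           # root server
    "192.0.2.10": "com.",       # TLD server
    "192.0.2.53": "example.com.",
}


def _suffixes(qname):
    """Yield qname and each shorter ancestor name, ending with the root '.'."""
    labels = qname.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) or "."


def query(server_ip, qname):
    """Simulate one authoritative query.

    Returns ("answer", [addresses]) when the server's zone holds A records
    for qname, ("referral", child_zone, ns_name, glue_ip) when it only knows
    a delegation below its apex, and ("nxdomain",) otherwise.
    """
    zone = SERVER_ZONE[server_ip]
    data = ZONES[zone]
    addrs = [r for t, r in data.get(qname, []) if t == "A"]
    if addrs:
        return ("answer", addrs)
    for cand in _suffixes(qname):
        if cand == zone:
            break  # reached our own apex: nothing delegated, name does not exist
        ns = [r for t, r in data.get(cand, []) if t == "NS"]
        if ns:
            glue = [r for t, r in data.get(ns[0], []) if t == "A"]
            return ("referral", cand, ns[0], glue[0] if glue else None)
    return ("nxdomain",)


def resolve(qname, root_ip="192.0.2.1", max_hops=10):
    """Walk the hierarchy from the root, following referrals until an
    authoritative answer or a negative answer is reached.

    Returns (addresses_or_None, chain) where chain records each hop as
    (server_ip, zone_served, response_type).
    """
    chain = []
    server = root_ip
    for _ in range(max_hops):
        resp = query(server, qname)
        chain.append((server, SERVER_ZONE[server], resp[0]))
        if resp[0] == "answer":
            return resp[1], chain
        if resp[0] == "nxdomain":
            return None, chain
        _, _child, _ns_name, glue_ip = resp
        if glue_ip is None:
            raise RuntimeError("referral without glue; would need a sub-resolution")
        server = glue_ip  # descend one level
    raise RuntimeError("too many referrals while resolving %s" % qname)


if __name__ == "__main__":
    addrs, hops = resolve("www.example.com.")
    print("answer:", addrs)
    for ip, zone, kind in hops:
        print("  asked %s (serves %r) -> %s" % (ip, zone, kind))
```

Run as a script it prints the three hops (root, `com.`, `example.com.`) and the final address; `resolve("nothere.example.com.")` walks the same path and ends with a negative answer from the zone server.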

Dan Kaminsky’s discovery of the fatal flaw in the infrastructure of today’s Internet, and the continuing efforts to get a stopgap patch in place, have faded from the front pages for now. But given the nature of the threat, and the slow adoption of the present fix, it may come roaring back to the public’s attention as the script kiddies and more professional malefactors begin to take advantage of it to hijack connections to financial institutions and online shops, and the routing of both business and personal e-mail.

So far discussions of the problem have been at best “high level”, meaning uselessly nontechnical, or shrouded in vague generalities apparently intended to throw off the bad guys.

For a really good discussion at a useful level of detail, take a look at this article by Steve Friedl at Unixwiz.net:

An Illustrated Guide to the Kaminsky DNS Vulnerability

This piece, which earned a link on Dan’s personal blog, should be required reading for anyone involved in Internet or intranet systems administration.

My vote for most critical quote on this critical issue comes from Dan’s webcast for Blackhat.

How much trouble are we in? Guys, we’re in a lot of trouble. This attack is very good. This attack is being weaponized out in the field. We provide Internet access. We provide access between companies. We provide access between networks. We provide access between people. That access that we provide is not necessarily going to be ours anymore. I don’t know what Internet we’re going to be providing, but it’s not going to be the one we sold.

In a word. Patch for it. Patch for it now.

Some DNS and BIND resources to bookmark for future use:

Cricket Liu’s Infoblox DNS Best Practices

Bind9.net

Just a personal note here from one busy sysadmin. For all the work involved in managing yum updates on my own CentOS servers running the standard distribution BIND packages, it all proved worthwhile during this particular emergency. In my case all name servers were fully patched within minutes of the new rpms being made available on the mirrors. Many thanks to the folks at CentOS, and the upstream engineers at Red Hat whose hard work made that possible.

Copyright 2004-2019 Phil Lembo