Friday, August 15, 2008

DNS Security, Part 3

Is there no end to the DNS security flaw? I've written about it here and here.

We all hoped that the technique that Dan Kaminsky described would put this to rest.

Apparently we were wrong.

The Register reported that a Russian researcher had demonstrated DNS cache poisoning on a freshly patched DNS server. It did take him 10 hours with a dedicated gigabit connection to the server but he did poison it.

Even Dan had to respond.

I read that when he posted it but I kinda glazed over after a while.

Then Steve Gibson revisited the DNS vulnerability in his last podcast. (I gotta quit listening to Steve.) You can read it here.

Steve refers to the "0x20 hack." If you hadn't falling asleep reading Dan's post, you would have seen that he did too.

I found the ITEF RFC that describes this technique. Sure cure for insomnia. Suffice it to say it has to do with using mixed case in the domain name being queried.

Let me net it out for me and you both.

Prior to this summer's patches, DNS had as low as 1 in 32,769 possibilities to be compromised. After the patches, the odds were 1 in 4,294,967,296 (according to Dan).

The 0x20 hack makes this 1 in billions and billions. Yeah, there are some edge cases that Dan covers but it's way better.

And this seems relatively easy to implement. I expect it'll slip in in a future round of patches and we'll be done with this until ... DNSSEC.

Stay tuned.

No comments: