4th Aug '08

DNS security and trust


A couple of weeks ago I wrote an article on a domain name system (DNS) cache poisoning vulnerability that Dan Kaminsky was researching and that he is going to discuss at the Black Hat security conference in a couple of days. There were many rumors about what it might be, and at least part of the vulnerability was leaked before then. The leaked information indicates that it is really just a new attack methodology against the existing vulnerability I discussed in my previous article: DNS's typically connectionless protocol is vulnerable to spoofed reply packets, especially if an attacker can make queries against your DNS service and then flood it with forged responses. Additional attack methods may be revealed at the conference.

I had thought that I read somewhere that the new attack methodology was effective even against private recursive DNS servers, such as ones running on local networks that only provide recursion for local users. If the leaks are true, then that isn't necessarily the case. So far the information that has been released indicates that the new attack methodology queries random hostnames at a target domain to increase the chance of getting a transaction ID correct, and then piggybacks a response for the target hostname in the forged response. This is a pretty clever way to exploit a weak transaction ID vulnerability.
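A defender-side detection for the query pattern the leaked methodology relies on, written here as an added example that is not from the original post: it parses a few constructed BIND-style query-log lines (sample data, not real traffic) and flags any client that asks the resolver for many distinct subdomains of one domain within a short window. The log format, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed BIND-style query log: one normal client, one client issuing a
# burst of random-label queries under a single parent domain (sample data).
SAMPLE_LOG = """\
04-Aug-2008 10:00:01.000 client 192.0.2.10#53000: query: www.example.com IN A +
04-Aug-2008 10:00:01.010 client 203.0.113.5#41000: query: a7f3k9q2.example.com IN A +
04-Aug-2008 10:00:01.020 client 203.0.113.5#41000: query: zq81mm0c.example.com IN A +
04-Aug-2008 10:00:01.030 client 203.0.113.5#41000: query: p0o9i8u7.example.com IN A +
04-Aug-2008 10:00:01.040 client 203.0.113.5#41000: query: l2k3j4h5.example.com IN A +
04-Aug-2008 10:00:01.050 client 203.0.113.5#41000: query: x9c8v7b6.example.com IN A +
04-Aug-2008 10:00:01.060 client 203.0.113.5#41000: query: m1n2b3v4.example.com IN A +
04-Aug-2008 10:00:05.000 client 192.0.2.11#53001: query: mail.example.com IN MX +
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client "
    r"(?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse(log_text):
    """Yield (timestamp, client_ip, qname) for each query line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            yield ts, m["client"], m["qname"].lower().rstrip(".")

def parent_domain(qname, labels=2):
    """Last `labels` labels of qname, or None if qname has no subdomain part."""
    parts = qname.split(".")
    return ".".join(parts[-labels:]) if len(parts) > labels else None

def find_random_subdomain_bursts(log_text, window=timedelta(seconds=2), threshold=5):
    """Map (client, parent) -> max distinct subdomains queried within `window`,
    for every client/parent pair that reaches `threshold` distinct names."""
    events = defaultdict(list)
    for ts, client, qname in parse(log_text):
        parent = parent_domain(qname)
        if parent:
            events[(client, parent)].append((ts, qname))
    hits = {}
    for key, items in events.items():
        items.sort()
        start = 0
        for end in range(len(items)):          # sliding time window
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = len({q for _, q in items[start:end + 1]})
            if distinct >= threshold:
                hits[key] = max(hits.get(key, 0), distinct)
    return hits
```

Legitimate clients rarely need many fresh names under one domain in two seconds, so a hit is a good trigger to check whether the resolver still serves recursion to that client at all.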

Someone at CAU released exploit code to the public that uses this new attack methodology. A lot of people were (hopefully) scrambling to update their public recursive DNS servers, as they were suddenly very vulnerable to this published exploit. Although the exploit still only works on public recursive DNS servers, this is pretty frightening for the general public. Most Internet users are unfortunately using their Internet service providers' public recursive DNS servers. I have to question why.

When one goes to the Web site of one’s bank, one wants to be sure that the mnemonic name that was typed into the web browser’s address bar actually resolves to the bank’s numeric Internet address. This is one of the most important fundamental parts of Internet security. However, most Internet users are using untrusted recursive DNS servers to resolve Internet addresses. Even excluding this new DNS vulnerability, millions of Internet users are blindly using the recursive DNS servers that are assigned by their ISP. Has anyone’s ISP ever claimed to be providing secure, private, or even reliable DNS service included with the Internet connectivity package being offered?

Worse yet are the users who have problems with the reliability of their ISP's recursive DNS servers, so they just find some recursive DNS servers that provide public service and blindly use them. For example, the DNS servers at 4.2.2.1, 4.2.2.2, and 4.2.2.3 are often recommended by dangerously ignorant do-gooders to people who are having problems using their own ISP's recursive DNS servers. No one seems to actually know who runs these DNS servers, only that they're hosted on some Level3 IP address space. Some Internet users who were aware of the recent DNS cache poisoning security issues even took note that these unknown nameservers were vulnerable, and later that they are now "safe" because they have been patched. Were they ever safe? We still don't know who owns the servers. Should one continue to trust some anonymous stranger to address Internet traffic to one's banking web site, simply because the location where the stranger wants the traffic to go is now better assured?

Businesses with their own substantial private network infrastructure and competent network administrators should consider setting up their own recursive DNS servers. It's difficult to trust a third party's idea of the domain name system more than one's own tightly controlled service. However, if a business doesn't have competent administrators to implement and maintain this, it might actually be safer to find a third party DNS provider that can be trusted and that is properly maintained. Additionally, the larger cache of a public recursive caching DNS server can speed up Internet addressing of traffic. I would recommend one of the two following providers instead of using an ISP's assigned recursive DNS servers.

ifirefly

In January of this year, after being frustrated that there were no trusted recursive DNS servers that offered service free to the public, ifirefly set up its own self-funded servers as an open project to help home Internet users and small businesses get the DNS security and privacy that they were lacking. The free recursive caching DNS servers are open to the public with no registration required. The providers of the service offer a commitment to security, privacy, and reliability.

OpenDNS

In 2006, David Ulevitch started OpenDNS, which is an advertising funded DNS service. It offers free recursive DNS servers, with optional registration for additional features such as DNS filtering for basic protection and typo correction. The commercial service is funded by showing the users ads instead of negative results for some DNS names.

Take a look to see what recursive DNS servers you’re using today. If you’re using a Windows computer, you can open a command prompt (Start -> Programs -> Accessories -> Command Prompt). After the command prompt window opens, type the following command in the window at the blinking cursor:

ipconfig /all

Look at the results of the DNS Servers line. Do you know what these servers are, or who maintains them? Has the DNS service provider promised you anything in the way of security or privacy when resolving names to numeric Internet addresses? If not, please do something about it today. When you try to visit your bank’s web site, make sure that your information is at least destined for the correct Internet address. The alternative method for DNS security is to only use the numeric Internet addresses. It’s a bit harder to remember those numbers, though.


3 Responses to “DNS security and trust”

  1. Marcus says:

    Awesome article! This article clearly explains the importance of using a trusted DNS service. This is an often overlooked security issue that most people don’t know about or understand. Thank you!

    I use ifirefly at home.

  2. George Barwood says:

    For Windows users, I am developing a public domain solution that offers 50 bits of security by default (compared to the default Windows resolver, which appears to be totally insecure to me).

    Installation is simple ( by a standard Windows installer, with no options ) and should take no more than a minute or two.

    For more information please see http://www.george-barwood.pwp.blueyonder.co.uk/DnsServer/

    and let me know if this could be useful to you.

  3. SSL MD5 PKI vulnerabilities threaten Web security | The Secure Channel says:

    […] in order to allow the affected certificate authorities to remedy the vulnerability. Like the DNS research from last year, it may not be long before many other researchers start reverse engineering the […]
