DNS: A flaw in the root of all evil?

The entire world runs on DNS.

That is not quite true, but the Internet does, and without DNS the entire infrastructure would screech to a deafening halt. In short, DNS (or Domain Naming System) is the directory service that lets us use friendly(ish) names to remember sites, such as garvis.ca/blogs, rather than having to remember http://209.97.218.133/mitchgarvis/blogs. The best analogy is a phone book, where we can look up Mitch Garvis and find the phone number that corresponds to my name. (This is the Forward Lookup; a Reverse Lookup would be like a Red Book, where you could look up the phone number and find the name that corresponds to it.)

While there are plenty of companies that provide DNS servers and services, DNS itself is not a product; rather, it is a protocol on which providers build.

While the majority of people do not understand the first thing about DNS, they unknowingly benefit from it every day, and most of us have been doing so to a greater or lesser degree since the mid-nineties. It is a basic infrastructure service, like plumbing or phones, that we likely do not think about very often... so imagine how shaken you would be to find out that one of those services had an inherent security flaw that could compromise entire segments of it: say, take over every phone number in an area code.

Such a vulnerability apparently was found earlier this year by Dan Kaminsky. Quite responsibly, he did not keep it to himself, but he also did not make it public. Instead, he contacted organizations such as Microsoft and the Computer Emergency Response Team (a division of the U.S. Department of Homeland Security), and in March a group of engineers from the major DNS vendors met to coordinate a response.

Today that response was announced, and all of these vendors have released patches simultaneously. Chances are you are using a version of Windows or Mac OS that will automatically download the patch, but server administrators should make sure that their servers are compliant.

According to Securosis.com (which has been a major source of my information on this issue): "There is absolutely no reason to panic; there is no evidence of current malicious activity using this flaw, but it is important everyone follow their vendor’s guidelines to protect themselves and their organizations."

DNS is a system of distributed databases that contain the information about sites on the Internet, as well as resources within corporate networks.  It was invented in 1983 by Dr. Paul Mockapetris, who published RFCs 882 and 883 while at the Information Sciences Institute (ISI) of the University of Southern California.  Prior to DNS there was a single table on a single host that handled address translations for the entire ARPAnet (the precursor to today's Internet).
