There have been enough clues over the last few years that the global DNS system as used in its current form, is particularly frail and subject to simple attacks. Yet the main commercial protagonists piggy-backing onto this system, have remained almost spectacularly silent on the issue and there seems to be little impetus to change things. Similar […]
It looks like DNSSEC is breing implemented at the root level world-wide. Almost 2 years after the first country level signing ( .se for Sweden ), the K-, D- and E-root servers operated by RIPE, University of Maryland and NASA respectively, started root signing this week past. 7 of the 13 root servers now supply […]
I thought yesterday’s article ( well it actually reads like an advertorial ) on ZDNet UK regarding Bind and Niminum’s new Skye offering, was a joke. Then I realised that no, it wasn’t. But why would the ZDNet author, Toby Wolpe, start with such an inflammatory header? Is he actually looking to be flamed and […]
.. has always been a hot topic, considering that it is the cornerstone of the Internet. Without DNS or with a broken DNS, the Internet stops working ( correctly ) so it’s important that this building block is always in top shape, something that has been lacking from time to time. Considering it’s age and […]
This time the security issue is with BIND 9 specifically and not DNS in general as Dan Kaminsky’s fabled cache poisoning issue from last year. Receipt of a specially-crafted dynamic update message to a zone for which the server is the master may cause BIND 9 servers to exit. Slaves are unaffected however. Patches are […]
Besides SPR ( source port randomisation ), Nominum have a number of other security options built into their Vantio DNS product: SPR defense: strange queries result in a direct connection to the server resistance: tries not to give out ip’s for name servers ( glue records ) warns ISP of attack So, interesting options from […]
Ben Laurie of Google’s Applied Security team, while working with an external researcher, Dr. Richard Clayton of the Computer Laboratory, Cambridge University, found that various OpenID Providers (OPs) had TLS Server Certificates that used weak keys, as a result of the Debian Predictable Random Number Generator (CVE-2008-0166). In combination with the DNS Cache Poisoning issue […]
Dan Kaminsky gave a very interesting talk on the recent DNS issues as part of the Black Hat USA 2008 conference currently on the go in Las Vegas. Originally DJ Bernstein had advocated ( and put into DJBDNS ) source port randomisation as part of the DNS request but no one else had as they […]
Dan Kaminsky previewed information relating to possibly the worst DNS-related exploit ever, earlier this month. The issue is a cache poisoning vulnerability and can result in DNS answers containing fiddled information. This is actually a general design issue more than any vendor-specific issue. Imagine entering a url in your browser and been taken to another […]
