You could eliminate this vulnerability by pulling all your DNS in-house, but opinion is divided on the wisdom of doing this.
Sam Curry, vice president of eTrust security management at Computer Associates, recommends it. “Typically your ISP gets DNS
information from higher up in the hierarchy, where it is much more difficult to poison the cache.” Curry argues that talking
directly to the DNS top layer reduces your exposure.
Jim Stickley, CTO and co-founder of TraceSecurity, a company that helps clients comply with strict security requirements,
agrees. “If you lock down all your servers and make sure they are only pulling off root cache servers, it is going to be very
difficult for a hacker to pharm you,” he says.
These root servers live at the top of the DNS hierarchy. “You can trust the root servers,” says Dan Golding, an analyst at
Burton Group. “There are 13, and they are all run by various governmental, educational, and commercial entities around the
world.” Moreover, VeriSign handles security for all the dot-com and dot-net root servers. Ken Silva, CSO of VeriSign, says
these have never been compromised.
The trouble with the do-it-yourself approach is that locking down DNS communications all the way to the root-level servers
means taking on a lot of responsibility. “You are stuck with all the maintenance and DNS can be very complex,” SANS Institute’s
Ullrich says.
According to Michael Hyatt, CEO and president of BlueCat Networks, DNS is a black box that many prefer not to open. “[DNS]
is arcane. Configuring BIND is not something you do with a nice GUI. You have to use an ugly, old, and unforgiving language,”
he says.
BlueCat makes the Adonis 1000, a network appliance that eases the pain of DNS configuration and management and makes it more
secure, while doing double duty as a DHCP server. “IT people should not have to mess with manual updates to BIND and kernel
configurations,” Hyatt says. “You need a simple way to propagate DNS changes throughout your network. That is one of the things
we do.”
Unbreakable DNS?
There’s an ultimate solution to DNS pharming attacks -- one that has been around for a long time. Most experts agree that
DNSSEC (DNS Security), the DNS security protocol hammered out by the IETF 10 years ago, would make DNS close to bulletproof.
“DNSSEC encrypts and signs DNS data,” Burton’s Golding says. “It turns a DNS server into a trusted entity.”
That’s the theory. Unfortunately, the practice has less appeal. “DNSSEC is horrendously complex,” Golding explains. “To make
it work, you would need to set up a trust relationship between all DNS servers from the root to the enterprise.”
This would mean implementing a PKI on a massive scale, something not likely to happen. “DNSSEC is a great concept,” SANS Institute’s
Ullrich says. “But this is not a practical solution. I tried a small-scale implementation and gave up. It is very complex.”
That leaves IT with work to do, not the least of which is getting to know DNS, which many prefer to avoid. Everyone running
a DNS server should upgrade to BIND Version 9 and check the configuration of Microsoft DNS servers to ensure that some default
mode has not opened up vulnerabilities. Those brave enough might want to bring DNS in-house, but, at the very least, enterprise
IT needs to know what sort of DNS infrastructure their ISP is running and how to hold the ISP accountable if pharming occurs.
These steps will go a long way in protecting against DNS poisoning.
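The configuration work Hyatt calls arcane and the steps listed above (BIND 9, pulling answers from the root rather than an upstream cache, enabling DNSSEC validation) come down to a handful of settings. The following named.conf is an added example for an in-house caching resolver, not configuration from the article or from any vendor mentioned in it; it assumes BIND 9.8 or later, and the network ranges, file paths, and zone-file names are placeholders. The weak setting that older guides recommended is shown commented out beside the corrected form.

```conf
// Added example: hardened BIND 9 named.conf for an internal caching resolver.
// Network ranges and file paths below are illustrative placeholders.

acl "internal" { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };

options {
    directory "/var/named";              // placeholder working directory

    // WEAK (seen in old how-tos): pinning the outbound port makes every
    // query's source port predictable, which lowers the bar for forging
    // a spoofed answer into the cache.
    //     query-source address * port 53;
    // CORRECTED: omit query-source so BIND randomizes the source port
    // of each outbound query.

    // WEAK: relaying everything to the ISP's resolver inherits whatever
    // sits in its cache.
    //     forwarders { 192.0.2.53; };  // placeholder ISP resolver
    //     forward only;
    // CORRECTED: no forwarders; resolve from the root hints (zone "." below).

    // Answer recursive queries only for our own networks. An open resolver
    // lets anyone on the Internet ask it questions and seed its cache.
    recursion yes;
    allow-recursion   { internal; };
    allow-query       { internal; };
    allow-query-cache { internal; };

    // A resolver has no zones worth transferring; refuse all AXFR/IXFR.
    allow-transfer { none; };

    // Do not advertise the running version in CHAOS-class queries.
    version "not disclosed";

    // Return only the records asked for, so less extra glue lands in the cache.
    minimal-responses yes;

    // Validate DNSSEC signatures using BIND's built-in root trust anchor.
    // Signed zones then fail closed instead of being accepted when forged.
    dnssec-validation auto;
};

// Root hints: the list of root servers, shipped with BIND as named.root.
zone "." { type hint; file "named.root"; };

// Loopback reverse zone so the resolver is self-contained (placeholder file).
zone "0.0.127.in-addr.arpa" { type master; file "named.local"; };
```

After editing, `named-checkconf /etc/named.conf` (the checker that ships with BIND 9) reports syntax errors before the daemon is restarted. The ACL plus `allow-recursion` and `allow-query-cache` are what turn an open resolver into a private one; `dnssec-validation auto` only protects lookups in zones that are actually signed, so the other settings remain necessary for everything else.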
The distributed structure of the Internet and the current state of DNS make it virtually impossible to stop all pharming.
But Burton’s Golding says there is no need to panic. For one thing, pharming is a difficult and expensive hack. “I think the
pharming attacks are being somewhat overhyped by the security vendors who want to sell products.”
On the other hand, complacency would be a mistake. “Pharming has not really taken off yet,” TraceSecurity’s Stickley says.
“But I think it will for a simple reason: If you look hard enough, you can almost always find a vulnerable DNS server.”