DNS bug reveals the Internet's soft, chewy center

The latest DNS vulnerability shows the importance of keeping every piece of security and infrastructure software up to date -- and the very fragile state of networks that go unpatched.

You've probably been inundated with news about Dan Kaminsky's DNS cache exploit, potentially one of the biggest Internet-wide vulnerabilities ever announced. Unpatched DNS servers can easily be tricked into leading users to bogus Web sites, and without patching the DNS servers (and sometimes the clients) there is little the average end-user can do. Although many Internet security experts believe the flaw is critical but greatly overhyped, it is likely that the crimeware industry will be working overtime to put this exploit to use.

It is so potentially damaging that Dan quietly worked with the world's biggest DNS vendors to make sure they had patches before he went public with the exploit details at the Black Hat Conference on August 6. Even after announcing vendor patch availability, Dan hoped to give companies and end-users many weeks to patch before the details came out; at least, that was the plan.

Many knowledgeable critics and DNS experts faulted Dan for not practicing full disclosure of the flaw along with the original announcement. Some were sure he was overhyping the flaw himself. In a spirit of good faith, Dan released the details to two notable DNS experts after getting their promises not to disclose them to anyone. Both reviewed Dan's exploit and stated that he did indeed have a new DNS bug that was critical and easy to exploit.

Unfortunately, one of those parties "unintentionally" leaked the bug early by publicly confirming another researcher's speculation. Within minutes the news was all over the Internet, and within a few hours public exploit code began appearing. The exploit code is now available on more than a dozen Web sites, including Metasploit.

If you manage DNS servers, make sure they are patched or were never vulnerable to begin with. Most DNS vendors have released patches, and a few DNS servers, like DJBDNS, are not exploitable in the first place. Whether or not you manage DNS servers, make sure the DNS servers your computers rely on are not exploitable. To test, go to DoxPara, click the "Check My DNS" button and review the results. This tester was created by Dan Kaminsky, who found the exploit (many parties say the bug was disclosed years ago, but obviously not in a way that produced what is occurring now). If the test reveals an unpatched server, patch it or report it to the DNS administrator.
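What a resolver test of this kind observes is whether the resolver randomizes the source port and transaction ID of the queries it sends upstream, rather than using a fixed port and a counter. As an added illustration (not Dan Kaminsky's code or the DoxPara tester), the following scores constructed observations of the kind an authoritative server you control would record from a resolver under test:

```python
"""Assess whether a recursive resolver randomizes the source ports and DNS
transaction IDs of the queries it sends upstream, the property the patches
for this bug added and the property a "Check My DNS"-style test observes.
All samples here are constructed; a real test records them on an
authoritative server you control that the resolver under test is made to query."""
import math
import random
from collections import Counter


def shannon_bits(values):
    """Empirical entropy of a sample in bits (log2(n) when all n values are distinct)."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def is_sequential(values):
    """True when each value is the previous one plus one (mod 2^16)."""
    return len(values) > 1 and all((b - a) % 65536 == 1 for a, b in zip(values, values[1:]))


def assess(observations):
    """observations: list of (source_port, txid) pairs as seen by the authority.
    Returns entropy estimates, the specific weaknesses found, and a verdict."""
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    findings = []
    if len(set(ports)) == 1:
        findings.append("fixed source port")  # classic pre-patch behaviour
    elif is_sequential(ports):
        findings.append("sequential source ports")
    if is_sequential(txids):
        findings.append("sequential transaction IDs")
    elif len(set(txids)) < len(txids):
        findings.append("repeated transaction IDs")
    return {
        "port_bits": round(shannon_bits(ports), 2),
        "txid_bits": round(shannon_bits(txids), 2),
        "findings": findings,
        "verdict": "predictable" if findings else "looks randomized",
    }


# Constructed: a resolver that always queries from port 53 with a TXID counter.
UNPATCHED = [(53, 0x1A2B + i) for i in range(32)]

# Constructed: a patched resolver, stood in for by seeded distinct draws from
# the ephemeral port range and the full 16-bit TXID space.
_rng = random.Random(2008)
PATCHED = list(zip(_rng.sample(range(1024, 65536), 32), _rng.sample(range(65536), 32)))

if __name__ == "__main__":
    for name, obs in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(name, assess(obs))
```

If your resolver forwards to another server, the observations come from that upstream server, so the verdict describes the upstream's behaviour rather than your own box.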

Note: Be aware that Dan's Web site is being attacked by malicious hackers. Some DNS cache exploit programs are coded to redirect end-users from Dan's site to other bogus sites. If the hackers have already successfully exploited a DNS server you rely on, clicking on his site's link can take you somewhere else. When in doubt, check with your DNS administrator or use a known good DNS server. If you have fully patched BIND or Microsoft DNS running, and it resolves queries itself rather than forwarding them to another server, you should be in fairly good shape. Several known good DNS servers are available for public use.

But here is the real test. Several studies have shown that a significant portion of the population takes too long to patch or never patches. Dan's DNS bug will test that claim in a way it hasn't been tested in a long time. Patches are available for nearly every popular DNS version, but how many DNS administrators will apply them?

If history is any guide, somewhere around 1/2 to 2/3 of DNS administrators will patch relatively quickly. Others will not patch until they are exploited, weeks to months later, and some will never patch. Why?

First, some environments don't have DNS administrators who monitor the daily security news. Although this is huge news in security circles, if you don't actively participate in those circles, you could be completely blind to the problem. Several large organizations I checked with just today were unpatched and completely unaware of this issue. Sadly, this is not unusual or surprising. It just is.

Second, in many environments even critical security patches take weeks to deploy. These environments practice strict change control, and even with someone pressing to get the patches installed as soon as possible, "as soon as possible" can be a long time. Unfortunately, the first problem is often present in the second scenario: no one is aware, and when they become aware it takes a long time to respond.

Finally, a large portion of the world doesn't have a DNS administrator or even know they are running a DNS server. Some consultant probably installed the product years ago, and because there haven't been many problems, they and the consultant parted ways. That box, hacked or not, hasn't been causing any operational problems, so as far as they are concerned life is good. Until they are hacked in a way that actually causes a big problem, they won't know any different.

Again, this latter scenario is not unusual or surprising. Talk with any Internet security expert and they'll tell you that the largest share of exploits on the Internet on any given day target vulnerabilities that were patched or resolved half a decade ago or longer. So I will not be surprised to read, weeks and months from now, how some huge organization or some nationally critical site was left unpatched and is responding to a new hacking event.

It's been this way since the beginning of the Internet, and it will not change anytime soon. There are solutions that can prevent this type of thing, as I have written about several times before in my "Fix the Internet" series of articles and white paper, but none of the real solutions is likely to be deployed anytime soon.
