EmailSafety.net - Permanent fix needed for DNS security issues, Kaminsky warns

Permanent fix needed for DNS security issues, Kaminsky warns

Anti-Spam Software

What is Spam?

Spam Laws

Spam Facts

User Tips

Common Email Scams

What Are Visuses?

Virus Prevention Tips

Anti-Virus Software

Basic Tips

Recent News

Seven months after the disclosure of a fundamental design flaw in the Domain Name System protocol that was discovered by security researcher Dan Kaminsky , industrywide efforts to address the DNS problem have made considerable headway, according to Kaminsky.

Even so, Kaminsky - who works at security services firm IOActive Inc. - said this week that the time may have come for IT vendors and users to consider broad adoption of the more permanent security protections offered by DNS Security Extensions , or DNSSEC, technology.

DNSSEC is designed to make the Internet safer by providing a better method of authenticating and protecting DNS data from cache poisoning attacks - such as the one Kaminsky found - and other security threats. The technology is being vigorously pushed by the federal government on its networks, but many companies have been hesitant about deploying DNSSEC because of its complexity - which includes requiring changes to the DNS protocol itself.

"DNSSEC as an implementation issue remains terrifying," Kaminsky said in an interview after speaking at the Black Hat DC 2009 conference here. "There are so many things administrators are supposed to do." As a result, many aren't even trying - leading to a very low adoption rate, he said.

Related Content

Nevertheless, Kaminsky contended that the inherent security weaknesses in DNS make a strong case for adopting DNSSEC. What the security industry needs to focus on now, he added, is making DNSSEC no harder to implement than deploying the so-called source port randomization fixes for the DNS cache-poisoning flaw was.

"I'm not saying source port randomization was easy," he noted. But once the fixes were implemented, systems administrators didn't have to do anything else to protect their DNS servers against the cache-poisoning flaw, according to Kaminsky. "Once you did it," he said, "you were done."

Kaminsky said the patching efforts launched after he discovered the DNS flaw have resulted in all of the Internet's top-level domains as well as large carrier networks and ISPs being protected against attacks. Given that security researchers originally estimated it would take up to a year for a majority of DNS servers to be patched, "we are more than satisfied" with the progress, he said.

For more enterprise computing news, visit Computerworld. Story copyright Computerworld, Inc.

Recent News:

· Feds draw a bead on Russian behind Mega-D botnet
· Ransomware Attack Resurfaces to Hold Files Hostage
· Adobe Reader X Makes PDF Files Safer
· PayPal Users Beware of Holiday Phishing Scam
· McAfee Reports Malware at All-Time High

Site Map | Recent News | Related Sites