Ads by TechWords

See your link here
Receive the latest technology news and information.
IT Management
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
Cloud Computing
View all newsletters




Privacy Policy
 

Opinion: Fix your flawed DNS ... NOW!

July 14, 2008 12:00 PM ET

Computerworld - This installment of "Frankly Speaking" originally appeared in Computerworld's print edition.

If you're a hard-core IT security wonk, you already know about this. If not, go to Doxpara.com right now and click on the button that says "Check my DNS." That will run a simple test to tell you whether your name server appears to be vulnerable to DNS cache poisoning.

No, really -- right away. Doxpara.com. Go. Now. We'll wait.

Did the test say that you're vulnerable? Then you've got work to do.

Did it say that you're not? You've still got work to do.

Here's why: Early this year, security researcher Dan Kaminsky discovered a design flaw in the Internet's Domain Name System, which translates names like Computerworld.com into IP addresses such as 65.221.110.98.

Kaminsky didn't find a bug in one DNS implementation. He found a vulnerability that's designed into every DNS server. That's right -- they're all broken. Microsoft's version. And Cisco's. And BIND, which is widely used on Unix and Linux servers.

The design flaw allows an attacker to hijack domain names. Put simply, a victim would never know where the Internet was taking him. E-mail could be redirected. Web sites could be spoofed. Everything on the Internet is at risk if an attacker takes over the DNS.

How do you fix a fundamental design flaw that affects the entire Internet? Answer: You can't. So you don't. Instead, you find a way to make the design flaw much, much harder to exploit.

Kaminsky contacted Paul Vixie, who has been responsible for the BIND DNS server since 1988. Vixie called together the top DNS experts. In March, they secretly started work on the job of patching every major DNS implementation. Not with a fix -- that would be impossible -- but with a work-around.

On July 8, they all rolled out their patches at the same time. Microsoft. Cisco. AT&T. Sun. Red Hat. The BIND guys. Everybody.

This is not "a patch" to fix "a bug." This is a wake-up call for virtually the whole IT industry. The entire Internet needs fixing. Yes, right now. And that includes every corporate network and every ISP.

Here's the good news: Because the flaw Kaminsky discovered is so baked into DNS, because it literally can't be fixed, the only good way to block it is to make it really hard for attackers to do anything bad to a DNS server. That's what last week's patches do.

As a result, those patches protect you not only from the design flaw Kaminsky discovered, but also from lots of other bugs that have been found over the years -- and from bugs that haven't yet been discovered. It's the biggest and most effective Internet security fix ever.



Jump to comments

frank hayes

Additional Resources

WHITE PAPER
Approximately 60 percent of data migration projects overrun time or budget, while some fail completely. Download this white paper, "Enhancing Your Chance for Successful Data Migration," to learn the critical steps you need to take to execute a data migration project with minimum cost and risk to your business.
WHITE PAPER
Read the Gartner research note to learn why the TCO of a server-based computing deployment used to deliver all applications to users is around 50% lower than that of an unmanaged desktop deployment.
WHITE PAPER
Economic downturns have a tendency to accelerate emerging technologies, boost the adoption of effective solutions, and punish solutions that are not cost competitive or that are out of synch with industry trends. This IDC White Paper presents the results of an IDC survey of 330 companies in Western Europe, Asia/Pacific and the Americas that measures the receptiveness to Linux and takes into consideration changing views driven by the disruptive economic environment that businesses face today.

What People Are Saying