Sep 8
A little time has passed since the major uproar over the critical DNS cache-poisoning vulnerability that researcher Dan Kaminsky discovered. Since then a temporary "band-aid" fix has been applied: resolvers now randomize their source ports, which makes it far harder for an attacker to poison a DNS server's cache. But this is not a fix that can stand the test of time and secure DNS for good. DNS is still broken and vulnerable, and much more work and many more ideas are needed to secure it.
Researchers have put forward many ideas for securing DNS. Many of them are discussed on Dan Kaminsky's blog, where he walks through their benefits, downsides, and how they might be implemented.

In an earlier article on his blog he discussed using TTL as a security feature. Someone proposed using the TTL (time-to-live) to prevent a record in a server's cache from being overwritten until that record's TTL has expired. Kaminsky points out several problems with this. One is that TTLs vary widely between servers: for servers whose records carry very high TTLs, the scheme can cause a lot of operational problems, while for those with very low TTLs, you gain little protection from it.

For more on Kaminsky's take on using TTL to try to fix DNS, you can read his statements on his blog. It will be interesting to see what people come up with to secure DNS.
