Companies are still failing to secure DNS networks despite the threat posed by last year's security flaw. That's according to the flaw's discoverer, Dan Kaminsky, who has become a dedicated evangelist for DNS Security Extensions. He pointed out that even the US federal government had missed its own deadline for rolling out DNSSEC.
Speaking at the Black Hat DC 2009 conference, Kaminsky told the audience that the lack of DNS security not only makes the Internet vulnerable, but is also crippling the scalability of important security technologies.
"DNS is pretty much our only way to scale systems across organisational boundaries, and because it is insecure it's infecting everything else that uses" DNS, the fundamental Internet protocol that provides an IP address for a given domain name, said Kaminsky, director of penetration testing at IOActive. "The only group that has actually avoided DNS because it's insecure are security technologies, and therefore those technologies aren't scaling." Kaminsky began promoting DNSSEC last summer, following his discovery of a significant DNS flaw - known as the Kaminsky Bug - where cache poisoning attacks allow a hacker to redirect traffic from a legitimate website to a fake one without users realising it. DNSSEC attempts to prevents spoofing attacks by allowing websites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.
Despite the fact that key operating system vendors - including Sun, Cisco and Microsoft - released patches to temporarily fix the flaw, Kaminsky said DNS security has not been widely adopted.
The US government, for example, missed its January deadline for rolling out DNSSEC on the .gov top-level domain, and is aiming to complete the task by the end of February and to patch all subdomains by December.
One roadblock to DNSSEC adoption is that it isn't easy to implement, Kaminsky admits, and calls for coordination by many parties. DNSSEC requires domain name registrars, domain name registries, ISPs and users to upgrade their software.
Still, Kaminsky said DNSSEC offered the most feasible solution to a serious threat.
"We need to put out the immediate fire," he said. "We should stop arguing whether DNS should be used for security and [just] use it for security because it scales."
At the conference, Kaminsky stressed the importance of securing not only DNS servers on the Internet, but those behind firewalls as well. This is because web applications such as e-mail and browsers can be manipulated to perform DNS lookups, and therefore are vulnerable to penetration.
"There should be no important servers that are vulnerable," he said.