Forwarded from: Paul Hoffman <paul.hoffman (at) vpnc.org>

At 12:14 AM -0600 12/17/07, InfoSec News wrote:

> > Please read the comments on this article over at CircleID, where it
> > is pointed out that the data does not support any difficulties with
> > open recursive DNS servers, but rather with misconfigured DNS
> > servers. Both David A. Ulevitch and Brett Watson make the points far
> > better than I could.
> >
> > http://www.circleid.com/posts/malicious_open_recursive_dns_servers/
> >
> > The authors of this report would have done themselves a favor, had
> > they listened to their reviewers
>
> I agree that it would make sense to point out that while DNSSEC (
> http://www.dnssec.net ) will help, upgrading from Bind 4 might also
> help out a bit..

DNSSEC will not help unless the users' systems are configured to reject
unsigned responses and responses whose signature will not validate. It
will take typical users about ten minutes to apply the "just click
through the security warnings" lesson from SSL to these warnings,
thereby making DNSSEC useless to everyone except the people who are
already security conscious. No panacea here.

> Still, it doesn't take many servers to create either DNS Poisoning or
> massive DDoS's via DNS amplification attacks

You have conflated two completely different DNS problems into one,
thereby falling for Mice and Men's scare tactics.

To fix DNS poisoning attacks, we need to get the resolvers running the
broken code to update their code. *None* of the people running those
resolvers want to be running bad code; it doesn't serve them at all.
They can be identified and, with a bit of creativity, contacted by
email and phone. A round of "shaming the lame" could probably reduce
the number of such servers by 90%.

In order to reduce the possibility of DNS amplification attacks, you
need to turn off nearly every open DNS resolver. This is essentially
impossible because there are plenty of good reasons for DNS
administrators to want their resolvers to be open. Closing open
resolvers means that mobile users cannot use their home DNS servers and
are at the whim of whatever local DNS server they are forced to attach
to. This can and will change over time as PCs allow users to easily use
passwords to get their DNS resolution services, but for now (and
probably at least ten years), they're stuck.

As the original message said, read the comments on the original article
from people who have actually researched this topic. Knee-jerk
reactions are common (as we have seen in the debate on this topic in
the IETF for the past few months) but not helpful in actually getting
the DNS to be secure in the long run.

--Paul Hoffman, Director
--VPN Consortium

__________________________________________________________________
Visit InfoSec News http://www.infosecnews.org/
This archive was generated by hypermail 2.1.3 : Mon Dec 17 2007 - 22:09:45 PST