DNS vulnerability: BIG DEAL
The weakness of DNS implementation has been known for years...
Then on 8th July Dan Kaminsky managed to orchestrate simultaneous patch for plenty of vendors...Hmm... a lot of security gurus rather skeptic that Dan found out something new...
Personally I found fascinating why the hell it seems almost ALL vendors whom have recursive DNS implementation are vulnerable?!?
I mean, the vulnerability is caused by several factors one of the it's vulnerable against guessing attack... If security was in mind when writing DNS implementation, they MUST implement randomness on... (btw, even if the DNS server is patched, FW in front of the DNS server will likely has non random source port generation... causing the DNS to become vulnerable again... :(
I was expecting most DNS implementation follows common sense to randomize source port, as DJBDNS... Are developers/software designers so lazy (copying code from BIND?) or dont care about security or they simply dont know?
???
What Dan Kaminsky knows that others dont?!?
Then today a security vendor (by mistake/accident/on purpose) let the cat out of the bag... and put it back in... basically publishing in their blog how this vulnerability works... (Serious security company should never make this kind of mistake...)
SHIT this is really BIG DEAL...
DNS vulnerability is already a big deal for obvious reason, but this one is really BIG DEAL... Internet wasn’t safe.. now it ever more dangerous place to be, the problem is there is not easy quick fix... I guess we just have to live in danger...
Anyway as the most dangerous thing in this world is dangerous things that we do not know they are dangerous... so at least know we know better that trusting DNS result are dangerous...
Then on 8th July Dan Kaminsky managed to orchestrate simultaneous patch for plenty of vendors...Hmm... a lot of security gurus rather skeptic that Dan found out something new...
Personally I found fascinating why the hell it seems almost ALL vendors whom have recursive DNS implementation are vulnerable?!?
I mean, the vulnerability is caused by several factors one of the it's vulnerable against guessing attack... If security was in mind when writing DNS implementation, they MUST implement randomness on... (btw, even if the DNS server is patched, FW in front of the DNS server will likely has non random source port generation... causing the DNS to become vulnerable again... :(
I was expecting most DNS implementation follows common sense to randomize source port, as DJBDNS... Are developers/software designers so lazy (copying code from BIND?) or dont care about security or they simply dont know?
???
What Dan Kaminsky knows that others dont?!?
Then today a security vendor (by mistake/accident/on purpose) let the cat out of the bag... and put it back in... basically publishing in their blog how this vulnerability works... (Serious security company should never make this kind of mistake...)
SHIT this is really BIG DEAL...
DNS vulnerability is already a big deal for obvious reason, but this one is really BIG DEAL... Internet wasn’t safe.. now it ever more dangerous place to be, the problem is there is not easy quick fix... I guess we just have to live in danger...
Anyway as the most dangerous thing in this world is dangerous things that we do not know they are dangerous... so at least know we know better that trusting DNS result are dangerous...
Labels: security
posted by omarg at
7:43 PM
1 Comments:
Well written article.
Post a Comment
<< Home