A widely respected reverse software engineer says the alarm over the flaws in Domain Name System (DNS) servers is overblown.
Researcher Halvar Flake said that anyone who uses the internet should assume that the DNS gateway is already a haven for attackers.
“That is why we have SSL, that is why we have certificates, that is why SSH tells you when the host key changes,” Flake said in a post on his blog. “DNS can never be trusted - you always have to assume that your ISP’s admin runs a broken file sharing server on the same box with BIND.”
Flake is the creator of BinDiff, a command-line tool that helps researchers conduct binary differential analysis to detail the differences between two binaries. He called security researcher Dan Kaminsky’s discovery of a serious flaw in the implementation of the DNS protocol, good work, but added that there have been much worse problems in recent memory.
In an announcement last week, Kaminsky called the DNS flaw a threat to every system that connects to the Internet. The flaw opens DNS servers to cache poisoning, which would allow an attacker to redirect Internet traffic and potentially steal sensitive data, such as credit card numbers and personally identifiable information.
The flaw was a design issue that couldn’t be addressed by a single vendor. As a result, a number of DNS vendors issued a coordinated release of updates to address the issue.
Kaminsky addressed the skepticism of some researchers in his doxpara blog. Kaminsky provided details of the flaw to security researchers Thomas Ptacek and Dino Dai Zovi. Both researchers called the DNS issue way more serious than they imagined.
“Nobody reading this can know if I was right or not, because (almost) nobody knows the bug,” Kaminsky said.
Kaminsky said he will release details of the flaw at the Black Hat 2008 conference, on August 7 and 8, in Las Vegas.
