Tuesday, July 29, 2008

DNS vulnerability

There's a few things that need to be done to completely fix the DNS cache-poisoning vulnerability Dan Kaminsky discovered.

First, filter additional response data (glue records) aggressively. In delegation responses, the only acceptable glue should be A records for the names given in the responsive NS records. In non-delegation responses only additional records for the exact name being queried should be accepted, records for other names should be discarded. If you're going to cache additional records, only records passing this filter should be cached. Ideally no additional records should be cached.

Second, implement DNSSEC across the board. It shouldn't be that hard, it just requires people to do the work. Signed data makes it impossible for an attacker to successfully get forged responses accepted (barring someone breaking the major public-key encryption algorithms).

Third, network operators near the edge of the network should implement ingress/egress filtering and require it of networks connecting to them. Towards the backbone there's too many netblocks on each interface to filter, but at the edges it's feasible to identify all the netblocks that should be sending packets across a given link. No network should ever permit a packet to go upstream unless it's source address is in a netblock belonging to that network or to a downstream network. No network should accept a packet from a downstream network unless it's sourced from a netblock attached downstream of that interface. That makes forging the source address (needed for the DNS cache-poisoning attack) nearly impossible.

No comments: