MARINA DEL REY, CA — A fatal flaw in the internet’s addressing system was patched in early July, but the International Corporation for Domain Names and Numbers remains sufficiently concerned about the potential for hackers and phishers to launch attacks through un-patched portals that it has released a tool to help domain administrators protect themselves and their users.The so-called “DNS cache poisoning” vulnerability could have allowed hackers to take control of all traffic on the Web, rerouting surfers to any designation the hackers chose regardless what address was typed into a browser. Although many admins responded to a mass call to update their server software in early July, ICANN officials said Wednesday they believe hundreds of thousands of machines worldwide may remain un-patched, creating a monumental opportunity for phishers and distributors of malware.
“Due to the distributed nature of the [domain name system], no one organization can implement a fix for this vulnerability,” ICANN warned Wednesday. “It requires the cooperation of all name server operators and DNS software vendors.”
Consequently, ICANN has released a FAQ about the issue and a tool that allows domain operators to test their domains for susceptibility to the flaw. The FAQ is located at the Internet Assigned Numbers Authority’s website, IANA.org/reports/2008/cross-pollination-faq.html. The tool is available free at Recursive.IANA.org.
Security researcher Dan Kaminsky discovered the design flaw in the internet’s addressing system about seven months ago. While it is not possible to fully fix the cache-poisoning flaw, there are ways to improve resistance to it. The vulnerability affects what are called “recursive” name servers, typically installed at ISPs and corporate network gateways to assist DNS lookups and cache results for faster lookups. The other major type of name servers, called “authoritative” servers — typically employed by domain registries to serve as the final authority about address resolutions — are not susceptible to the flaw.
However, name servers can be configured to perform both recursive and authoritative functions, and in those cases the authoritative functions are compromised by the recursive functions. The IANA tool scans domains and reports whether the subject domain’s name server includes a recursive function.
“Domain operators should look to ensuring that all of the authoritative name servers for their domain are separated from any recursive name servers to avoid being impacted by cache-poisoning attacks,” the ICANN alert issued Wednesday warned.
Surfers, too, can be affected by the vulnerability. ICANN warned surfers to ensure the DNS servers their ISPs use to look up domains have been patched to enable “source port randomization.” The DNS Operations, Analysis and Research Center has posted an online tool making it easy for surfers to evaluate their systems at its website, DNS-OARC.net/oarc/services/dnsentropy. If the test returns “great,” surfers can rest assured they are protected. If any other result is returned, surfers are advised to contact their network administrator and ask that the organization’s recursive name servers be updated.
Kaminsky also has posted to his site, Doxpara.com, a tool that will help surfers determine whether their systems are vulnerable to the flaw.
