I am following closely this new DNS mess. In fact, there’s nothing really new in that. DNS has been attacked lots of times over the years – as a result of not being designed with security in mind from the ground up -, just this new one is a combination of known attacks against known security flaws. The “quick fix” is not a real fix, and just incorporate old ideas into the most used DNS software, strengthening it to face the attack. The details leaked, and there’s already at least one public exploit (and who knows how many in the wild).
The new buzzword is DNSSEC.
I don’t like DNSSEC. I never did. The first time I heard of it, around year 2001, it was a centralization of a decentralized database: A proposed company (called Network Solutions) would serve as a central authority, signing every root DNS entry. It was a joke! Come on! DNS is suppose to be decentralized! Having a central company anywhere is just a huge step back in decentralization (not to mention a huge step back in security).
Time passed, and the DNSSEC specs evolved to a more decentralized way of thinking. The state it is now, and the implementations we saw so far are not good. No! I am not talking about security… I am talking about the KISS principle: DNSSEC turns something really simple to deploy into a full-time job, with frequent key roll-overs and re-signing everytime you change the zone – a huge mess! Yes, there are automated tools, but, come on! you still have to wait for TTL to expire before publishing this part or that part of the cryptographic machinery… And, if we are talking about real security, are we going to build some automated tool “fire-and-forget”-style and not follow it? If we are not looking at it as it goes, and it fails, we could end up with a completely wrong set-up or (even worse) a non-validating zone.
And I haven’t yet mentioned the increase in payload… I am not completely convinced that this alone would not lead to DoS attacks just by compromising the responsiveness of the servers (and DoS attacks are already available for quite some time – maybe the DNSSEC-medicine is worse than the disease…). The root (”.”) servers are not even DNSSEC-aware, and there’s a whole class of other stuff to work-around the fact that they may not be DNSSEC-aware for quite some time yet.
There has to be a simpler way!
I can imagine at least three ways to fix the problem until we can fix DNS in a KISS way… And they’re all KISS also:
- Change Transaction ID field. This is the first Achiles heel of this crisis. Let’s increase the length of this field to 2048 bits, or even larger. Better yet, let’s make it variable, so every system administrator can set his servers’ own size. Yes, I know this leads to replacing ALL the DNS infrastructure, but isn’t that what we are doing right now, anyway?
- Deactivate in-bailiwick injection. Over the years, DNS have been expanded to allow a lot of things other than translation of names into numbers (or to ease this translation). The second Achiles heel is the ability to inject the IP address for WWW.VICTIM.COM while consulting for 10294DKGJSDL.VICTIM.COM since both name-addresses are in the same bailiwick (in-bailiwick). Let’s take a step back, and deactivate all this… Before 1995, the same thing could happen with any addresses, including those “out of bailiwick”, and it was fixed to only allow those in-bailiwick… Let’s fix it again to not allow it at all!
- Good, and old iptables. Couldn’t we just use iptables’ LIMITS to stop this attack and blacklist the attacker? We’ve been doing this for a lot of other things (SYN-floods, ICMP attacks, etc). Can’t we just do the same. Again: this is not a new thing… it relies on multiple attacks in a short period of time, just like other attacks we’ve seen and successfully blocked with these techniques…
Maybe some of those three solutions are flawed… Maybe none are flawed and can be deployed together… Maybe I am wrong and DNSSEC is the only way to go… But let’s not panic, let’s cool our minds and begin thinking it through. I still don’t think DNSSEC is the holy grail…
Now… I already spent more time than intended on this… let me go back signing some zones ;-)
