Robert Hensing's Blog

Software Security . . . and stuff.

Dan's DNS checker - We need a new ship!

Dan's DNS checker - We need a new ship!

  • Comments 1
  • Likes

Heres' an interesting, somewhat reflective blog from Kaminsky on security researcher drama, and how in an ideal world lots of trusted peers would get to review your vulns and fix plans before the patches ship: http://www.doxpara.com/?p=1164  Sadly - in the real world it doesn't always get to work that way for a lot of interesting reasons but I'm glad everyone worked it out and is happy again.

I also love the DNS checker on the right side of his blog.  Dan allowed me to discover that Bellsouth apparently doesn't patch in a timely fashion (and I suspect - AT ALL) . . . not that it matters to me - it's not like DNS is a secure sort of protocol anyways or was ever intended to be one (I mean - just grep through a DNS RFC like this one: http://www.faqs.org/rfcs/rfc1035.html looking for the word 'secure' or 'security') . . . so I don't really trust that even with all of the latest DNS security update creamy goodness applied that there would be no ways for nefarious types to have fun with DNS at my expense . . . so thus while I find Dan's vuln to be pretty cool in a scientific sort of way, at a macroscopic / real world level, with respect to how data travels through the series of interconnecting tubes, it sort of seems to me a bit like the crew of a strafed, torpedoed and badly listing ship which is heading towards an underwater minefield responding to and patching the bullet holes in the hull . . . it may give them something to do and make them feel better temporarily, but at the end of the day it just doesn't matter - that ship is still going down.  You needn't worry about plugging those holes as the battle to save the ship has already been lost - clearly what is needed at that point - is a new, more secure ship.

So with that said - I always find it sort of amusing (and sad) at how fundamentally insecure communications on the Internets are to this day (with respect to spoofing, tampering and other S.T.R.I.D.E. type threats) and most of my ire is focused on DNS and lower level protocols which I still can't believe are in use to this day in the year 2008 . . . but DNS is really just one insecure protocol riding on and trusting other insecure protocols so at the end of the day when I wax all philosophical I have to wonder - "does yet another DNS update really matter, when there are so many other problems with the way we convey packets on the Internet today?".

Well of course it matters but I mean think about it . . . let's start at the bottom with the lowest level protocol that I have a beef with:  ARP.  We still to this day rely on it, errantly and against our better judgement, to begin the process of conveying information from one machine to another, and so to this day it's being exploited for nefariousness: http://blogs.zdnet.com/security/?p=1242.  Again - this is happening in the year 2008!

Work your way up the stack - there are many other by design vulnerabilities at each layer that require new more secure versions of the protocols (that likely already exist or have been proposed) to resolve . . . but yet they aren't widely deployed or used on the Internets - so I guess that's why I find it sort of silly to get all worked up about DNS.  Yeah it's important - but so are other lots of other minor things like ARP or IP which also seem pretty bad (to me).

Um, captain?  Can we like . . . get a new ship pleaze?  OKTHXBAI!

(p.s. - Forgive the bad warship analogies - I'm finally getting around to reading Cryptonomicon which is largely centered around fictitious events of WWII so submarines, warships, bullet holes etc. are very much on my mind. . . )

Comments
  • You could use the IPv6 analogy of having a parachute and bomb strapped to you. You definitely open the parachute before trying to defuse the bomb, because if you do things the other way around, you hit the ground long before you stop fiddling with the bomb.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment