We've moved!

TechKnack.blogspot.com has officially moved to TechKnack.net. You should be redirected in 3-5 seconds. Thank you.

July 19, 2008

Is your DNS cache poisoned?

Add this post to Del.icio.us. Del.icio.us (0 saved)

Say what?

First, some background on DNS; feel free to skip this paragraph if you know what it is ;) . "Domain Name System" is a distributed system for translating web addresses (Google.com) to IP addresses ( You type "Google.com" into your browser, the browser (through the computer) sends that address to the DNS, the DNS looks up the address and retrieves the corresponding IP, the DNS sends that IP to your computer, and, finally, the browser can use that IP to contact the appropriate website's server to fetch the content. Each domain has at least one "authoritative" DNS server, which holds the master information for that domain. Other servers in the DNS system contact the authoritative server, and cache the IP address in their own tables. This way, if an authoritative server goes down, less-reliable-yet-still-useful results can be obtained from secondary servers. (This is the way I understand it, please correct me if I'm wrong). OK, moving on.

I was doing some domain name management on FreeDNS a few days ago, when, seemingly out of nowhere, I was getting "error loading page" for that site. I tried a few other sites to make sure my internet wasn't down; I could access Google, but not eBay, with the same situation for a number of other sites. Very strange. Having recently been educating myself about DNS (that happens when you start looking into the details of dynamic DNS ;) ), I immediately assumed that my ISP's (AT&T's) DNS servers were on the fritz. Which, to my knowledge, has never happened before.

So, naturally, I went straight to google with a query: "att dns servers broke". Not the best grammar in the world, but it worked :) . Nothing especially recent popped up under Web results, so I checked out the Blog results, and found this: Your DNS Server is Broken, and Can't Be Fixed. Naturally, that site was one of the sites that my working DNS server(s) couldn't find, so I had to call up a google cached version. 'Twas a scary article.

Basically, there is an inherent flaw in the very design of the DNS system. This flaw allows malicious entities with knowledge of this flaw to poison the DNS cache. This means that they can update the system's cache to point a domain name at their IP address, which, in theory, could be a perfect copy of the original website. This would allow them to redirect major bank websites, for example, to their perfect copies designed to steal your account information. And you, of course, would never know the difference, because the URL bar still says "mybank.com".

Fortunately, the discoverer of the flaw, Dan Kaminsky of Doxpara.com, was a security researcher. And, fortunately, he kept this monumental news quiet and got together with some other security guys and programmers, as well as some of the big names in technology, to work up a workaround. The flaw isn't fixable, but we can make it harder to exploit.

After reading this article, which didn't exactly answer my first question ("Are AT&T's DNS servers down, broken, or worse?"), I headed to the news search. The most recent article there was on Forbes.com: Hackable Broadband Left Unpatched. This article, besides describing the flaw, detailed some major ISPs who hadn't updated their servers as of the day the article was published. To my disdain, AT&T was among them. This may explain the DNS hiccups, though, if implementing this workaround to the main servers is at all a major undertaking.

While sooner is better, the major ISPs (or, really, anyone who runs a DNS server) have until August 6th to update their systems. That's when Kaminsky will be discussing all the gritty details of the exploit in his talk at the Black Hat Briefings. In other words? DNS D-Day for anyone who hasn't patched up yet.

No comments: