Last July I wrote about a serious security flaw in the domain name system (DNS). It was discovered by researcher Dan Kaminsky and got a lot of coverage: It’s Tuesday — Must be Time to Fix DNS
There was two parts to the DNS vulnerability that quickly became known as the Kaminsky flaw. One was related to poor port number randomization, making it easier for criminal elements to hijack DNS queries and redirect them to fraudulent sites. That problem could be addressed with a software patch, and most of the coverage last year focused on the concerted efforts made by companies like Microsoft, Sun, Cisco and many others to distribute the patches.
But there was another part to the flaw that could not be patched, since it was fundamental to the DNS protocol itself. Internet consumers are still at risk of being redirected through something called cache poisoning, which fools a DNS server into thinking a fraudulent site is authentic. Until recently there was little public acknowledgement of this happening, because most companies are loathe to discuss security breaches.
But in April there was a major breach of a Brazilian IPS Virtua and one of its big customers, the Brazilian back Bradesco. Here’s coverage of the incident from the The Register.
Last week my client NeuStar announced Cache Defender, a way for ISPs to protect their customers from this fundamental Internet vulnerability. ISPs can deploy this solution to create a secure DNS link between their customers and the domains NeuStar is authoritative for, including some of the largest Internet brands such as Amazon, Advertising.com, Oracle and Zappos. Cache Defender is designed to be an interim solution until DNSSEC, a more secure version of DNS can be implemented by the global Internet community.
Here’s some coverage of the announcement:
I’ve worked on DNS issues previously in my career, so this news was very exciting and fun to promote. If you’d like to know more, check out a discussion going on over at CircleID, a top online forum for Internet infrastructure discussions. Not surprisingly, some negative comments about Cache Defender are coming from NeuStar competitors. But the company already has one announced ISP deployment, with more in the works.
DNSSEC is no doubt the definitive answer, but probably won’t be widely deployed until 2011 for a number of technical and political reasons. Until then, Cache Defender is an excellent way for ISPs to show they are doing all they can to protect their customers.