Network World
Kaminsky flaw prompts DNS server overhaul

By John E. Dunn , TechWorld , 08/29/2008

One of the companies most at risk from the notorious DNS cache poisoning vulnerability has overhauled security in the latest release of its DNS server software in what looks like a major code rethink.

Nominum, which supplies a decent chunk of the global market for such servers, said it has just finished rolling out a major security upgrade to its caching DNS server platform, Vantio, and has introduced a range of new security "layers" beyond the basic UDP Source Port Randomization (SPR) fix recommended when the flaw was announced in early July by IOActive researcher Dan Kaminsky.

The latest release of Vantio now features a swathe of security features that weren't there before, including the ability to block poisoning attacks against valuable domains, enhanced query response spoofing defenses that switch DNS resolution to a secure back-channel when an attack is detected, and a new Query Response Screening system to weed out DNS poisoning attempts that rely on fake responses to forged requests.

The server also now logs where attacks originate - in contrast to the Internet generally, it is very hard to hide from DNS servers - and alerts an ISP or network if attacks have been detected.

Importantly, Nominum has also come up with a fix for the potentially major problem of running Network Address Translation (NAT) in front of an otherwise patched DNS server. NAT performed by firewalls and load balancers assigns outbound UDP ports sequentially, rewriting the resolver's randomized source port into a predictable one and so rendering the port randomization defense useless.

Given that the official defense against the cache poisoning flaw has been UDP source port randomization, the Nominum overhaul comes in the nick of time. SPR was always seen as insufficient to keep out attackers indefinitely, even though it was implemented as an interim step.

The pessimism over SPR turned out to be accurate: Russian researcher Evgeniy Polyakov managed a proof-of-concept cache pollution attack in 10 hours, using equipment that bombarded a fully patched BIND DNS server with fake DNS requests.
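As an added illustration of the NAT problem and the limits of SPR described above (constructed example code, not Nominum's, BIND's or any vendor's): a check that classifies the source ports of a resolver's outbound queries as captured on the outside of a NAT, alongside a model of a NAT that hands out ports in order, which collapses an off-path spoofer's guessing space back to the 16-bit transaction ID. All port data is generated in the block.

```python
"""Check whether a resolver's outbound DNS queries still carry randomized
source ports after passing through a NAT device. Constructed example; the
input is the list of source ports of consecutive queries as captured on the
external (Internet-facing) side of the NAT."""
import random

SEQUENTIAL_THRESHOLD = 0.9  # share of +1/+2 steps that marks a re-sequencing NAT


def classify_ports(ports, max_step=2):
    """Return 'fixed', 'sequential' or 'randomized' for a port sequence."""
    if len(ports) < 2:
        raise ValueError("need at least two queries")
    if len(set(ports)) == 1:
        return "fixed"                 # one static port: the pre-SPR state
    steps = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    small = sum(1 for s in steps if 0 < s <= max_step)
    if small / len(steps) >= SEQUENTIAL_THRESHOLD:
        return "sequential"            # NAT is allocating ports in order
    return "randomized"


def guess_bits(verdict):
    """Approximate bits an off-path spoofer must guess: 16 for the TXID alone,
    roughly 16 more only while the source port is genuinely unpredictable."""
    return 16 if verdict in ("fixed", "sequential") else 32


def resolver_ports(n, seed=7):
    """Constructed stand-in for an SPR-patched resolver: random ephemeral ports."""
    rng = random.Random(seed)
    return [rng.randrange(1024, 65536) for _ in range(n)]


def nat_rewrite(ports, first_port=40000):
    """Model a NAT that ignores the inside port and allocates outside ports in order."""
    return [(first_port + i) % 65536 for i in range(len(ports))]


if __name__ == "__main__":
    inside = resolver_ports(200)
    outside = nat_rewrite(inside)
    for label, seq in (("resolver", inside), ("after NAT", outside)):
        verdict = classify_ports(seq)
        print(f"{label}: {verdict}, ~{guess_bits(verdict)} bits to guess")
```

Feeding the check with ports taken from a real capture on the outside of a NAT (a few hundred consecutive queries suffice) is enough to tell whether the device has silently undone the resolver's randomization.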

Just as the Kaminsky flaw has turned out to be no ordinary security scare, Nominum is no run-of-the-mill seller of Internet software. Chaired since 2001 by noted DNS luminary Paul Mockapetris, the company is responsible for resolving the domain requests of an estimated 120 million Internet subscribers to the real IP numbers that underlie them.
