A fundamental flaw in the Domain Name System protocol that would allow an attacker to massively disrupt the Internet has been discovered by a researcher, prompting CERT to issue an alert and major DNS software vendors to issue patches today.

DNS servers across the 'Net and in corporate networks translate host names to IP addresses, and vice versa, allowing for normal Internet use. But a flaw in the underlying protocol leaves them open to being hijacked. And according to the researcher who made the discovery of the critical DNS flaw, Dan Kaminsky, director of penetration testing at IOActive, it's now up to ISPs and corporate network managers to apply the DNS patch software patches released today.

Hear Dan Kaminsky's explanation of the flaw, in our Newsmaker of the Week podcast. 

"We worked with vendors on a coordinated patch," said Kaminsky, noting this is the first time such a coordinated multi-vendor synchronized patch release has ever been carried out. Microsoft, Sun, ISC's DNS Bind, and Cisco have readied DNS patches, said Kamisnky. "The patch was selected to be as non-disruptive as possible."

Lack of an applied patch in the ISP infrastructure would mean "they could go after your ISP or Google and re-direct them pretty much wherever they wanted."

Both current and older versions of DNS may be vulnerable, Kaminsky says, and patches may not be available for older DNS software. He says Yahoo was vulnerable because it uses an older version of BIND but had committed to upgrading to BIND 9.0.

Kaminsky says there's a way to check for vulnerability to the DNS flaw by visiting here.

Kaminsky hinted the problem centers around lack of sufficient port randomization related to the transaction ID of a query but added he would feel more at liberty to discuss the problem publicly in about a month, after the bulk of DNS patching has presumably been done.

Kaminsky says he stumbled on the problem by accident about six months ago, kept quiet about it publicly. He also organized an industry-wide response that culminated in 16 researchers converging on the Microsoft campus in late March to address the problem.

"Several ISPs have been informed," said Art Manion, vulnerability assessment team lead at the CERT Coordination Center, who joined Kaminsky on a conference call today to discuss the DNS flaw and its implications for ISPs and corporate networks. He added that several government agencies worked closely with CERT to address the DNS flaw issue.

Whitepapers

• Advancing the Economics of Networking
• Enterprise Data Center Network Reference Architecture
• Implementing HA at the Enterprise Data Center Edge to Connect to a Large Number of Branch Offices
• File Integrity Monitoring: Secure Your Virtual and Physical IT Environments
• Boost Productivity While Cutting Costs with Next-generation Collaboration
• Deploying Virtualized NetWare on Linux Whitepaper

View more SECURITY whitepapers

Webcasts

• PoE Plus: Impact on the PoE Market
• Creating a high performance workplace with wireless networking
• Harnessing the power of communications to increase workplace performance
• Making data centers the IT strategic focus
• Protecting assets and employees with IP Video Surveillance
• Stay out of the headlines: Detecting and preventing network intrusions

View more SECURITY webcasts

Special Reports

• The Evolution of Network Security
• IP address management in 2008 - six things to know
• The self-managed network

View more SECURITY special reports