The end of DNS attacks?
This month's First Look is one of those products that really holds a unique and important place in the pantheon of information assurance tools. But, before we get into the product, we need to have a bit of a mini-tutorial on the problem it addresses.
The core of the internet is the domain name system, or DNS. Attacking the DNS puts the entire internet at risk. About a year ago, Dan Kaminsky, director of penetration testing at IOActive, demonstrated a flaw in the DNS that could have catastrophic consequences, or so it was claimed. The key to this flaw is access. It manifests in such attacks as cache poisoning, but the bottom line is that an attacker exploiting the flaw could access the DNS server and reconfigure it to redirect DNS queries for legitimate sites to hostile sites.
That brings visions of buyers on the internet who think they are exchanging credit card information with eBay but are really communicating with steal_my_credit.com. Actually, it could be much worse if we think of the attack scenario on the scale of root servers on international backbones or core DNS servers at major ISPs. This is, potentially, a pretty nasty prospect.
Enter our First Look. Since about 2004, Secure64 has been working on a way to prevent any type of direct attack against a DNS server. Their solution was to manage access to the server itself. After several years of research, the true depth of the problem converged with the solution, and we have Secure64 DNS Signer. There is an intermediate step here, though.
In 2005, several requests for comments (RFCs) describing the Domain Name System Security Extensions (DNSSEC) began to appear. In 2008, a new RFC that refined the DNSSEC protocol came out. The core of these RFCs is the addition of some new record types and some header flags. It is here that Secure64's product enters the picture.
Some of the things we get with the new DNSSEC protocol are digital signatures, key management and resistance to replay attacks. That's the good news. We can hack up a script to add some key management and authentication, and that might work OK if you are dealing with a fairly small system. But what do you do with a system that has hundreds or even millions of zones to protect? Now we have a daunting problem.
Secure64 DNS Signer completely manages the DNSSEC key signing and management process no matter how big the target system. That means that with a couple of changes to a command line interface everything that needs changing gets changed automatically. On a complete domain, for example, this process would be nearly impossible without some sort of reliable, easy-to-manage tool. DNS Signer is just such a tool.
There are several pieces of the process that DNS Signer needs to address. First, keys need to be generated. This is a public key system, so the next critical issue is protecting the private keys. Because access to the private keys enables account-spoofing, that is probably the most practical way of compromising a public key system. DNS Signer maintains a secure repository for the safekeeping of private keys, even from the system administrator.
The product is built on top of an operating system that is purpose-built from the custom kernel all the way to the command line interface that, depending on where you are in the interface, looks like a familiar Linux, Unix or Cisco user interface. The product is going through FIPS Level 3 testing and the results look promising.
Man-in-the-middle attacks are prevented by a unique parent-to-child chain of trust. Unless the chain of trust is intact, nothing works. Also, if you attempt to use the protected DNS server with a typical unprotected DNS server, there is no problem exchanging information, but if you try to attack the protected server, spoof requests or attempt attacks such as cache poisoning, you'll hit a brick wall.
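To make the parent-to-child chain of trust described above concrete (and the new record types mentioned earlier), here is an added example, not Secure64's code, that checks one link in that chain the way a validating resolver does: the DS record published in the parent zone must match the digest of the child's key-signing DNSKEY (RFC 4034). The zone name and key bytes are constructed placeholders.

```python
# Added example for this article (not Secure64 code): check one DS -> DNSKEY link.
import hashlib
import hmac
from dataclasses import dataclass
# DS digest types registered for DNSSEC: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

@dataclass(frozen=True)
class DNSKEY:
    owner: str        # zone name, e.g. "example.com."
    flags: int        # 257 = zone key with the SEP bit set (a KSK)
    protocol: int     # fixed at 3 for DNSSEC
    algorithm: int    # 8 = RSA/SHA-256
    public_key: bytes

    def rdata(self) -> bytes:
        """DNSKEY RDATA in wire order: flags, protocol, algorithm, public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)

def owner_wire(name: str) -> bytes:
    """Canonical owner name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit selector, not a security check."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(key: DNSKEY, digest_type: int = 2) -> bytes:
    """Digest the parent publishes in its DS record: hash(owner || DNSKEY RDATA)."""
    return DIGEST_ALGS[digest_type](owner_wire(key.owner) + key.rdata()).digest()

def chain_link_intact(ds: tuple, key: DNSKEY) -> bool:
    """ds = (key_tag, algorithm, digest_type, digest) as published by the parent.
    Any mismatch breaks the chain, and a validator then trusts nothing below it."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_ALGS or alg != key.algorithm or tag != key_tag(key):
        return False
    return hmac.compare_digest(digest, ds_digest(key, dtype))

# Constructed sample: the key bytes are a placeholder, not real RSA key material.
CHILD_KSK = DNSKEY("Example.COM.", 257, 3, 8, bytes([1, 2, 3, 4]))
PARENT_DS = (key_tag(CHILD_KSK), 8, 2, ds_digest(CHILD_KSK))
# Same zone, different key material: the DS no longer matches, so the link fails.
OTHER_KSK = DNSKEY("example.com.", 257, 3, 8, bytes([1, 2, 3, 5]))
```

A real validator repeats this check at every delegation from the root down and additionally verifies the RRSIG signatures with the matched key; this block shows only the DS-to-DNSKEY link that a key rollover tool must keep consistent.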
This is a next-generation tool for a next-generation problem, and as far as I can see these folks have the market cornered. The problem is real and getting more critical, and there are not a lot of solutions out there from which to choose. This, in my view, is the tool leading the charge, and it is certainly one to watch.