Securing the internet with DNSSEC, one DNS query at a time
Dan Kaminsky found a design flaw shared by the majority of DNS servers (a cache-poisoning weakness in how a resolver decides which reply belongs to which query) and, just as importantly, a way to exploit it reliably and repeatably. That is only one of many attacks on DNS that DNSSEC would address.
Just what is DNS? DNS is how your computer turns a name into the numeric IP address it actually connects to, such as roysdon.net resolving to 208.202.125.53. DNSSEC is a security extension to DNS. It lets the servers that hold the data attach cryptographic signatures to the records they send, so that any forging or editing of a reply can be detected as the answer passes through the half dozen or so DNS servers a query typically touches on its way back to you.
Why is this a big deal? Say you work at acme.com, so you've told Internet Explorer to trust any acme.com domain. What if I send you an email, or get you to a well-crafted web page, carrying some bad mojo code (say an ActiveX installer or whatever), and I've poisoned your DNS servers into believing badserver.acme.com points at the server hosting that code? Since you already trust acme.com, you'll get no warning and things will just install. This is an over-simplification, but you get the point, and it is a real-life problem.
The solution is to have DNSSEC signatures published alongside the records by the servers that own them, and verified by the DNS server closest to you, at your ISP or office, before it hands you an answer.
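To make the difference between the two resolver behaviours concrete, here is an added Go example; it is not code from the original post and it is not a real DNS implementation. It models the acme.com story above with constructed data: a resolver that only checks the 16-bit transaction ID (the pre-DNSSEC behaviour Kaminsky's attack abuses) against one that also verifies a signature over the answer RRset under a key it trusts. Ed25519, which is DNSSEC algorithm 15, stands in for the real RRSIG/DNSKEY records; the canonical form, the record types, the addresses (203.0.113.10 and 198.51.100.66 are documentation ranges), the transaction ID 0x1234 and the assumption that the attacker has already guessed that ID are all simplifications chosen for the example. Real DNSSEC validation also walks a chain of trust from the root down to the zone; here the zone's public key is simply taken as the trust anchor.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"sort"
	"strings"
)

// RR is a deliberately simplified resource record: owner name, type, TTL, rdata.
type RR struct {
	Name, Type, Rdata string
	TTL               uint32
}

// Reply is a simplified DNS reply. TxID is the 16-bit transaction ID a classic
// resolver matches on; Sig plays the role of the RRSIG record DNSSEC adds, an
// Ed25519 signature (DNSSEC algorithm 15) over the canonical form of Answer.
type Reply struct {
	TxID   uint16
	Answer []RR
	Sig    []byte
}

// canonical serialises an RRset so signer and validator sign/verify identical
// bytes: owner names lower-cased, records sorted, every field length-prefixed.
// This is a stand-in for the RFC 4034 canonical form, not a copy of it.
func canonical(rrset []RR) []byte {
	sorted := append([]RR(nil), rrset...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Rdata < sorted[j].Rdata })
	var buf bytes.Buffer
	for _, rr := range sorted {
		for _, f := range []string{strings.ToLower(rr.Name), rr.Type, rr.Rdata} {
			binary.Write(&buf, binary.BigEndian, uint16(len(f)))
			buf.WriteString(f)
		}
		binary.Write(&buf, binary.BigEndian, rr.TTL)
	}
	return buf.Bytes()
}

// signRRset is what the zone owner does when it signs its zone.
func signRRset(zoneKey ed25519.PrivateKey, rrset []RR) []byte {
	return ed25519.Sign(zoneKey, canonical(rrset))
}

// classicAccept models a pre-DNSSEC resolver: a reply is cached if its
// transaction ID matches the query's. Guess the ID and you own the cache.
func classicAccept(expectedTxID uint16, r Reply) bool {
	return r.TxID == expectedTxID
}

// validatingAccept models a DNSSEC-validating resolver: same ID check, plus
// the signature must verify under the key the resolver trusts for the zone.
func validatingAccept(expectedTxID uint16, trusted ed25519.PublicKey, r Reply) bool {
	return r.TxID == expectedTxID && ed25519.Verify(trusted, canonical(r.Answer), r.Sig)
}

// Outcome records which resolver model accepted which reply.
type Outcome struct {
	ClassicTakesForgery     bool // old resolver caches the attacker's answer
	ValidatingTakesForgery  bool // validating resolver caches the attacker's answer
	ValidatingTakesGenuine  bool // validating resolver still accepts the real answer
	ValidatingTakesTampered bool // validating resolver accepts a real reply edited in flight
}

// Scenario runs the constructed acme.com story: a genuine signed answer, a
// forgery whose transaction ID the attacker has guessed (signed with a key the
// resolver does not trust), and a genuine reply whose rdata was rewritten on
// the wire while keeping the original signature.
func Scenario() Outcome {
	zonePub, zonePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader) // attacker has no zone key
	if err != nil {
		panic(err)
	}

	txid := uint16(0x1234) // the ID the resolver used; assume the attacker guessed it
	genuineRRs := []RR{{Name: "www.acme.com.", Type: "A", TTL: 3600, Rdata: "203.0.113.10"}}
	forgedRRs := []RR{{Name: "www.acme.com.", Type: "A", TTL: 3600, Rdata: "198.51.100.66"}}

	genuine := Reply{TxID: txid, Answer: genuineRRs, Sig: signRRset(zonePriv, genuineRRs)}
	forged := Reply{TxID: txid, Answer: forgedRRs, Sig: signRRset(attackerPriv, forgedRRs)}
	tampered := Reply{TxID: txid, Answer: forgedRRs, Sig: genuine.Sig} // real RRSIG, edited rdata

	return Outcome{
		ClassicTakesForgery:     classicAccept(txid, forged),
		ValidatingTakesForgery:  validatingAccept(txid, zonePub, forged),
		ValidatingTakesGenuine:  validatingAccept(txid, zonePub, genuine),
		ValidatingTakesTampered: validatingAccept(txid, zonePub, tampered),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

Running it prints an Outcome in which only the classic resolver takes the forgery: the validating resolver rejects both the attacker's self-signed answer and the in-flight edit, and still accepts the genuine reply. The point the example makes is that matching a 16-bit ID is the only thing standing between a classic cache and an attacker, while a signature under a key the attacker does not hold cannot be guessed no matter how many replies are sent.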
More technical details in a future post.