ICANN on DNS Flaws

The Internet Corporation for Assigned Names and Numbers (ICANN) announced in a press release today that it is raising awareness of a recently discovered vulnerability in the domain name system (DNS).

ICANN also released an FAQ and an online tool for domain operators to test their domains.

According to ICANN no one organization can implement a fix for this vulnerability. It requires the cooperation of all name server operators and DNS software vendors.

However, ICANN sees an important goal in spreading awareness of the need to update Internet infrastructure to cope with the threat.

Security researcher Dan Kaminsky recently discovered a design flaw in the fundamental DNS protocol. While it is not possible to fully fix this flaw, there are ways to improve resistance to it. This involves system administrators patching or reconfiguring their DNS servers.

The vulnerability affects what are called “recursive” name servers, typically installed at ISPs and corporate network gateways to assist DNS lookups and cache results for faster lookups, rather than the type of name servers used by domain registries which are “authoritative” name servers.

However, name servers can be configured to perform both “recursive” and “authoritative” functions from the same machine, and by doing so the susceptible recursive function can cause security risks for the authoritative function.

For operators of domain names, this vulnerability can be used to affect the contents of their zone if their authorities also provide recursive name service.

To detect whether a particular zone is vulnerable, ICANN has produced a tool that can check a particular domain: http://recursive.iana.org/

Domain operators should look to ensuring that all of the authoritative name servers for their domain are separated from any recursive name servers to avoid being impacted by cache poisoning attacks.