Nominum has released a major security update that sharply reduces the success rate of DNS attacks

Sep 1, 2008 10:43 GMT

Nominum Inc., one of the companies that provides network naming and addressing solutions, has released a security update for its Vantio DNS server platform that is supposed to offer unprecedented protection against DNS cache poisoning attacks. According to the company, the new revolutionary security features reduce the chances of a successful attack on servers running its software almost to zero.

This update, which involves major code changes, comes as a response to the Kaminsky DNS flaw discovered earlier this year and to the interim inefficient UDP Source Port Randomization (UDP SPR) patch that was implemented on most servers worldwide.

Nominum is no small player in the industry: the company holds a solid market share, and its server platform is used to provide DNS services to an estimated 120 million Internet users. In addition, since 2001 the company's Chairman and Chief Scientist has been Paul Mockapetris, the inventor of the Domain Name System (DNS). The company participated in the industry's brainstorming effort to find a solution to the DNS cache poisoning vulnerability, an effort which resulted in the UDP SPR patch being developed and implemented.

The security update was built using a layered approach, Dr. Paul Mockapetris noting that this “multi-layered approach eliminates the risk of a successful attack.” The first, “deterrence layer,” consists of the actual UDP port randomization patch, and aims at slowing down an attack. The other three layers are what make the real difference, according to the company. The second layer, called the “defense layer,” establishes a secure connection with a server upon a suspicious query originating from it. This blocks an attacker from spoofing the IP address of an authoritative server.

The “resistance layer” implements a smart system called Query Response Screening, which filters DNS answers to ensure that legitimate queries do not receive malicious data within the DNS responses. This also means that it does not allow indirect query responses, which are a vital element of the Kaminsky proof-of-concept attack. Such a reply would involve the attacker inserting a fake close match in the response when an exact match cannot be found: “subdomain.domain.com can't be located, but www.domain.com is located at [FAKE IP].”
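The screening idea above, written out as an added example (my own constructed code, not Nominum's Query Response Screening, whose actual rules are not public on this page): a resolver accepts answer-section records only for the name it asked about (or a CNAME chain starting there), authority NS records only for a zone inside the bailiwick the query went to, and additional-section addresses only as glue for those accepted nameservers. Everything else, including a “close match” for www.example.com in a reply about some other name, is rejected and can be logged. The sample reply, record names and addresses are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    owner: str    # owner name, e.g. "www.example.com."
    rtype: str    # "A", "NS", "CNAME", ...
    rdata: str    # address or target name
    section: str  # "answer", "authority" or "additional"

def _norm(name: str) -> str:
    return name.rstrip(".").lower() + "."

def _at_or_below(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)

def screen_response(qname: str, bailiwick: str, records: list[RR]):
    """Return (accepted, rejected) for a reply to qname from the bailiwick zone."""
    qname, zone = _norm(qname), _norm(bailiwick)
    accepted, rejected, ns_targets = [], [], set()
    answer_names = {qname}  # grows only by following a CNAME chain from qname
    for rr in records:  # pass 1: answer and authority sections
        owner = _norm(rr.owner)
        if rr.section == "answer" and owner in answer_names:
            accepted.append(rr)
            if rr.rtype == "CNAME":
                answer_names.add(_norm(rr.rdata))
        elif (rr.section == "authority" and rr.rtype == "NS"
              and _at_or_below(owner, zone) and _at_or_below(qname, owner)):
            accepted.append(rr)  # delegation at or above qname, inside bailiwick
            ns_targets.add(_norm(rr.rdata))
        elif rr.section != "additional":
            rejected.append(rr)  # record for some other name: an indirect answer
    for rr in records:  # pass 2: additional section may only carry accepted NS glue
        if rr.section != "additional":
            continue
        owner = _norm(rr.owner)
        if rr.rtype in ("A", "AAAA") and owner in ns_targets and _at_or_below(owner, zone):
            accepted.append(rr)
        else:
            rejected.append(rr)  # unsolicited address record, e.g. fake www glue
    return accepted, rejected

# Constructed Kaminsky-style reply to a query for a random name under example.com:
# the real delegation and its glue survive, the "www.example.com" records do not.
SAMPLE = [
    RR("ns1.example.com.", "A", "192.0.2.53", "additional"),
    RR("example.com.", "NS", "ns1.example.com.", "authority"),
    RR("www.example.com.", "A", "198.51.100.99", "answer"),
    RR("www.example.com.", "A", "198.51.100.99", "additional"),
]
```

The rejected list is what the remediation layer described below would log for the administrator; a real resolver would also check the transaction ID and source port before any of this.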

Finally, the last layer, called the “remediation layer,” has the purpose of notifying the network administrators of a possible attack attempt in real time. The new feature logs such suspicious queries so that the attacker can later be identified and the proper actions taken.

Eventually, solutions like DNSSEC are expected to be adopted, with some governments having already started the process, but this is likely to take years for the commercial Internet, so constantly improving on what is available is the only option for now. According to Tom Tovar, CEO of Nominum, “layered security is the only way to defend against the emerging threats to the Internet.”