DNS flaw : corrected on the first day

Sam — Sun, 27 Jul 2008 01:12:00 +0200

On July 8, 2008, the US-CERT (United States Computer Emergency Readiness Team) announced that they had discovered a new way to quickly take advantage of weaknesses in the DNS protocol. This method targets non updated 'recursive' servers, allowing the 'attacker' to fake an answer as coming from an 'authoritative' server.

Gandi, as a registrar, only owns 'authoritative' servers and was not affected by this flaw.
However, we are also a webhost now, and our customers go through 'recursive' servers. These servers were updated by our technical team, just a few hours after the announcement.

All right, but what are recursive and authoritative names servers?

There are two types of name servers:

1. The recursive servers, when questioned, get the information from other servers.

2. The authoritative servers have the information requested by (among others) recursive servers.

Recursive servers are those usually provided by ISPs or webhosts for their customers.
To simplify : when someone enters the URL of a domain name in his web browser, if the domain is entirely managed by Gandi, a DNS request goes from his computer to his ISP's recursive server, which in turn, requests the information from Gandi's authoritative server, and get the address of this domain name.

Gandi's authoritative server answers politely to the recursive server, which temporarily stores the answer in a cache, and finally, the answer is transmitted to the browser. The temporary cache is used to speed up the answers to a ''recursive' server, and thus avoid too much repetition of the same question. This way, there are less exchanges between ''recursive" and authoritative servers, and the Internet's general behavior is improved.

And so?

This new method allows a bad person to trap a vulnerable recursive server into believing that an answer comes from an authoritative server. The recursive server, sure that the answer is correct, stores it in its cache. Does this sound abstract?
Just imagine that you have the ability to pretend to an ISP's customers that you are gandi.net, gmail.com or even amazon.com, and do this for serveral hours at a time... You get the picture.

What you should bear in mind (for our more technical readers)

First of all, the flaw of the DNS protocol is not new. It was identified quite a while ago and is inherent in its design. The technique allowing someone to use this flaw was first published on July 21st and showed how to simply bypass the existing barriers.
Once again a new barrier that has been put in place to prevent this. This new procedure has been recommended for several years and works by using a random source port in the request.
It is important to remember that this measure does not fix the flaw but means that any attack would take longer to succeed.

The DNS protocol does not guarantee the identity of individual machines, which makes preventing such attacks more difficult. The DNSSec protocol that might replace it, is designed to correct this flaw (among other things). However, and for several reasons, it has not yet been put into place.
In any case, the solution is to use secure connections, such as SSL (certificates, signatures and encryption...) when you wish to be sure of the identity of a site.
But even with all these tools and technologies, it is still important to pay attention to your web browsers SSL warning messages

Update of the Gandi Groups platform

Ryan — Fri, 18 Jan 2008 10:45:00 +0100

In order to migrate Gandi Groups to version 2.0, we will need to temporarily suspend new posts. It will therefore not be possible to post any messages on the forums between Monday, January 21st and the following Tuesday morning.

Thank you for your understanding.

Gandi IWI Blog - Gandi IWI

DNS flaw : corrected on the first day

Update of the Gandi Groups platform