Dissecting DNS Attack Scenarios

This is the most rational, well thought out and emotionless analysis of the DNS vulnerability I have read (here) – kudos to Peter Tippet and Russ Cooper from Verizon for using the Art of Security (here) and drop kicking the FUD back to where it belongs, a 1950’s Roger Corman B-Movie.

Summary:

At the end of the day, there are new attack scenarios that may be attractive for whatever reason, but they are a far cry from the earth-shattering tales being suggested by many in the press today.

None of this discussion is to suggest that a new and simple DNS-related attack should be ignored. Indeed, we recommend that every administrator of DNS systems both in companies and at hosting providers and other service providers should: 1) have ready standby systems both for testing and for at least cold-swappable implementation, 2) that appropriate software upgrades be applied after testing and 4) that other countermeasures both at the DNS level and at other levels suggested by this discussion be deployed. Although patching is important, administrators should certainly use many of the numerous other configurations, authentication, cache sizing, and other countermeasures available both within their DNS systems and elsewhere.

Of course, we have considered a number of other scenarios which we have not published here. None represent dire consequences for the Internet. All have some or many of the same limitations described above. Some are more and some are less onerous, but by and large, do not get much more effective when cache poisoning is involved.