Re: So You Think You're Safe from DNS Cache Poisoning? – The Famous Brett Watson – Aug 18, 2005 7:44 AM PST
Let me see if I have this straight. The BIND4 or BIND8 instance that's acting as a forwarder cleans the received response for the purposes of populating its local cache, but passes the unscrubbed response back to the original requesting party? I'll bet someone slapped their forehead over that one.
On a slightly tangential note, given that most such vulnerabilities come from weak implementations, rather than weakness in the protocol itself, are we likely to create more problems than we solve by increasing the complexity of the process in the name of security? I refer here to DNSSec, of course, and I'm not saying that it's a bad idea, but it does give me pause to question how much real improvement it can offer, given inevitably weak implementations.
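The "scrubbing" the post above is asking about is the resolver's bailiwick check: records in a response are only trustworthy if their owner name falls under the zone the answering server is responsible for, and a forwarder that caches only the scrubbed set but relays the raw response to its client hands the client the very records it refused to trust itself. The block below is an added illustration of that check, written for this thread and not taken from BIND or from the article; the record layout, the `bailiwick` argument (the delegated zone the upstream server was asked as authority for) and the sample response are all constructed here.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class RR:
    """One resource record from a parsed DNS response (constructed layout, not wire format)."""
    name: str      # owner name, fully qualified, e.g. "www.example.com."
    rtype: str     # record type, e.g. "A", "NS"
    rdata: str     # record data
    section: str   # "answer", "authority" or "additional"

def _labels(name: str) -> List[str]:
    """Split a domain name into lower-cased labels; DNS names compare case-insensitively."""
    return [label.lower() for label in name.rstrip(".").split(".") if label]

def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is at or below `zone` (label-wise suffix match).

    Comparing labels rather than raw strings matters: "notexample.com." ends
    with the text "example.com." but is not inside that zone.
    """
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def scrub_response(bailiwick: str, records: List[RR]) -> Tuple[List[RR], List[RR]]:
    """Split a response into records the resolver may trust and records it must drop.

    The upstream server was consulted as the authority for `bailiwick`; anything it
    says about names outside that zone is unsolicited and is the classic vehicle
    for planting a poisoned entry via the additional section.
    """
    kept, dropped = [], []
    for rr in records:
        (kept if in_bailiwick(rr.name, bailiwick) else dropped).append(rr)
    return kept, dropped

def handle_forwarded_response(bailiwick: str, records: List[RR]) -> Tuple[List[RR], List[RR]]:
    """What a forwarder should do: the same scrubbed set feeds both the local cache
    and the reply sent back to the stub resolver that asked.

    Returns (records_to_cache, records_to_return_to_client); the two are identical
    by design, which is exactly the property the post says was missing.
    """
    kept, _dropped = scrub_response(bailiwick, records)
    return kept, list(kept)

# Constructed sample: the server for example.com. answers a query for www.example.com.
# and tacks an unrelated A record for another domain onto the additional section.
SAMPLE_RESPONSE = [
    RR("www.example.com.", "A", "192.0.2.10", "answer"),
    RR("example.com.", "NS", "ns1.example.com.", "authority"),
    RR("ns1.example.com.", "A", "192.0.2.1", "additional"),      # legitimate glue
    RR("www.bank.example.", "A", "198.51.100.5", "additional"),   # out of bailiwick
]

if __name__ == "__main__":
    cache, reply = handle_forwarded_response("example.com.", SAMPLE_RESPONSE)
    _, dropped = scrub_response("example.com.", SAMPLE_RESPONSE)
    print("cached/returned:", [rr.name for rr in cache])
    print("dropped:", [rr.name for rr in dropped])
```

The suffix match is done on labels, not on strings, so a name such as `notexample.com.` is not mistaken for a child of `example.com.`; a string `endswith` check would get that wrong. In a real resolver the bailiwick is the zone of the delegation being followed, not the query name, which is why the glue for `ns1.example.com.` is accepted here while a record for a different domain is not.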
Re: So You Think You're Safe from DNS Cache Poisoning? – Matthew Elvey – Aug 25, 2005 3:18 PM PST
Looking at the DNS software a few ISP servers claim to be running didn't give me a warm fuzzy feeling.
Is it appropriate to probe and publicize a wall of shame/list of vulnerable servers? I think so. The bad guys already know.
I see some large services with nameservers running 8.x.
Re: So You Think You're Safe from DNS Cache Poisoning? – Brett Watson – Aug 25, 2005 3:22 PM PST
matthew, that would be a good question for dan kaminsky. he's running a project (linked to from the article) to 'map' the interrelationships of servers running bind8 with forwarders pointing at them. the news.com article mentions what is probably the tip of the iceberg. dan is working on a much larger scale analysis.
i think before a 'wall of shame' goes up, efforts should probably be made to contact providers and educate/encourage them to *upgrade* and properly configure systems. that was part of the purpose in writing this article.
Re: So You Think You're Safe from DNS Cache Poisoning? – Simon Waters – Sep 04, 2005 1:20 AM PST
Matthew, when I did get involved in monitoring and sorting DNS issues, I found you can't rely on the returned version number to reveal specific weaknesses with the implementation.
Some of the big Unix vendors, commercial DNS implementations based on BIND, and others, will backport fixes from more recent versions of BIND, in an attempt to minimize the disruption to their customer base. Although I'm not sure how wise this is as a long term strategy, and you would hope they would all be based on BIND9 by now.
Whilst the recent poisonings are worrying, other basic weaknesses in deployed DNS configurations remain, not least one well known organisation, that should know better, appeared to have both (only 2?) DNS servers deployed in the New Orleans metropolitan area before the hurricane struck; fortunately it looks like they managed to move the service away "just about in time".
However I notice my earlier criticisms of the poor state of many European TLDs have been at least partially addressed. Human nature, whilst things mostly work, is not to address them till they are clearly broken, and for all its flaws the DNS "mostly works", whereas some of us know that it is "broken enough" to need fixing.
The good news is that the poisoning problem is something you can fix for yourself, and you can do it all with Free Software, so no need to get budgetary approval.
I'm voting for "lack of expertise" being the biggest cause.