The Domain Name System (DNS) associates various information with domain names; most importantly, it serves as the "phone book" for the Internet by translating human-readable computer hostnames, e.g. www.example.com, into IP addresses, e.g. 208.77.188.166, which networking equipment needs to deliver information. It also stores other information such as the list of mail servers that accept email for a given domain. In providing a worldwide keyword-based redirection service, the Domain Name System is an essential component of contemporary Internet use. Read the full background at DNS Wikipedia
The U.S. National Telecommunications and Information Administration (NTIA) is soliciting comments on signing the DNSSEC root. Ignore the caption on the page: this is not about DNSSEC deployment, which is already happening just fine. It's about who gets to sign the root zone. more»
At ICANN's meeting in Egypt last week, I had the opportunity to try and explain to various non-technical audiences why the Domain Name System (DNS) is vulnerable to attack, and why that is important, without needing a computer science degree to understand it. Here is the summary. more»
A message on Dave Farber's Interesting People list complained that Comcast was blocking mail forwarded by DynDNS, a popular provider of DNS and related services for small-scale users... Actually, they're blocking it because a lot of it is spam. This is a problem that every mail forwarder and every mail system encounters; the only unusual thing here is that DynDNS is whining about it. It's yet another way that spammers have broken the mail for the rest of us. more»
Gartner, the well known IT consulting company, has published a report on the new top level domains that will appear some time next year. The report totally misses the mark. In a pure US centric vision, it focuses on ".com" as the must-have TLD, totally overlooking the fact that a ".com" is mostly worthless e.g. in Germany, where ".de" is the TLD one must have to succeed locally... more»
Thinking about the www.kerryedwards.com auction reminds one of the uneasy relationship between personal names, politics and cybersquatting. When reporters learned that the domain name was taken by Kerry Edwards, the Indiana bail bondsman, at least some headlines were quick to brand Mr. Edwards' conduct as cybersquatting. The Chicago Sun-Times, for example, ran the headline "Kerry Edwards is the Name, Cybersquatting is the Game." Mr. Edwards, of course, had registered his own name as a domain name long before Kerry picked Edwards as a running mate. more»
In a highly anticipated presentation, Internet security researcher Dan Kaminsky today gave details of the much talked about Domain Name System (DNS) vulnerability issue which has been intensely covered since it was publicly announced a month ago on Jul 8th. Although original plans entailed keeping the bug details undisclosed for 30 days in order to allow for necessary security patches to be implemented around the world, details of the bug were eventually leaked-and-confirmed 13 days after its public announcement. Even so, just hours ago in jam-packed ballroom during the Black Hat conference, Kaminsky delivered his 100-plus-slide presentation detailing the DNS flaw that, if exploited, could potentially "destroy the Web". more»
Apple which has been under criticism by security experts for being slow in patching a major DNS flaw, has at last issued a patch in a security update for its OS X operating system and other software late Thursday. Apple is among a handful of companies that security experts have said moved far too slow in reacting to the DNS bug. Other vendors, including Cisco and Microsoft, had patches ready when the existence of the flaw was disclosed on July 8, 2008. But some network administrators have reported compatibility problems with those early patches. more»
Moore, the creator of the popular Metasploit hacking toolkit has become the victim of a computer attack. It happened on Tuesday morning, when Moore's company, BreakingPoint had some of its Internet traffic redirected to a fake Google page that was being run by a scammer. According to Moore, the hacker was able to do this by launching what's known as a cache poisoning attack on a DNS server on AT&T's network that was serving the Austin, Texas area. One of BreakingPoint's servers was forwarding DNS traffic to the AT&T server, so when it was compromised, so was HD Moore's company. more»
The existence of the DNS flaw was revealed earlier this month by security researcher Dan Kaminsky and the code that could act as a blueprint for an attack via the flaw was published last week by Metasploit. On Friday, a user named James Kosin posted an excerpt from a server log to a Fedora Linux mailing list, claiming it proved attacks based on the DNS flaw had begun. Kosin post reads... more»
On Tuesday July 8, CERT/CC published advisory #800113 referring to a DNS cache poisoning vulnerability discovered by Dan Kaminsky that will be fully disclosed on August 7 at the Black Hat conference. While the long term fix for this attack and all attacks like it is Secure DNS, we know we can't get the root zone signed, or the .COM zone signed, or the registrar / registry system to carry zone keys, soon enough. So, as a temporary workaround, the affected vendors are recommending that Dan Bernstein's UDP port randomization technique be universally deployed. Reactions have been mixed, but overall, negative. As the coordinator of the combined vendor response, I've heard plenty of complaints, and I've watched as Dan Kaminsky has been called an idiot for how he managed the disclosure. Let me try to respond a little here, without verging into taking any of this personally... more»
In the last few weeks we've seen two very different approaches to the full disclosure of security flaws in large-scale computer systems. Problems in the domain name system have been kept quiet long enough for vendors to find and fix their software, while details of how to hack Transport for London's Oyster card will soon be available to anyone with a laptop computer and a desire to break the law. These two cases highlight a major problem facing the computing industry, one that goes back many years and is still far from being unresolved. Given that there are inevitably bugs, flaws and unexpected interactions in complex systems, how much information about them should be made public by researchers when the details could be helpful to criminals or malicious hackers? more»
One day after a security company accidentally posted details of a serious flaw in the Internet's Domain Name System (DNS), hackers are saying that software that exploits this flaw is sure to pop up soon. Several hackers are almost certainly already developing attack code for the bug, and it will most likely crop up within the next few days, says one security expert. The author of one widely used hacking tool said he expected to have an exploit by the end of the day Tuesday. more»
Whatever you think the answer is (typically about ten bucks), the answer is likely to change radically for the worse, based on new contracts that ICANN is planning to approve. On July 28th ICANN posted proposed new contracts for .ORG, .BIZ, and .INFO, for a public comment period that ends four days from now, on the 28th. There's a lot not to like about these proposed contracts, but I will concentrate here on two related particularly troublesome areas, pricing and data mining. more»
Planning for a short trip to Hong Kong tomorrow reminded me of Jonathan Shea, something I wanted to blog about but was waiting for the hype around the new generic Top-Level Domains (TLDs) to cool down. Jonathan Shea is an old friend who is in-charge of ".hk". I had the pleasure to catch up with him in Paris ICANN meeting. Before Jonathan, let me talk about something related that happened in Paris. At the Cross Constituency Meeting, there was a presentation by the Anti-Phishing Working Group (APWG). In summary, they were proposing working with registries to take down domain names that are suspected to be involved in phishing. more»
The Internet Corporation for Assigned Names and Numbers (ICANN) has just approved the relaxation of the rules for the introduction of new Top-Level Domains -- a move that could drastically change the Internet. The new decision -- some calling it of historic importance and others predictable -- will allow companies to register their brands as generic top-level domain names (TLDs). For instance, Microsoft could apply to have a TLD such as '.msn' and Apple apply for '.mac'. more»
Alexa Raad, CEO of .ORG, The Public Interest Registry, has been chosen as one of the leading women in Washington business by The Washington Business Journal's fifth-annual Women Who Mean Business Awards. ›››
.ORG, The Public Interest Registry is pleased to announce the next guest blogger for our DNSSEC FUD Buster series. Ram Mohan is the Executive Vice President, & Chief Technology Officer of Afilias Limited. Ram has led the strategic growth initiatives at Afilias Limited in registry services and security as well as new product sectors such as RFID/Auto-ID, global DNS and Internationalized Domain Names (IDNs). ›››
.ORG, The Public Interest Registry is pleased to announce of first guest blogger for our DNSSEC FUD series. John Kristoff works as a research analyst for Team Cymru, a Internet Security Research company based in Chicago specializing in the 'who' and the 'why' of Internet crime. ›››
The Registry Internet Safety Group (RISG) is a global group of responsible Internet related companies whose mission is to work collaboratively to combat Internet identity theft. Even though RISG is uniquely Registry focused, it includes both gTLD and ccTLD members. RISG is intended to complement and not duplicate existing Internet security efforts. ›››
The following post is based on a recent discussion .ORG had with Dan Kaminsky, a DNS expert best know for discovering a serious DNS bug, about DNSSEC and how it is a critical step toward bolstering Internet security. ›››
World's largest and most advanced video search engine, has chosen NeuStar's UltraDNS Managed DNS Services to augment the performance, reliability, and scalability of the blinkx network infrastructure and to take advantage of NeuStar's innovative suite of traffic management services. ›››
NeuStar today announced that The LEGO Group, a leading toy manufacturer headquartered in Denmark, has chosen NeuStar's UltraDNS Managed DNS Service to enhance the reliability of The LEGO Group's web-based operations, including a significant global e-commerce presence. ›››
nugg.ad, a German company based in Berlin that provides an application service provider (ASP) solution for predictive behavioral targeting, has chosen NeuStar's UltraDNS Managed Services to bolster the scalability and reliability of nugg.ad's DNS infrastructure. ›››
Attacks on the security of the Internet have been much in the news lately, and there is an increased urgency to take the technical steps to combat these attacks. .ORG has been doing its part to lead this process by taking introductory steps to implement DNSSEC (Domain Name System Security Extensions)... In order to make DNSSEC effective, there is one additional step that is needed -- "signing the root". ›››
NeuStar has announced that Spam Arrest, a Seattle-based company that efficiently monitors and stops automated junk email, has chosen NeuStar's UltraDNS Managed DNS and Traffic Management Services to support the delivery of services to Spam Arrest's global customer base. ›››