DNS SUCKS - Ok I Said It - Now What - Talk to Trusted Sources Until PAT mode is Fixed
A new flaw has sharpened the debate over how to come up with a long-term solution to the broader problem of the lack of security in the Domain Name System, which was invented in 1983 and was not created with uses like online banking in mind or huge internetworked enterprises and service providers.
When you see John Markoff of the NYTimes explaining to normal people that there are DNS problems you know the suckiness of DNS has gone mainstream.
I blogged yesterday that Cisco firewalls were affected and rendered the DNS patch useless. Well, that was true, BUT it’s not just Cisco - it’s everyone. There is a bigger picture. DNS sucks. There is too much legacy and critical infrastructure that is more important than some sort of URL rewrite and a hacking of a 16-bit port translation (or PAT - Port Address Translation). It’s called ‘industrial strength’ software. Companies like Infoblox and Nominum have big businesses because they took the DNS technology and scaled it with security. Can DNS vendors do more with it, or has it reached its peak? Either way this DNS shit is a big problem for IT and network operators. It seems like they are chasing too many holes out there. Is it time to rip and replace? I’ll keep my official opinion to myself.
Ok, I’ll say it: DNS sucks! This latest firewall PAT issue rendering the DNS patch useless is the latest example.
Richard Kagan of Infoblox chimed in this morning. Richard said “DNS is just a protocol. The challenges really stem from how it is administered. Companies haven’t historically treated DNS as a strategic asset and this recent vulnerability will likely focus a few more minds on DNS security, architecture, design, implementation and administration as well as the implications of past decisions.”
Firewall PAT Problem with DNS Patch
Regarding the firewall (and PAT devices), customers don’t really have to worry about this - just do the patch and get the upgrade from Cisco and others. The big deal is that there is a ton of critical infrastructure built on top of the feeble DNS. We are talking about big businesses, big service provider networks, big data networks powering mobile devices, cable companies, etc. - all of which rely on DNS.
Regarding the Cisco firewall problem - wait for the upgrade. The way Cisco firewalls allocate source ports and rewrite source ports in their PAT devices is sequential. Although this is an issue, it’s not a straightforward issue. There are many instances where multiple devices that rely on those ports need to run in legacy mode. Cisco told me today that they are releasing an option so that PAT can be configured to use a random number generator for their PAT mode devices. Some others disagree and say that there are more secure ways to go than with Cisco.
Depending on the implementation, the firewall PAT problem can negate the DNS patch. Cisco will be changing their PAT mode and moving to “hardening of the PAT feature”. The upcoming configuration option will give customers the ability to make the PAT mode more random. The question remains: does this make the devices more secure? The PAT mode is 16 bit (very breakable). I’m waiting to hear.
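Why a sequential PAT rewrite matters, as an added check that is not from the post, Cisco or Infoblox: the DNS patch only helps if the 16-bit source port stays unpredictable alongside the 16-bit transaction ID. The Python below takes a list of source ports seen leaving a PAT device (the two sample lists are constructed, not real captures) and reports whether allocation looks sequential and roughly how many bits of guessing space are left for an off-path spoofer. The function names and the 0.5 threshold are assumptions of this example.

```python
import math

PORT_SPACE = 65536       # 16-bit UDP source port space
TXID_BITS = 16           # DNS transaction ID is also 16 bits

# Constructed sample observations (not captured from any real device): the
# source ports a resolver's outbound queries carry after passing through a
# PAT device. The first set models sequential rewriting (the problem the post
# describes), the second a PAT box that picks ports at random.
SEQUENTIAL_PAT = [1024 + i for i in range(32)]
RANDOM_PAT = [53120, 2317, 61890, 17444, 40023, 9931, 58262, 31004,
              44719, 6078, 27563, 49850, 12987, 63341, 35502, 20115,
              51276, 3889, 57408, 15632, 42995, 8760, 60149, 33221,
              25774, 47303, 11456, 54918, 38067, 19589, 64002, 29145]


def sequential_fraction(ports):
    """Share of consecutive observations where the port advanced by exactly one.

    The difference is taken modulo the port space so a wrap at 65535 still
    counts as a sequential step.
    """
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if (b - a) % PORT_SPACE == 1)
    return steps / (len(ports) - 1)


def port_spread_bits(ports):
    """log2 of the span the observed ports cover: a rough upper bound on how
    many bits of the port a guesser would actually have to work through."""
    spread = max(ports) - min(ports) + 1
    return math.log2(spread)


def assess(ports, seq_threshold=0.5):
    """Summarise whether the PAT device has undone source-port randomisation.

    If most observations step by +1, the port is predictable from one
    observed value, so only the 16-bit transaction ID is left to guess.
    Otherwise the port contributes roughly its spread in bits on top of
    the transaction ID.
    """
    frac = sequential_fraction(ports)
    sequential = frac >= seq_threshold
    port_bits = 0.0 if sequential else port_spread_bits(ports)
    return {
        "sequential_fraction": frac,
        "sequential": sequential,
        "port_bits": port_bits,
        "effective_bits": TXID_BITS + port_bits,
    }


if __name__ == "__main__":
    for label, sample in (("sequential PAT", SEQUENTIAL_PAT), ("random PAT", RANDOM_PAT)):
        r = assess(sample)
        print(f"{label}: sequential={r['sequential']} "
              f"effective guess space ~ 2^{r['effective_bits']:.1f}")
```

Feed it the source ports from a packet capture taken on the outside of the firewall, or the ports reported by a public port-randomness test. A “sequential” verdict means the resolver patch is being undone upstream, which is exactly the situation the post describes, and the device needs the vendor fix (or a non-PAT path for DNS) before the patch counts for anything.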
I really like Cisco, but this has to be a huge pain in the ass for them (or anyone in IT networking). Is this a case of stupid DNS tricks or is this a bigger issue?
I’ll say it again: DNS sucks. This firewall PAT issue isn’t just a Cisco problem. Others are affected. In fact, a story out of the UK today shows it’s also Checkpoint.
I am thankful that Cisco spent the time to talk to me. They were great and very candid and transparent. Maybe they could do a guest post to explain more. Or better yet, get Ralph Droms (he and Cricket Liu wrote the book on DNS).
This DNS stuff is a mess. A patch will be released in a few weeks that will change the PAT from sequential to random.
The bigger picture is that DNS needs to be replaced. I can’t wait to have some experts talk with me more on this. It’s worth getting to the bottom of this issue.
Cisco advises its customers to make sure that their devices only talk to a trusted source until the patch comes out in a few weeks.
If you’re a Cisco customer then go to this link for DNS best practices for dealing with this issue.
WordPress
[...] All the more reason to patch your DNS servers NOW! As if you needed another reason… [...]
on July 31, 2008 @ 6:02 am