
Re: _DNS_ security problems



Bob Denny wrote:
> 
> On Feb 25, Dan Stromberg <strombrg@test34a.acs.uci.edu> wrote:
> > Subject: _DNS_ security problems
> >
> > [...] The DNS should still be fixed, it's just a longer-term,
> > (much) more time-consuming fix.  If there is no longer a list of what
> > addresses have been delegated where [...etc.]
> 
> Yes, this is a topic for the bind list. I disagree that the solution lies in
> modifying DNS, which works very well for its intended purpose, and not very
> well as a secure identification mechanism (something it was _not_ designed to
> do). The protection, in my opinion, needs to be at a higher level. IMHO.

The DNS was intended to provide names.

IP(v4) was intended to pass around data, anything you put overtop of it.

Neither were quite intended for (or at least, not quite _built_ for)
high security.  But they're frequently used with the assumption of
_being_ secure.  People with firewalls feel safe behind their firewall,
but they frequently bring DNS data in from the outside, unchecked - and
now they're beginning to bring in Java data, as well.

The sudden realization that data is coming in from the outside has
people pointing fingers at the technology that came concomitant with
the realization, tho it is really not an issue strictly of that
technology.

> In any case, couldn't Java do a getpeername() on the socket used to grab the
> 'master' class? Then it could use the peer IP address as the source host,
> refusing to load from or connect to any other IP address. Forget even _using_
> DNS except to get the initial connection to the applet source. It seems
> unlikely that the IP address of the host could (or should be supported to)
> change during the class group loading sequence. I suppose it could change
> during the time that the applet is running, but I'd think it would be OK for
> the applet to fail in that case also.

Yes.  It should do a getpeername and leave the DNS out of it.  I believe
this was Sun's proposed fix (as alluded to on this list).

I've been chasing around the (apparently not well explored?) issue of
whether or not doing a gethostbyaddr() adds much to the security of an
application that _does_ use DNS for authentication.  The bind authors
apparently feel that PTR records should be treated as second class
citizens within the DNS, but there are apparently a lot of folks around
the net building security systems that hinge on their usage.
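
The getpeername() approach discussed in this message, as an added example that is not part of the original post and is not Sun's code: the origin is pinned to the address the first socket actually reached, and every later target is compared against that literal IP with no further DNS lookup. The names `PinnedOrigin` and `open_origin` are hypothetical, and the loopback listener in the demo is constructed sample input.

```python
import ipaddress
import socket


class PinnedOrigin:
    """Remembers the peer IP of the first connection; later targets must match it."""

    def __init__(self, sock):
        # getpeername() reports the address the socket is connected to;
        # no name lookup is involved.
        self.ip = ipaddress.ip_address(sock.getpeername()[0])

    def allows(self, target_ip):
        """True only if target_ip is the literal address of the pinned origin."""
        try:
            return ipaddress.ip_address(target_ip) == self.ip
        except ValueError:
            # Host names are refused: resolving one would bring DNS back in.
            return False

    def connect(self, port, timeout=5.0):
        """Open a further connection to the pinned address and re-check the peer."""
        s = socket.create_connection((str(self.ip), port), timeout=timeout)
        if not self.allows(s.getpeername()[0]):
            s.close()
            raise PermissionError("peer address differs from pinned origin")
        return s


def open_origin(host, port, timeout=5.0):
    """Resolve host once for the initial connection, then pin what was reached."""
    sock = socket.create_connection((host, port), timeout=timeout)
    return sock, PinnedOrigin(sock)


if __name__ == "__main__":
    # Constructed demo: a loopback listener stands in for the applet source.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(2)
    port = srv.getsockname()[1]
    first, origin = open_origin("127.0.0.1", port)
    print("pinned origin:", origin.ip)
    print("same address allowed:", origin.allows("127.0.0.1"))
    print("other address allowed:", origin.allows("127.0.0.2"))
    print("host name allowed:", origin.allows("localhost"))
```
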

