Putting the Web in a Bind - Page 4

Microscopic Roots

The main problem with BIND is its roots. It was designed for a network that was microscopic by today's standards — a few nodes at the Department of Defense and a handful of universities. Its users were select government officials and university professors, who exchanged thousands of bits of information, not billions of dollars in commercial transactions, each day.

BIND began as an open source code project, presided over by Jon Postel and Paul Mockapetris. They eventually moved on, and responsibility for the BIND project fell onto the shoulders of Vixie. BIND's volunteer developers frequently had to modify and expand the code, trying to keep it abreast of the Internet's constantly growing needs. As a result, BIND is complex. The name-to-IP address translation engine alone is 39,000 lines of code.

Secure software "has well-constrained behaviors and small subcomponents," observed Theo de Raadt, head of the OpenBSD (Berkeley Unix) project, in an Internet chat discussion of BIND vulnerabilities.

Given the wide entrenchment of BIND vulnerabilities, "a really nasty bug could hit really hard," said de Raadt. Fear of that as yet unborn bug is growing.

BIND is undergoing a major rewrite in Version 9.0, but it may take such a bug to encourage a broad-based surge of BIND upgrades.

For overall security to be improved, many parties need to upgrade their versions of BIND concurrently, but answering that need collides with the Internet's tradition of self-regulation. Thus far, the ethos of the Internet, said Jody Patilla, chief analyst at Metases, a managed security provider, has been: "If you're going to run with the big dogs, you're going to have to take responsibility for yourself," including patching your DNS server.

Incognito Software supplies a commercial substitute for BIND, called DNS Commander, which is available only as binary code, or compiled ones and zeros, not source code. That means DNS Commander is more secure, said Chief Executive Patricia Steadman, because it makes it more difficult to detect holes in the software. At the same time, commercial implementations of DNS, such as Microsoft's Internet Information Server, are known to contain holes of their own, Riptech's Dunphy said.

That means the health of most servers on the Internet rests "on the conscientiousness of a handful of overworked individuals" at small businesses, dot-com start-ups, educational organizations and other lightly staffed IT organizations, Patilla said.

If BIND users need prompting to upgrade their servers, they should be required to register with the ISC before receiving their BIND download, suggested Dave McClure, lobbyist at the U.S. Internet Industry Association. If they did so, security advocates might be less inclined to lean on ISPs to provide more notification and prompts to update, he said.

But Vixie countered, "Let ISPs do it." Because ISPs already have a relationship that involves serving their customers' traffic, "we have recommended that ISPs probe their customers' name servers, looking for well-known problems and notify affected customers of the need to upgrade," he said.

"Such probing by the Internet Software Consortium would be a privacy violation, but being probed by one's own ISP is not a problem," he said.

When the ISP is providing the DNS service, it's not an issue, since it has set up and is managing the server, several ISPs agreed. But in many cases, customers insist on maintaining their own name servers. Large enterprises, in particular, like to maintain their own master DNS records, said Mike Matthews, security master at Exodus Communications, a large Santa Clara, Calif., ISP and colocation services provider.

"If my ISP were to scan my corporation's DNS server, I would hit them with a lawsuit or promise them a visit from the FBI," said BindView's Blake.

Exodus upgraded its 60 DNS servers to a safe version within two days of the Jan. 29 CERT alert. "We are constantly polling our servers as a matter of course," Matthews said. Exodus offers an assessment of the security of a customer's servers, including its DNS server, which means reviewing the version of BIND running. The solution for customers that don't upgrade, he said, is to educate them on the need for an outside service, such as Exodus. His firm charges $2,750 to perform the service.
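The version review that Vixie's ISP probing and the Exodus assessment both rely on amounts to asking a name server what it reports via the CHAOS-class `version.bind` TXT record. The checker below is an added example, not code from the article or from ISC, Exodus or BindView; it builds the wire-format query, parses the reply (including a refused or hidden version), compares the result against a threshold, and is meant for an operator to run against their own server. The `MINIMUM_SAFE` value and the sample reply bytes are constructed placeholders, not figures from the article.

```python
import re
import socket
import struct

TXT, CHAOS = 16, 3   # DNS TYPE TXT and CLASS CH, where version.bind lives
def build_version_query(txid=0x1234):
    """Wire-format query for TXT version.bind in class CHAOS (30 bytes)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # 1 question, no flags
    return header + b"\x07version\x04bind\x00" + struct.pack("!HH", TXT, CHAOS)
def _skip_name(msg, off):   # advance past labels, a 0x00 terminator or a 0xC0 pointer
    while msg[off] and msg[off] < 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] >= 0xC0 else 1)
def parse_version_reply(msg):
    """TXT text of the first answer, or None when refused, hidden or malformed."""
    try:
        _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
        if flags & 0x000F or an == 0:        # non-zero RCODE or empty answer section
            return None
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4   # skip QNAME, QTYPE, QCLASS
        off = _skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if (rtype, rclass) != (TXT, CHAOS):
            return None
        rdata, parts, i = msg[off + 10:off + 10 + rdlen], [], 0
        while i < len(rdata):                # TXT rdata: run of <len><chars> strings
            parts.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace"))
            i += 1 + rdata[i]
        return "".join(parts)
    except (struct.error, IndexError):       # truncated or garbled reply
        return None
def classify(reported, minimum):
    """'upgrade' if below minimum, 'ok' if not, 'unknown' if no version parses."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", reported or "")
    if not m:
        return "unknown"
    return "upgrade" if tuple(int(x or 0) for x in m.groups()) < minimum else "ok"
def check_server(host, minimum, timeout=2.0):   # live check of your own server, UDP/53
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (host, 53))
        reported = parse_version_reply(s.recvfrom(512)[0])
    return reported, classify(reported, minimum)

# Constructed sample reply (not captured from any real server): authoritative answer "8.2.2".
SAMPLE_REPLY = (b"\x12\x34\x84\x00\x00\x01\x00\x01\x00\x00\x00\x00\x07version\x04bind\x00\x00\x10\x00\x03"
                b"\xc0\x0c\x00\x10\x00\x03\x00\x00\x00\x00\x00\x06\x058.2.2")
MINIMUM_SAFE = (9, 0, 0)   # placeholder threshold; take the real one from the current advisory
```

A server configured to hide its version, or one that refuses CHAOS queries, comes back as "unknown" rather than "ok", so a fleet report still flags it for a manual look.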

Despite the shared need, however, no one can point to an authority, other than the ISC, to enforce the upgrade process, and Vixie made clear that the only central database it will maintain is one where users voluntarily "opt in."

"From the military point of view, central control is good. But it hasn't worked that well with the Internet," said Dunphy, a former U.S. Air Force lieutenant who worked at the Department of Defense's version of CERT.

Even if the ISC were willing to poll users and send threatening e-mails to wayward sites, "what are you going to do — shut down a business for noncompliance?" Dunphy asked. Disabling the DNS server would block traffic to the Web sites behind it, and any organization that might do that in the U.S. would provoke a storm of protest from other countries, he noted.

Without some regulation of BIND, however, denial-of-service attacks launched from many servers and other BIND exploits are likely to get worse, not better. "If you do have a BIND server, you need to religiously monitor it. If nobody knows about it, that's why they're attacked. They make great victims," Dunphy said.