#1
An excuse for drinking Champagne..
#2
Has anyone ever experienced DNS spoofing? If yes, how did you solve the problem, and what led your system to the spoofer?
Thanks
#3
Thanks to Mr. Paul Mockapetris for giving non-biological birth to DNS
#4
20 years old!! No wonder it's falling to bits!
Does anyone know when/what the replacement will be?
#5
Mr Stumpy,
Replacement comes with the requirement. Would you please kindly tell us a reason for replacing the current DNS schema? Otherwise, we need to call Benjamin Franklin to explain his words, when he said: "It's common for men to give pretended Reason instead of one real one".
#6
I only hinted at why we should replace DNS, because I thought everyone here would know why....

May I suggest you (and anyone else with an interest in IT) subscribe to a few IT news services (theregister, slashdot, zdnet). There is a MULTITUDE of problems with DNS. Esp. recently with all the hijacking, etc... plus the fact that the entire internet (how many BILLIONS of computers?!) relies on 11 machines for its addressing. As seen late last year and earlier this year, when some clever chaps almost took down the net (inadvertently, using Slammer). They managed to take out something like 6 or 7 of the root DNS servers... Not a bad effort considering it wasn't the focus of their exercise.

More info on those attacks (Slammer related):
http://slashdot.org/article.pl?sid=...206&mode=thread
http://zdnet.com.com/2100-1107-979650.html

General DNS flaws (from http://multivac.cwru.edu/dns/problems.html):

DNS was designed to be extensible for new applications via new record types, but the protocol mandates case-insensitivity for domain names. This is useful for hostname lookups, but it could be handled purely on the client side. Building it into the protocol reduces the usefulness of DNS: e.g., looking up the name of the host with address 119.120.121.122 could have used the name z.y.x.w.in-addr.arpa instead of the slightly lengthier and costlier 122.121.120.119.in-addr.arpa.

CNAMEs are unnecessary: two domain names can have the same records without building this referencing into the protocol. CNAMEs complicate the local lookup algorithm for servers. CNAME records might also form a loop, or they might refer to nonexistent names.

A misconfigured or malicious server can respond to a query with some false name server or address records appended to the response. According to the original RFCs, clients should trust these records. Fortunately, modern clients trust records from the cwru.edu name servers only when they belong to names in the cwru.edu domain. BIND adopted a different solution to this problem earlier on - credibility rules, which have their own problems - and has kept those rules even after adopting the simpler rule given above.

NS records contain hostnames, not addresses. As a result, a server may give a referral to another name server without also giving its address. If the name server's name is inside the domain being delegated, the parent is required to provide an address, but in other cases, the child server may be unreachable.

DNS over TCP is slow and prone to denial of service attacks, so it is generally not used except for zone transfers. DNS over UDP is vulnerable to response spoofing: a client can't tell where the UDP packet came from, so an attacker who can sniff requests can easily send false responses. If the requests aren't sniffable, an attacker can still send false responses, but ey has to guess the query ID and the port the query was sent from. Incorrect guesses incur no penalty for the attacker, however, and BIND uses the same port for all queries.

To name a few
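The resolver-side checks the quoted text describes (match the transaction ID and source port, match the question, and only trust appended records that fall inside the answering server's zone, the "bailiwick" rule), as an added example that is not part of the post or of the linked page. The message class, the sample records and the ephemeral-port count are assumptions made for the demonstration; wire-format parsing is left out.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class DnsMessage:
    """Minimal already-parsed DNS message (hypothetical; no wire parsing here)."""
    txid: int                 # 16-bit transaction ID
    port: int                 # UDP source port of the query / destination port of the reply
    qname: str
    qtype: str
    records: List[Tuple[str, str, str]] = field(default_factory=list)  # (name, type, rdata)

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or a subdomain of it. Compared case-insensitively,
    since the protocol mandates case-insensitive names."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def accept_response(query: DnsMessage, resp: DnsMessage, server_zone: str) -> Optional[list]:
    """Return the records a cautious resolver keeps, or None if the reply is rejected.
    A blind spoofer must hit both txid and port; a reply addressed elsewhere is dropped.
    Records outside server_zone (the zone the queried server is authoritative for)
    are discarded instead of being trusted as the original RFCs suggested."""
    if resp.txid != query.txid or resp.port != query.port:
        return None
    if resp.qname.lower() != query.qname.lower() or resp.qtype != query.qtype:
        return None
    return [r for r in resp.records if in_bailiwick(r[0], server_zone)]

def guess_space(random_source_port: bool, ephemeral_ports: int = 16384) -> int:
    """Combinations a blind spoofer must cover: 2^16 IDs alone when one port is reused
    for every query (the BIND behaviour the post mentions), IDs times ports otherwise.
    16384 assumes the IANA dynamic range 49152-65535."""
    return 65536 * (ephemeral_ports if random_source_port else 1)

if __name__ == "__main__":
    # Constructed sample: query sent to a cwru.edu name server from port 53001.
    q = DnsMessage(0x1234, 53001, "www.cwru.edu", "A")
    reply = DnsMessage(0x1234, 53001, "www.cwru.edu", "A", [
        ("www.cwru.edu", "A", "192.0.2.10"),        # in bailiwick, kept
        ("ns1.example.net", "A", "192.0.2.99"),     # appended glue for another zone, dropped
    ])
    print(accept_response(q, reply, "cwru.edu"))
    forged = DnsMessage(0x9999, 53001, "www.cwru.edu", "A", reply.records)
    print(accept_response(q, forged, "cwru.edu"))   # wrong txid -> None
    print(guess_space(False), guess_space(True))
```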
#7
Stumpy
It was a better posting. Hopefully more members will participate to discuss this issue with many more reasons why not to trust (or rely on) those 11 servers (in fact, nowadays they are 13). As Reason is a Rebel unto Faith, so Passion unto Reason. Thank You.
#8
Have you got a book of quotes next to you iahmed?
Bet it doesn't have this one: Tango: "What's fubar?" Cash: "****ed Up Beyond All Recognition!" Ahh - 80's movies... so much wisdom.
#9
Stumpy,
Yes, I did watch the movie. But I cannot agree with Cash, because to accept an unorthodoxy is always to inherit unresolved contradictions.
#10
When the new IP scheme is released (using 5 address positions instead of 4) they are supposed to be redesigning DNS partially, if not entirely, and hopefully they can fix some of the problems that stumpy mentioned, if not all. Back when the net was a baby, DNS only needed 11 machines to run, because there weren't that many computers on the web, so why would we need more than that? It's kind of like Mr. Gates' most famous quote "640k is all the memory we will ever need!" Hindsight is always 20/20...
But also remember, with the emergence of all of the new top level domains, they are talking about implementing a couple of new servers as well. And I think that stumpy is right, when slammer took down 60% of the internet in only a few hours, the designers of DNS definitely saw the problems with its current scheme... Kind of a "Oops.. damn, I didn't know that could happen" heh.. I keep telling people, if it can be built, it can be hacked.. it's just a matter of time. Hopefully sometime soon they will either fix or release something better...
Dev Articles Community Forums > Community > The Lizard Lounge > An excuse for drinking Champagne..