Did you click on opendns on the Cert KB article's list? it is explained there...Well at least as best as you are probaly going to get without Opendns potentially giving hackers too much info..

"OpenDNS was never vulnerable to this class of attack at any time. Our security model incorporates a number of security enhancements not commonly found in DNS implementations above and beyond the use of a strong TXID and source port randomization."
http://www.kb.cert.org/vuls/id/AAMN-7GDQAL

What no Mention of Dan Kaminsky? After all he is the 1 who discovered the Flaw, and is mentioned in most of your links...http://www.doxpara.com/?s=opendns, He himself suggests OpenDNS.

@infinity306

"What no Mention of Dan Kaminsky? After all he is the 1 who discovered the Flaw, and is mentioned in most of your links...http://www.doxpara.com/?s=opendns, He himself suggests OpenDNS."

Well, Dan didn't really discover THE flaw, he discovered a variation on a well known DNS cache vulnerability. What Dan did that others had so far failed to do, was to whip up sufficient industry interest and help liaise to get a fix applied. Actions for which he was rightly applauded.

As Hubert points out in his blog of July '08 [ http://blog.netherlabs.nl/articles/2008/07/09/some-thoughts-on-the-recent-dns-vulnerability ] the Kaminsky 'patch' was all well and good, but the broader issue was known about many years before then - to the point where Bernstein's 1999 release of djbdns already contained countermeasures to it and Hubert himself wrote a blog about a proposed RFC in May '06. Disappointingly, nearly three years later, it still only has 'Auth48' status but does now at least have a RFC number (http://tools.ietf.org/html/rfc5452)

Furthermore, the original question asked in this thread related to comments made by Hubert and Mockapetris _after_ the Kaminsky patch was applied. They postulated that the patch didn't absolutely stop an attack from being successful, but rather extended the probable time required from minutes to hours (given sufficient bandwidth.)

So, no mention of Dan although I admire the man's contribution(s) to DNS security.

My request was for confirmation that OpenDNS isn't vulnerable to either the specific 'long-and-hard' variation of the 'Kaminsky' vulnerability nor to DNS cache spoofing / poisoning / call it what you will in general.

I'll re-iterate that I don't think OpenDNS is vulnerable and from an operational perspective I will continue to use it and recommend it.

From an academic perspective however, I would like to see some comment and/or confirmation from OpenDNS themselves with, if possible, explanations as to why they are secure.


ATB,
Ian..

miked

"We also have countermeasures we will not be discussing publicly."

Well, that is somewhat re-assuring, but claims of security by obscurity are not 100% ideal. Do you use BIND, Unbound or your own DNS resolver/cache software? Quickly viewing your site I didn't notice where you state that.

Would OpenDNS be planning to make use of edns-ping to secure the stub resolver <-> OpenDNS hop against spoofing? While stub resolvers are more difficult to attack than public resolvers, they typically only have 16 bits of protection against spoofing, since port randomisation is either not implemented or reversed by NAT devices, which is less than ideal.

George Barwood

Hi miked,

"Have you seen the IETF draft that Bert co-authored with our CTO?"

Yes, thanks to it being mentioned it earlier in the thread. (Thanks, maintenance :-)

David (Ulevitch) has been kind enough to reply to me off-board. Amongst other things, he tells me he hopes to make a comment here soon.


ATB,
Ian..