Some security consultants are now saying that these DNS vulnerabilities represent a flaw in the DNS protocol itself, and cannot be eliminated entirely. At least one leading expert has said "...thinking that software can protect you... with the current DNS protocol is like thinking that shorts and a T-shirt will protect you from the winter wind in Chicago."
The comment appeared in a message posted to "bugtraq", a security-related mailing list.
Security advisories released in April 1997 by Secure Networks Inc. and Core Seguridad outlined, and addressed, the same vulnerability as was documented and published by CAIS and CERT last week.
A simple fix, which could have been used to minimise the vulnerabilities, was determined years ago as a result of discussions and development that occurred in response to the 1997 advisories being released.
A security "patch" for BIND was written to resolve issues raised in the 1997 advisory. Comments in the code make note that "...brute force attempts are entirely feasible" and then go on to make a very simple technical note of how to minimise the impact of the vulnerabilities.
It is unclear why so many DNS implementations are still vulnerable to an attack that was clearly outlined in advisories and discussions more than five years ago.
Domain Name Servers (DNS) match Internet domain names to numerical Internet Protocol (IP) addresses, somewhat like a phone book matching names to phone numbers. The most recently reported vulnerabilities make it possible for an attacker to fudge the information contained in a DNS, hence redirecting Internet users to bogus IP addresses.

So much for the much-touted theory that open-source software will save us from all these woes; the truth is that most newbie script-kiddies who want to play with Linux and other non-MS OS's can't program for nuts - which includes reading (let alone fixing!) the code of other programmers.