Comet Blog
Ramblings of Comet--Berkeley

Internet Design Vulnerability - DNS and BIND

Tuesday, August 26, 2008   11:20:00 AM PDT

The internet was originally designed by military scientists to be invulnerable to physical attacks on centralized switching/routing facilities.

So the internet does not rely on a centralized routing system but instead relies on a distributed routing system.

Where were the issues of identification, authorization, etc that are so vital to business accounting covered?

These business/security issues were never in the original design...


DNS, domain name resolution, is a critical piece of the internet. It is the process by which a domain name such as "" is turned into a number such as

It is something that everyone's web browser does silently every time a web link is accessed and most people don't pay much attention to it.

Every time you ask your web browser for a page it goes out to the internet, typically to a server called "BIND" that is provided by your ISP, internet service provider. BIND takes the domain name that the web browser provides and returns back an ip address. It takes and returns

D. J. Bernstein hated the internet standard BIND program for DNS resolution so much that the decided to write his own DNS resolver, djbdns:

I was curious about why he re-wrote BIND and had no particular opinion about it until I saw the recent debacle with DNS BIND caching this July:

And the fix announced at the August Defcon and then the unfix reported by a Russian hacker in the New York Times:

Bind has lots of problems and they are not just programming problems but basic design problems.

To quote the NY Times article, "The root of the problem lies in the fact that the address system, which was invented in 1983, was not meant for services like electronic banking that require strict verification of identity."

djbdns is a step in the right direction but it is not enough as the current DNS system is flawed from the beginning and will always be vulnerable to forgery.

As D. J. Bernstein says in his article on DNS Forgery, "An attacker with access to your network can easily forge responses to your computer's DNS requests."

He suggests using public key cryptography and maybe that is the best solution for now.

Of course the ideal solution is to not do banking/accounting/etc at all on a public networks, but only on private networks.

Back to Comet Blog.