In the process of writing MaraDNS, I did a lot of online research about DNS and how DNS worked, including reading Dan Bernstein’s then excellent notes about protecting DNS servers from spoofing attacks.
Indeed, I noted, back in 2001—the year I started implementing Mara—that MaraDNS used cryptography to protect her from a “spoofing attack”.
This spoofing attack was only theoretical back in 2001. It did not become a practical attack for over half a decade.
In 2008, Dan Kaminsky finally found a way to implement the spoofing attack I went to some effort to protect MaraDNS from back in 2001.
This attack got a lot of attention and press at the time. MaraDNS was not vulnerable to the attack, but other DNS servers were vulnerable.
This attack was very helpful in giving MaraDNS more press and attention in an era when getting a job in the tech industry was very difficult. Indeed, two years later, I was able to get two job offers in a very slow economy because of my work on MaraDNS.
Writing a DNS server and making it secure is a lot of work behind the scenes. The work I did protecting MaraDNS from the attack Kaminsky implemented required adding an entire cryptographic library to MaraDNS’s code so she would not be vulnerable to the attack. Since this code did not add any shiny features to MaraDNS, it was not visible to users of the software until Kaminsky’s attack.
I appreciate Kaminsky going to a lot of effort to make what was a theoretical attack practical.
Rest in peace, Dan Kaminsky, and prayers for his family and friends. He was a very good colleague and someone who I am honored to have interacted with. It has been a very deep honor to interact with Kaminsky while he was still with us.
Last month, I released MaraDNS 3.5.0019. This is MaraDNS 3.5.0018 with a one-line patch added to allow the Zoneserver daemon to run better under systemd.
The picture is a self-portrait of Kaminsky that he released under a Creative Commons license. I have altered the work to make it a picture I can include in my blog.