Slashdot Mirror


Secure DNS a Hard Sell

ebresie writes "Computer Business Review Online has an interesting article about the lack of acceptance for Secure DNS." From the article: "Speaking during a workshop on the technology, Keith Schwalm of Good Harbor Consulting, a former US Secret Service agent, said that even the financial sector, traditional security early-adopters, are not rushing DNSsec."

10 of 142 comments

  1. Nice, but not necessary by ehaggis · · Score: 4, Interesting

    DNS, if configured correctly, works well. Blind zone transfers and poor setup are usual culprits with exploits. A secure(r) DNS would be nice, but I think there are bigger security fish to fry.

    --
    One ring to bind them - should probably have more fiber and less rings in their diet.
    1. Re:Nice, but not necessary by razvedchik · · Score: 5, Informative

      I disagree. What you are talking about is the research part of a good or determined attacker. In this instance, the zone transfer is just more information on what to attack. This definitely is not a big risk.

      However, there is much more associated with DNS that you can do.

      If I am a user, what I want is 100% confidence that I am connecting to the correct server. I'm trusting in the DNS chain all the way up to the root server and then on to the authoritative server. What's to keep an attacker from routing me somewhere that I don't want to go?

      A good example is a piece of malware that changes the local DNS cache to point eBay to another server that does a man-in-the-middle attack. To the end user, it's completely invisible.

      It's fairly easy to do on a LAN by using one of the mitm tools. What you are doing is setting up a rogue DHCP server and DNS server, then you give the target computer a lease with a machine you control as the DNS server. If you control DNS, you can tell them to go anywhere you want, including sniffing their traffic, altering the content of the traffic en route, basically whatever you want.

      --
      I do what the voices on my console tell me to do.
  2. Hard to understand by Mr. Flibble · · Score: 4, Insightful

    Enough of my customers don't understand REGULAR DNS, never mind secure DNS. The only way that this is likely to be adopted is to have the top level name servers eventually require the secure extensions. I doubt, however, that that will happen.

    As it is now, I have my users going to their registrars and deleting the 'A' records because: "There is no A on my website."

    --
    Try to hack my 31337 firewall!
  3. bigger fear by keithhackworth · · Score: 5, Interesting

    I run my own DNS server at home because I have a bigger fear that my ISP's DNS may be hijacked rather than my bank. It seems like that would be the easiest hole to crack for hackers.

    I would hope that if my bank's DNS servers were hijacked that they would work with me to get any money I lost back. However, if my ISP's DNS servers were hijacked, I don't know that the bank would be as cooperative.

    Keith
    --
    Support bacteria. They're the only culture some people have.
    1. Re:bigger fear by Dolda2000 · · Score: 4, Interesting

      That oughtn't be a great problem, however, since your bank (hopefully?) uses an SSL certificate to assure you that you are on the right web site. If you click past the SSL warning that says that the certificate doesn't match the domain name when you go to do some on-line banking, you really shouldn't be all too surprised to find all your money gone the next day.

    2. Re:bigger fear by hal9000(jr) · · Score: 4, Informative

      But if your ISP's DNS has been poisoned, then the attacker can resolve any host to the IP address of their choice. If I control your ISP DNS server and I tell it that www.amazon.com resolves to 192.168.10.1 which is a web server I control, then I can send you a certificate claiming to be from www.amazon.com, and the DNS name will match the FQDN in the certificate. That wouldn't be a problem.

      You will get an error dialog in the browser because YOUR browser certificate store probably doesn't have the signing CA certificate the attacker used to create the SSL cert for the rogue web server in the first place. But that is a different problem altogether.

    3. Re:bigger fear by Agelmar · · Score: 4, Insightful

      This is a valid point, especially when you look at the number of small fish in the pond. You have small registrars, you have small CAs (do you really trust Unizeto? I don't even know what it is, and yet by default Mozilla gives it the same trust as it gives Verisign.) Even so, I posit that it really doesn't matter how much trust I can place in the CAs and the registrars, because the (unfortunate) end result is that most users, when presented with a certificate error, simply click OK. We train users to do this. Many corporate and educational entities set up their own CAs, and then when users see a message in their browser about an untrusted CA, the tech staff just tells them to 'click ok'. As such, the user is now conditioned to click 'OK'. What have we done? Totally diminished the usefulness of the trust aspect of SSL.

  4. Same as Sony by Nom du Keyboard · · Score: 5, Insightful

    While the vulnerabilities in the DNS are well known, the absence of widespread attacks, regulations, and proven business models are holding back DNSsec adoption

    One could have said the same thing about music CD DRM (e.g. the Sony XCP RootKit) -- or the 9/11 terrorist attacks for that matter.

    There's not a problem with it -- until there's a big problem with it. Then everyone asks why wasn't something done to protect us against it?

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  5. dnssec and nym ala dan by arakis · · Score: 5, Interesting

    Dan is the man in DNS. He pretty much explains why they don't have implementation here:

    http://cr.yp.to/djbdns/forgery.html

    You might not like Dan, but he doesn't get things wrong very often.

  6. Actually, existing DNS can be very insecure... by hkhito · · Score: 4, Informative

    ... even at very well managed sites. This recent paper from Cornell lays out some of the problem, showing how even the www.fbi.gov name can be hijacked by hacking into seemingly completely unrelated servers, such as one of the name servers at telemail.net.

    So for example, to hijack www.hsbc.com, you don't have to worry just about hsbc's name servers, com's name servers, and the root name servers. You also have to worry about the other servers that hsbc and com have delegated to, and the servers that they have delegated to, and on and on.
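
The transitive delegation dependency described in the last comment can be audited for names you operate. This is an added example, not part of the thread or the cited paper: it walks a constructed delegation map and separates the nameservers directly above a name from those it depends on only indirectly. All zone and server names are placeholders under reserved TLDs, and the model is simplified (glue records are ignored).

```python
from collections import deque

# Constructed delegation map (zone -> nameserver host names). All names use
# reserved TLDs and are placeholders, not measurements of any real domain.
ZONE_NS = {
    "": ["a.root.invalid"],                      # root zone, known from hints
    "example": ["ns.nic.example"],
    "bank.example": ["ns1.bank.example", "ns.hosting.test"],
    "test": ["ns.nic.test"],
    "hosting.test": ["ns.hosting.test", "ns.backup.test"],
    "backup.test": ["ns.oldbox.backup.test"],
}


def enclosing_zones(name, zone_ns=ZONE_NS):
    """Zones in the map that sit on the path from the root down to `name`."""
    labels = name.rstrip(".").lower().split(".")
    suffixes = [".".join(labels[i:]) for i in range(len(labels), -1, -1)]
    return [z for z in suffixes if z in zone_ns]


def direct_servers(name, zone_ns=ZONE_NS):
    """Nameservers of the zones directly above `name` (the obvious set)."""
    return {ns for z in enclosing_zones(name, zone_ns) for ns in zone_ns[z]}


def trust_closure(name, zone_ns=ZONE_NS):
    """Every nameserver that resolving `name` can depend on, transitively.

    A nameserver is itself a host name that must be resolved, so the zones
    above it (and their nameservers) join the dependency set as well.
    """
    seen_zones, servers = set(), set()
    queue = deque([name])
    while queue:
        host = queue.popleft()
        for zone in enclosing_zones(host, zone_ns):
            if zone in seen_zones:
                continue
            seen_zones.add(zone)
            for ns in zone_ns[zone]:
                if ns not in servers:
                    servers.add(ns)
                    queue.append(ns)
    return servers


if __name__ == "__main__":
    target = "www.bank.example"
    direct = direct_servers(target)
    print("direct:  ", sorted(direct))
    print("indirect:", sorted(trust_closure(target) - direct))
```

The indirect set is the part that the operator of the target name does not control or usually monitor; with real data the map would be built from NS lookups for each zone.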