Slashdot Mirror

← Back to Stories (view on slashdot.org)

Secure DNS a Hard Sell

Posted by ScuttleMonkey on from the underdeveloped-ideas dept.

ebresie writes "Computer Business Review Online has an interesting article about the lack of acceptance for Secure DNS." From the article: "Speaking during a workshop on the technology, Keith Schwalm of Good Harbor Consulting, a former US Secret Service agent, said that even the financial sector, traditional security early-adopters, are not rushing DNSsec."

4 of 142 comments (clear)

  1. bigger fear by keithhackworth · · Score: 5, Interesting

    I run my own DNS server at home because I have a bigger fear that my ISP's DNS may be hijacked rather than my bank. It seems like that would be the easiest hole to crack for hackers.

    I would hope that if my bank's DNS servers were hijacked that they would work with me to get any money I lost back. However, if my ISP's DNS servers were hijacked, I don't know that the bank would be as cooperative.

    Keith
    --
    Support bacteria. They're the only culture some people have.
  2. Re:Nice, but not necessary by razvedchik · · Score: 5, Informative

    I disagree. What you are talking about is the research part of a good or determined attacker. In this instance, the zone transfer is just more information on what to attack. This definitely is not a big risk.

    However, there is much more associated with DNS that you can do.

    If I am a user, what I want is 100% confidence that I am connecting to the correct server. I'm trusting in the DNS chain all the way up to the root server and then on to the authoritative server. What's to keep an attacker from routing me somewhere that I don't want to go?

    A good example is a piece of malware that changes the local DNS cache to point ebay to another server that does a man-in-the-middle attack? To the end user, it's completely invisible.

    It's fairly easy to do on a LAN by using one of the mitm tools. What you are doing is setting up a rogue DHCP server and DNS server, then you give the target computer a lease with a machine you control as the DNS server. If you control DNS, you can tell them to go anywhere you want, including sniffing their traffic, altering the content of the traffic enroute, basically whatever you want.

    --
    I do what the voices on my console tell me to do.
  3. Same as Sony by Nom+du+Keyboard · · Score: 5, Insightful
    While the vulnerabilities in the DNS are well known, the absence of widespread attacks, regulations, and proven business models are holding back DNSsec adoption

    One could have said the same thing about music CD DRM (e.g. the Sony XCP RootKit) -- or the 9/11 terrorist attacks for that matter.

    There's not a problem with it -- until there's a big problem with it. Then everyone asks why wasn't something done to protect us against it?

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  4. dnssec and nym ala dan by arakis · · Score: 5, Interesting

    Dan is the man in DNS. He pretty much explains why they don't have implementation here:

    http://cr.yp.to/djbdns/forgery.html

    You might not like Dan, but he doesn't get things wrong very often.