Slashdot Mirror


Perils of DNS at RIPE-52

An anonymous reader wrote in to say that "The RIPE meeting got off to a good start yesterday (for those of you outside Europe, RIPE is the European counterpart to ARIN). Emin Sirer from Cornell presented his study of DNS vulnerabilities. The results are staggering: the average name depends on four dozen nameservers, 30% of domains are vulnerable to domain hijacks by simple script kiddies, 85% of domains are vulnerable to hijacks by attackers that can DoS two hosts. The lesson: DNS must be managed by professionals, and the pros have to pay attention to the DNS delegation graph when they set up name servers."

3 of 71 comments

  1. How many lookups to get to the center? by Intron · Score: 3, Insightful

    To look up www.futurequest.net (for example) requires:

    Ask one of the 13 root servers who is nameserver for .net
    Get back (A-M).GTLD-SERVERS.NET, they thoughtfully include IPs
    Now ask a GTLD who has futurequest.net
    Get back (ns1-ns3).futurequest.net, includes IPs
    Now ask ns1 who www is
    It provides IP for www is 69.5.6.116

    So I guess there were 30 IP addresses involved, but I don't see the arcane resolution problems that this paper talked about. Maybe .edu domains are a little more haphazard?

    --
    Intron: the portion of DNA which expresses nothing useful.
  2. Re:Associated paper with more details. by ??? · Score: 3, Insightful

    None of these points attacks the core thesis of the paper, IMHO. The vulnerability stats were rough, and were only used tangentially to the argument. The argument is that in practice, there is a larger (and deeper) trust graph (and thus a larger attack exposure) associated with a given name than would appear to immediate observation. This should raise concern, regardless of the incidence of vulnerable DNS servers.

  3. Is it a problem or just redundant systems (good)? by khasim · Score: 3, Insightful

    I was wondering that when I was reading the article.

    If you (correctly) configure your systems, you'll have 3 different DNS boxes on 3 different networks so any single problem won't take all of them out.

    Okay, that does mean that you've just increased your attack visibility by 3x, but ... so what?

    And yes, if an attacker can get control of 1 of those boxes and DDoS the other 2 then he can redirect those queries to whatever box he wants to.
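
Both the resolution walk in comment 1 and the "control one box, DoS the other two" scenario in comment 3 can be put into code. What follows is an added example, not from the Slashdot post, any of the commenters, or Sirer's paper. It walks a constructed miniature delegation graph the way an iterative resolver would, counts the name servers a hostname transitively depends on (including servers that are pulled in only because a name server's own name lives in another zone), and computes how many hosts an attacker who already controls one given server would have to DoS so that every query for the name ends up at a server they control. The root and .net server names are the real ones and futurequest.net's three servers are the ones comment 1 lists; every zone under .edu and .example is hypothetical, invented so that some NS names resolve through zones other than the one they serve. The model ignores glue records, caching and resolver server selection: a name server's address is assumed to be obtained by resolving its name through the delegation chain, and a zone counts as captured when the attacker answers from one of its servers while the others are down.

```python
"""Toy DNS delegation-graph walk (added example, not from the page).

Names are absolute, lower-case and end in a dot, as a resolver sees them.
"""
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed miniature namespace: zone -> NS host names.  The root and
# .net server names are real and futurequest.net's are the ones comment 1
# lists; every zone under .edu and .example is hypothetical, made up so
# that some NS names live outside the zone they serve.
ZONES: Dict[str, List[str]] = {
    ".": [f"{c}.root-servers.net." for c in "abcdefghijklm"],
    "net.": [f"{c}.gtld-servers.net." for c in "abcdefghijklm"],
    "futurequest.net.": ["ns1.futurequest.net.", "ns2.futurequest.net.",
                         "ns3.futurequest.net."],
    "edu.": ["a.edu-servers.net.", "c.edu-servers.net.", "d.edu-servers.net."],
    "example.edu.": ["ns.example.edu.", "dns.provider.example."],
    "example.": ["a.nic.example.", "b.nic.example."],
    "provider.example.": ["dns.provider.example.", "dns2.other.example."],
    "other.example.": ["ns.other.example."],  # a single, forgotten box
}


def zone_path(name: str) -> List[str]:
    """Zone cuts an iterative resolver crosses for `name`, root first."""
    labels = name.rstrip(".").split(".") if name != "." else []
    path = ["."]
    for i in range(len(labels) - 1, -1, -1):
        zone = ".".join(labels[i:]) + "."
        if zone in ZONES:
            path.append(zone)
    return path


def dependencies(name: str) -> Tuple[Set[str], Set[str]]:
    """Zones and NS hosts that resolving `name` transitively relies on.

    Every NS host name must itself be resolved, so its own zone path is
    followed too.  Glue is ignored; cycles such as root-servers.net -> net.
    are cut by the visited sets."""
    zones: Set[str] = set()
    servers: Set[str] = set()
    todo = [name]
    while todo:
        for zone in zone_path(todo.pop()):
            if zone in zones:
                continue
            zones.add(zone)
            for ns in ZONES[zone]:
                if ns not in servers:
                    servers.add(ns)
                    todo.append(ns)
    return zones, servers


Plan = Tuple[int, List[str]]  # (hosts to DoS, human-readable steps)


def cheapest_hijack(name: str, owned: Set[str],
                    _visited: FrozenSet[str] = frozenset()) -> Optional[Plan]:
    """Fewest hosts to DoS so every query for `name` ends at a server the
    attacker controls, given that the NS hosts in `owned` are already theirs.

    A zone is captured by answering from one of its servers (owned outright,
    or reached by capturing a zone that server's name resolves through)
    while its sibling servers are knocked out.  None means no path exists."""
    best: Optional[Plan] = None
    for zone in zone_path(name):
        if zone in _visited:
            continue
        servers = ZONES[zone]
        for s in servers:
            if s in owned:
                sub: Optional[Plan] = (0, [])
            else:
                sub = cheapest_hijack(s, owned, _visited | {zone})
            if sub is None:
                continue
            others = len(servers) - 1
            plan = (sub[0] + others,
                    sub[1] + [f"capture {zone} via {s}, DoS {others} sibling NS"])
            if best is None or plan[0] < best[0]:
                best = plan
    return best


if __name__ == "__main__":
    for target, owned in [("www.futurequest.net.", {"ns2.futurequest.net."}),
                          ("www.example.edu.", {"ns.other.example."})]:
        zones, servers = dependencies(target)
        print(f"{target}: {len(servers)} name servers across {len(zones)} zones")
        plan = cheapest_hijack(target, owned)
        if plan is None:
            print(f"  owning {sorted(owned)} gives no path to {target}")
        else:
            print(f"  owning {sorted(owned)}: hijack by DoSing {plan[0]} host(s)")
            for step in plan[1]:
                print("   ", step)
```

For www.futurequest.net. this reports 29 name servers in 3 zones, close to comment 1's count of 30 addresses, and a hijack cost of 2 when the attacker owns ns2, which is the situation comment 3 describes. For the hypothetical www.example.edu. the count grows to 35 servers in 7 zones because two NS names resolve through other zones, and owning the single server of other.example., a zone nobody would list as part of example.edu, also hijacks the name after DoSing two hosts. That indirect path is the delegation-graph exposure comment 2 is pointing at: the servers that matter are not only the ones in your own NS records.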