Slashdot Mirror


What Could You Do With a Bogus Root Name Server?

Barlaam notes a post from the Renesys Blog which follows up on news they discussed a couple weeks ago about the 'identity theft' of a root name server. To emphasize the issue of safeguarding such a system, they've now posted an explanation of exactly how the situation could be exploited. "It shouldn't be too hard to see that you could end up answering every DNS query from an organization that came to you for an updated list of root name servers. Every one. And you might end up doing this for a very long time, especially if your answers were largely correct. An attack like this would have no resemblance to the YouTube hijack, where the entire planet gets a blank page and it's immediately apparent that something isn't right. Obvious events like this will continue to occur, and we'll continue to resolve them relatively quickly. But as this incident demonstrates, DNS hijacks are far less obvious and potentially far more harmful."

120 comments

  1. Its simple... by Indes · · Score: 5, Funny

    .. do what we do every night.. try to take over the world!!

    (Seriously, Imagine borrowing every bank's front page in North America .... You could be cashing in big time..... )

    1. Re:Its simple... by Anonymous Coward · · Score: 0

      Or, you could butter it! Did anyone else read What Can You Do With A Shoe? as a child?

    2. Re:Its simple... by Anonymous Coward · · Score: 5, Funny

      I would reroute all of 4chan's traffic to fbi.gov

    3. Re:Its simple... by Anonymous Coward · · Score: 1, Funny

      Reroute all of fbi.gov's traffic to 4chan

    4. Re:Its simple... by HTH+NE1 · · Score: 1

      What could you do with a bogus root name server
      What could you do with a bogus root name server
      What could you do with a bogus root name server
      Er'ly in the mornin'?

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    5. Re:Its simple... by treeves · · Score: 1

      That's got too many syllables for the tune.

      --
      ...the future crusty old bastards are already drinking the Kool-Aid.
    6. Re:Its simple... by HTH+NE1 · · Score: 1

      That's got too many syllables for the tune.

      It didn't stop Band-Aids from adding the word "brand" to their jingle. Just double-beat "Drunk-" and "-lor" for "bogus" and "server"; it's a bit of a tongue-twister, but that's part of the fun! Especially when you continue it with the next verse:

      Impersonatewindowsupdate and serve up malware
      Impersonatewindowsupdate and serve up malware
      Impersonatewindowsupdate and serve up malware
      Er'ly in the mornin'!
      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  2. Hmmm... by cp.tar · · Score: 2, Informative

    ... so, you answer nearly all of them correctly.
    Except for the precious few, which, say, redirect you to almost exact copies of pages which take your credit card data.

    Or did I get it wrong?

    --
    Ignore this signature. By order.
    1. Re:Hmmm... by tomhudson · · Score: 5, Funny

      You could send all Obama's web traffic to Clinton's web site ... oops, already been done!

    2. Re:Hmmm... by cjb658 · · Score: 1

      How about...redirecting ifpi.org to piratebay!

      Oh wait, that's also been done.

  3. easy by circletimessquare · · Score: 5, Funny

    i would redirect http://slashdot.org/ to http:///..org

    yeah how funny is it now that the joke is on the other foot biatches!

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:easy by Odiumjunkie · · Score: 1

      >i would redirect http://slashdot.org/ to http:///..org

      Actually, I have a Firefox Smart Bookmark set up so that ./ in the location bar redirects to http://www.slashdot.org

    2. Re:easy by dextromulous · · Score: 1

      Actually, I have a Firefox Smart Bookmark set up so that ./ in the location bar redirects to http://www.slashdot.org

      Interesting, is there some reason that you need to type /. backwards in order to have that work properly?
      --
      There are two types of people in the world: those who divide people into two types and those who don't.
    3. Re:easy by IAmGarethAdams · · Score: 1
    4. Re:easy by Odiumjunkie · · Score: 1

      >Interesting, is there some reason that you need to type /. backwards in order to have that work properly?

      Nope, typo.

    5. Re:easy by Brad+Eleven · · Score: 1

      I worked with a guy who had shell aliases like "mkae", "maek", etc. for "make" and other typos. A little goofy, but effective.

      --
      "Press to test."
      (click)
      "Release to detonate."
    6. Re:easy by Anonymous Coward · · Score: 0

      And once again, Opera has built-in support for what takes hours to do in Fx ;)
      [Anon because I already moderated]

  4. I've heard of this new technology... by ZeroPly · · Score: 3, Interesting

    ... whereby you can actually "sign" digital data so that it's clear where it came from. If somehow they could incorporate that into this whole "DNS" system, maybe it would fix the problem?

    --
    Support microSD: in a post 9/11 world, it is unwise to carry your data on media that you cannot comfortably swallow.
    1. Re:I've heard of this new technology... by Anonymous Coward · · Score: 0

      Digitally signing every DNS request? Good luck handling the computational load :)

    2. Re:I've heard of this new technology... by imipak · · Score: 4, Informative

      I think the OP's referring to TSIG and its variants.

    3. Re:I've heard of this new technology... by klapaucjusz · · Score: 4, Interesting

      DNSSEC has gone through three (3) mutually incompatible specifications. The DNSSEC people are claiming that the last revision really really works, honest, gov, and that all that remains to be done is deploying it.

      But they don't appear to be deploying it on their own servers.

    4. Re:I've heard of this new technology... by klapaucjusz · · Score: 4, Informative

      But they don't appear to be deploying it on their own servers.

      I've just checked -- and the ISC do sign their zone. Sorry for the mis-information.

    5. Re:I've heard of this new technology... by Anonymous Coward · · Score: 4, Insightful

      Digitally signing every DNS request? Good luck handling the computational load :)

      You don't need to sign the requests, you need to sign the replies. And you only need to compute the signing once, and store the signed value.

    6. Re:I've heard of this new technology... by Anonymous Coward · · Score: 0

      Maybe they're using an unreleased fourth (4) incompatible specification.

    7. Re:I've heard of this new technology... by mpeg4codec · · Score: 2, Informative

      DNSSEC in its current state would not prevent any of the attacks mentioned in the article. The root currently does not sign its zone, and as such there is no way to trace a secure delegation to a non-root zone.

      The entire security of DNS as provided by DNSSEC is predicated on the ability to trace a secure delegation. The general theory of operation is that you'd preconfigure your resolver with cryptographic hashes of the root's public DNSKEY records. Then every time you wanted to do a secure lookup, you'd begin at the root, first asking for its DNSKEYs (assuming you didn't have them cached) and then verifying those using your preconfigured hashes. It would then give you the records you asked for, likely the nameservers and DS records for the next level of the hierarchy. That zone's nameservers would then give you their DNSKEYs, which you could verify with the DS records from the root, and you continue the process of DS + NS followed by DNSKEY verification until you're in the zone you're looking for.

      Until the root is signed and until we have resolvers that both support DNSSEC and have been pre-configured with those key hashes, DNSSEC doesn't do us much good. Various research projects have been formed around the notion that the root will never be signed but that it should still be possible to configure a secure system. One of the most promising is a perspectives-based approach, the theory being that a worldwide monitoring system would be harder to spoof, so use this information as a sort of key repository for the apexes of the islands of security. You can trace a secure delegation from any of these zones down to a sub zone, but the weak point of your system is still the fact that you have to trust someone somewhere, and the only real trustworthy place is the root itself. It's something of a hack on top of an academic system that has limited utility in practical applications.
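
The hash links of the chain described in the comment above, as an added example that is not part of the original thread: a preconfigured hash of the root's DNSKEY, then DS records tying each parent to its child's DNSKEY (DS digest and key tag computed as in RFC 4034). The zone names, the seed-derived "keys" and the `walk_chain` helper are constructed for illustration, and RRSIG signature verification, which a real validator also performs at every step, is left out.

```python
import hashlib
import struct
from dataclasses import dataclass


def wire_name(name: str) -> bytes:
    """Canonical (lower-case) DNS wire format of an absolute name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int          # 257 marks a key-signing key
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        # Flags (2 bytes) | Protocol (always 3) | Algorithm | Public Key
        return struct.pack("!HBB", self.flags, 3, self.algorithm) + self.public_key


@dataclass(frozen=True)
class DS:
    owner: str
    key_tag: int
    algorithm: int
    digest: bytes       # SHA-256 digest (DS digest type 2)


def key_tag(rdata: bytes) -> int:
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(key: DNSKEY) -> DS:
    """DS digest = SHA-256(owner name in wire format | DNSKEY RDATA)."""
    digest = hashlib.sha256(wire_name(key.owner) + key.rdata()).digest()
    return DS(key.owner.lower(), key_tag(key.rdata()), key.algorithm, digest)


def ds_matches(ds: DS, key: DNSKEY) -> bool:
    return make_ds(key) == ds


def walk_chain(anchor: DS, path: list, answers: dict) -> tuple:
    """Follow DS -> DNSKEY links from the trust anchor down `path`.

    `answers` maps each zone to what its servers returned: its DNSKEY set
    and the DS sets it publishes for child zones.
    Returns (True, None) or (False, zone_where_the_chain_broke).
    """
    expected = [anchor]
    for i, zone in enumerate(path):
        keys = answers[zone]["dnskey"]
        if not any(ds_matches(ds, key) for ds in expected for key in keys):
            return False, zone
        if i + 1 < len(path):
            expected = answers[zone]["ds"].get(path[i + 1], [])
    return True, None


PATH = [".", "org.", "example.org."]


def demo_key(owner: str, seed: bytes) -> DNSKEY:
    # Constructed stand-in for a public key: 128 bytes derived from a seed.
    return DNSKEY(owner, 257, 8, hashlib.sha256(seed).digest() * 4)


def build_tree(tag: bytes) -> dict:
    """An internally consistent hierarchy whose keys all derive from `tag`."""
    root, org, example = (demo_key(zone, tag + zone.encode()) for zone in PATH)
    return {
        ".": {"dnskey": [root], "ds": {"org.": [make_ds(org)]}},
        "org.": {"dnskey": [org], "ds": {"example.org.": [make_ds(example)]}},
        "example.org.": {"dnskey": [example], "ds": {}},
    }


HONEST = build_tree(b"real ")
BOGUS = build_tree(b"imposter ")     # what a bogus root could serve
ANCHOR = make_ds(HONEST["."]["dnskey"][0])   # preconfigured in the resolver

if __name__ == "__main__":
    print("honest tree, real anchor:", walk_chain(ANCHOR, PATH, HONEST))
    print("bogus tree, real anchor: ", walk_chain(ANCHOR, PATH, BOGUS))
    bogus_anchor = make_ds(BOGUS["."]["dnskey"][0])
    print("bogus tree, bogus anchor:", walk_chain(bogus_anchor, PATH, BOGUS))
```

The bogus tree is consistent with itself, so it only fails because the anchor was configured out of band; a resolver that learns its anchor from the same server it is validating accepts everything.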

    8. Re:I've heard of this new technology... by Varun+Soundararajan · · Score: 1

      If you implement this, the whole world will be slashdotted soon.. You know what I mean ;)

  5. Simple recipe by canuck57 · · Score: 5, Insightful

    If you have lost DNS, game is over, you lose. A recipe if your system hits a compromised root server.

    • You open up email to read today's email. Your PC looks up pop3.yourisp.com.
    • DNS returns the IP of evil PC to your PC which will connect to it.
    • Next, evil PC will emulate your login, IP address and record the password. Could even be a /. password.
    • Evil pc now has the info needed to read/retrieve your email.

    Better yet, people often use similar IDs and passwords into other systems. Evil hackers can often use the email to figure out which banks, credit, stock brokers and on line e-tailers you use. Maybe change the home address of your Amazon account and order stuff, if the e-tailer isn't right on top of it.

    Root servers need to be secure, end of story.

    I should note the above method would also work with SSL, be creative, it only has to be a legitimate cert with a root chain.

    1. Re:Simple recipe by Joe+The+Dragon · · Score: 3, Insightful

      ISP can make so that pop3 only works from inside of their own network and force you to have a different web mail password not use the same login in system for web mail and pop3 mail.

    2. Re:Simple recipe by imipak · · Score: 4, Insightful
      Oh good god, that's just the tip of the iceberg. More likely would be to MitM some large corps' Outlook Web Access or other places where domain credentials are exposed (VPNs and the like.) Wait until you've got a domain admin's password. You now own that entire corp. Now rinse and repeat for government bodies. How hard do you think it would be for the proverbial well-motivated and resourced attacker to trigger off a war in such circumstances?

      Think about it.

    3. Re:Simple recipe by Anonymous Coward · · Score: 1, Informative

      I should note the above method would also work with SSL, be creative, it only has to be a legitimate cert with a root chain.

      Absolutely not. Do you know anything about SSL?

      The certificate has to be signed by a legitimate Certificate Authority, and be in the name of pop3.yourisp.com. Otherwise your email program says "Hey! I was expecting a certificate for pop3.yourisp.com, when I got a certificate for pop3.evilisp.com!".

      Well, most email programs will. Even Outlook will do that.

      You can mess up a lot with DNS. But it doesn't break SSL in the slightest.

    4. Re:Simple recipe by bconway · · Score: 1

      ISP access restrictions on their servers won't do anything for a client unknowingly connecting to a 3rd party via DNS hijacking/poisoning.

      --
      Interested in open source engine management for your Subaru?
    5. Re:Simple recipe by Consul · · Score: 1

      For a second there, I thought you had just introduced me to a new technical term I had never heard before. :-) We now must find a networking meaning for "chanted" and start using it.

      --

      -----

      "You spilled my egg... I needed that egg."

    6. Re:Simple recipe by Vellmont · · Score: 4, Informative


      If you have lost DNS, game is over, you lose. A recipe if your system hits a compromised root server.

      Unless you happen to have SSL enabled pop or imap.

      A (revised) recipe for an SSL enabled mail host:
      • You open up email to read today's email. Your PC looks up pop3.yourisp.com.
      • DNS returns the IP of evil PC to your PC which will connect to it.
      • Evil PC returns a forged SSL certificate claiming to be pop3.yourisp.com
      • Your email client brings up an error message saying there's something wrong with this certificate (self signed, etc)
      • You hopefully get suspicious, (this never having happened before), and don't click through.
      • Attack fails.

      If you don't get suspicious, and just click OK, you're right. But the situation isn't quite as dire as you make it out to be. I'd never connect to a non-secure host for something like email.

      --
      AccountKiller
    7. Re:Simple recipe by fishbowl · · Score: 1

      >If you have lost DNS, game is over, you lose.

      I play the TLS trump card.

      --
      -fb Everything not expressly forbidden is now mandatory.
    8. Re:Simple recipe by MushMouth · · Score: 4, Informative

      Amazon makes you re-enter the complete credit card number if you ship to a new address.

    9. Re:Simple recipe by kvezach · · Score: 1
      All the more reason for protocols to start using real security. Imagine the attack with password authenticated key exchange:
      • You open up to read email. Your PC looks up mail.yourhost.com
      • DNS returns the IP of the Evil Impersonator.
      • You connect to the Evil Impersonator and start the protocol.
      • Evil Impersonator runs PAKE protocol in question, impersonating mail.yourhost.com, based on a guess of your password.
      • Your client says "incorrect password". You try a few more times and get really suspicious.
      • Because the PAKE protocol is a key exchange, the evil impersonator learns nothing unless he guessed the right password. Because it uses a preshared secret (the password itself), he can't MITM unless he guessed the right password, either.
      • Attack fails.

      At this point, old inertia hits me on the head (can't change the protocols because everyone's using the old ones), but the point is that online password authentication is essentially solved. The rest is an engineering problem :)
    10. Re:Simple recipe by Niten · · Score: 0, Redundant

      I respond with the "your web browser honors 50 billion different CAs by default, and getting an illicit certificate signed by a single one of them won't be difficult" card.

    11. Re:Simple recipe by jeiler · · Score: 1, Insightful

      Instead of a MitM attack, would it be possible to do a "proxy-in-the-middle" attack?

      * User opens up to read email/connect to their bank account/something secure.
      * DNS returns IP of evil impersonator (EI) instead of Real Computer (RC).
      * User requests connection from EI. EI transparently proxies that connection to RC, while listening for the password that authenticates the key exchange.
      * Profit! Or would it be?

      I can't imagine this kind of hole not already being covered, but it seems like it would be feasible without some form of encryption on the initial password itself.

      --

      If you haven't been down-modded lately, you aren't trying.

      Sacred cows make the best hamburger.

    12. Re:Simple recipe by jonaskoelker · · Score: 1

      The rest is an engineering problem :)

      I thought engineering was restricted to levels 1 through 7 ;)
    13. Re:Simple recipe by kvezach · · Score: 2, Informative

      No, because without a password, most password authenticated key exchange algorithms have the same security properties as Diffie-Hellman. In other words, even if you knew the password, you couldn't snoop the connection passively. The only way to thwart it is by an active attack, but for that you need the password, otherwise the two parties' keys won't match.

      See SPEKE, for instance, which is pretty much a Diffie-Hellman key exchange with the (fixed) generator constant replaced by a hash of the password. Snooping SPEKE only gives the adversary g^a mod p and g^b mod p (as well as the combinations as in ordinary DH), where a and b are secret and p is known. That does no good in finding g (the hash of the password) unless the adversary can break the discrete logarithm problem, in which case you've got bigger problems on your hands.
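
The SPEKE exchange described in the comment above, as an added example that is not part of the original thread: Diffie-Hellman where the generator is derived from the password, followed by a key-confirmation tag so that a responder holding the wrong password is detected. Squaring the hash into the prime-order subgroup, the choice of the RFC 2409 Oakley Group 1 prime (far too small for real use), the confirmation step and the sample passwords are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

# 768-bit safe prime from RFC 2409 (Oakley Group 1); demonstration size only.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF",
    16,
)
Q = (P - 1) // 2  # order of the subgroup of squares, prime because P is safe


def password_generator(password: str) -> int:
    """Map the password to a generator: g = H(password)^2 mod P."""
    h = int.from_bytes(hashlib.shake_256(password.encode()).digest(96), "big") % P
    return pow(h, 2, P)


class SpekeParty:
    """One side of the exchange; the password never goes on the wire."""

    def __init__(self, password: str):
        self._g = password_generator(password)
        self._x = secrets.randbelow(Q - 1) + 1      # secret exponent in 1..Q-1
        self.public = pow(self._g, self._x, P)      # the value sent to the peer

    def session_key(self, peer_public: int) -> bytes:
        # Reject 0, 1 and P-1, which would force a predictable shared value.
        if not 2 <= peer_public <= P - 2:
            raise ValueError("degenerate public value")
        shared = pow(peer_public, self._x, P)
        return hashlib.sha256(shared.to_bytes(96, "big")).digest()


def confirmation_tag(key: bytes, role: bytes) -> bytes:
    """Proof of knowing the session key without revealing it."""
    return hmac.new(key, b"SPEKE confirm " + role, hashlib.sha256).digest()


def login(client_password: str, responder_password: str) -> bool:
    """Run one exchange; True when the client accepts the responder.

    `responder_password` is what the other end believes the password is:
    the real server holds the right one, an impersonator holds a guess.
    """
    client = SpekeParty(client_password)
    responder = SpekeParty(responder_password)
    k_client = client.session_key(responder.public)
    k_responder = responder.session_key(client.public)
    tag = confirmation_tag(k_responder, b"server")  # sent by the responder
    return hmac.compare_digest(tag, confirmation_tag(k_client, b"server"))


if __name__ == "__main__":
    # Constructed passwords for the demonstration.
    print("real server:        ", login("correct horse", "correct horse"))
    print("impersonator guess: ", login("correct horse", "letmein"))
```

Each failed run costs the impersonator one online guess and hands over nothing to test further guesses against offline, which is the property the comment relies on.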

    14. Re:Simple recipe by maxume · · Score: 2, Funny

      Chanting is clearly the network noise that p2p peers make simply letting other nodes know that they are alive and well (rather than traffic from transferring data or handling real business).

      --
      Nerd rage is the funniest rage.
    15. Re:Simple recipe by klapaucjusz · · Score: 1

      Your email client brings up an error message saying there's something wrong with this certificate (self signed, etc)

      Which email client brings up an error message for a self-signed POP3 server certificate?

      (Try it, you'll be surprised how many don't.)

    16. Re:Simple recipe by Kalriath · · Score: 1

      Indeed, but then Social Engineering comes into play - like that time someone managed to convince Verisign to reissue them one of Microsoft's Software Publishing Certificates, allowing them to sign programs as if they were Microsoft.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    17. Re:Simple recipe by canuck57 · · Score: 1

      ISP can make so that pop3 only works from inside of their own network and force you to have a different web mail password not use the same login in system for web mail and pop3 mail.

      While I can't per se get to pop3 proper from work, I can get to the web mail server. Huge hacker advantage about web mail. It doesn't move the message so the real user will not notice missing mail. A little perl script, harvest in bulk.

      No, I gave a high level view. I will not post the code to do it and spell it out for naysayers. It can be done. Wireless too is a nice entry point. Send a proxy redirect... fun and games.

    18. Re:Simple recipe by canuck57 · · Score: 1

      Oh good god, that's just the tip of the iceberg. More likely would be to MitM some large corps' Outlook Web Access or other places where domain credentials are exposed (VPNs and the like.) Wait until you've got a domain admin's password. You now own that entire corp. Now rinse and repeat for government bodies. How hard do you think it would be for the proverbial well-motivated and resourced attacker to trigger off a war in such circumstances?

      Think about it.

      Yep, you got the idea. Yes, it works similarly for other ports/protocols as well as network routing devices too. Think, you could even proxy back the traffic to the intended site login transactions as they occur. This way the session even behaves properly, albeit perhaps a little slower for the hops the traffic makes.

      Yes, I think about it, yes, if a sophisticated hacking group decided to go for a target, most are not remotely prepared for what will happen.

    19. Re:Simple recipe by grcumb · · Score: 2, Informative

      Which email client brings up an error message for a self-signed POP3 server certificate?

      Mail.app and Thunderbird, for two.

      Mail's error message actually characterises a self-signed cert with language to the effect of, "Couldn't connect to the server because of an untrustworthy certificate." When this was reported to me by a non-technical user, they repeated only the first two words: Couldn't connect.

      That's how things should be.

      I'm hoping that Firefox's improved handling of self-signed certificates gets copied over into Thunderbird's UI as well.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    20. Re:Simple recipe by canuck57 · · Score: 1

      Amazon makes you re-enter the complete credit card number if you ship to a new address.

      Good to know. And what if the user emailed it? Mind you, most will not. But point taken. Amazon then is ahead of the curve.

    21. Re:Simple recipe by Consul · · Score: 1

      If you had told me that before, I probably would have bought it. Works for me! :-)

      --

      -----

      "You spilled my egg... I needed that egg."

    22. Re:Simple recipe by canuck57 · · Score: 1

      Don't put too much faith in SSL. Read Bluecoat SSL visibility. It works and decodes the SSL in the middle to inspect traffic. This is the good use of the technique. It is however more sophisticated than plain text protocols to pull off.

    23. Re:Simple recipe by jeiler · · Score: 1

      Thanks. I know that question fell into the "stupid newbie" category, but I've never taken a look at the process of authentication.

      --

      If you haven't been down-modded lately, you aren't trying.

      Sacred cows make the best hamburger.

    24. Re:Simple recipe by toddestan · · Score: 1

      In this case, it will still prevent them from reading your email by downloading it from your ISP's server (assuming they don't have a computer on your ISP's network). Of course, they do still have your username and password.

    25. Re:Simple recipe by the_olo · · Score: 1

      I should note the above method would also work with SSL, be creative, it only has to be a legitimate cert with a root chain.


      Well, the CN field on the legitimate cert would have to match the DNS FQDN name that the client looked up the server address with. Unless your POP3 client doesn't verify that x.509 CN matches the DNS FQDN, which would make its SSL support pointless. Even MS Outlook does that properly.

    26. Re:Simple recipe by Anonymous Coward · · Score: 0

      Which email client brings up an error message for a self-signed POP3 server certificate?

      (Try it, you'll be surprised how many don't.)


      Dude, even Outlook 97 does that.

      If your email software is less secure than MS Outlook, that's pretty pathetic programming.

    27. Re:Simple recipe by cjb658 · · Score: 2, Funny

      Amazon makes you re-enter the complete credit card number if you ship to a new address.

      What a horrible inconvenience! You should be able to buy it with one click!
    28. Re:Simple recipe by darthflo · · Score: 2, Informative

      I can confirm Outlook 2003, 2007 and any remotely recent version of The Bat!

    29. Re:Simple recipe by Jouster · · Score: 1

      Er... no. SSL is endpoint-to-endpoint secure, no matter who's upstream of you. How in the world would you think that this could work without the client's knowledge?

    30. Re:Simple recipe by ShakaUVM · · Score: 1

      I've had SSL certificates change or be self-signed on my mail server at UCSD. At that point, I can decide either to click ok, or not check my email. Guess what I, and every single one of the other people in the computer science did? Clicked ok.

      I was suspicious enough to delay clicking okay until I called the helpdesk, but it turns out, yes, they did mess with their cert, and it was legit.

      Sad but true: People need their email more than they need security.

    31. Re:Simple recipe by Anonymous Coward · · Score: 0

      "If you have lost DNS, game is over, you lose." - by canuck57 (662392) on Sunday June 01, @01:22PM (#23618381)

      Not QUITE true... & especially IF you use a custom HOSTS file (not for adbanner or malware/trojans/spyware/virus/bad javascript/bad iframes/bad banners etc. sites)... instead, using them for SPEEDING UP access to your fav. sites @ least!

      I.E.-> IF you hardcode in your fav. IP URL equations for your fav sites you go to into them? You'll get there, regardless of the DNS' being 'downed'... with possibly having to change the resolution order in the OS via some registry hacks in windows @ least, that is (usually I have found this is unneeded, but, to be safe? I do it anyhow -> Local DNS cache first, HOSTS next, ISP/BSP (or other) next, & WINS/NetBT stuff, last).

      You'll get to them, even IF your DNS servers from your ISP/BSP are down... that, or using alternates like OpenDNS or ScrubIT DNS servers (faster & more secure generally I have found) will do as well!

      APK

      P.S.=> "Up here in space, I'm looking down on you! My lasers trace, everything YOU DO... YOU THINK YOU'VE PRIVATE LIVES? THINK NOTHING OF THE KIND - There is NO TRUE ESCAPE, I'm watching ALL THE TIME! I'm MADE OF METAL!!! My circuits gleam (I am perpetual, I keep the country clean). I'm elected - 'ELECTRIC SPY' (I'm protected, Electric Eye)... Always in focus: Can't kill my stare... I zoom into you, but you don't know I'm there... I take a pride in probing ALL your secret moves! My tearless retina takes pictures that can prove!!! I'm made of metal, my circuits gleam, I am perpetual I keep the country clean..." Judas Priest, Electric Eye... apk

  6. break everything by imipak · · Score: 3, Insightful
    Then sit back cackling with glee whilst civilisation falls apart?

    Seriously, in the last decade the premise that the Net is always there has become a silent assumption underlying a lot of critical systems. No I'm not talking about nuclear power stations being online, I'm talking about basic logistics chain outages that mean there's no-one there to run the power station, because they've no fuel for their car, because the petrol tanker driver is off scavenging food for his kids. There are a number of scenarios that could knock out the net (or at least cause widespread depeering, so you'd be stuck on your provider's network and unable to get traffic to/from anywhere else); it would be... well, a bit too interesting for my liking to see how things would go with, say, a seven day outage. Actually a 7 day outage might be just enough to wake people up to the importance of patching your infrastructure, having a heterogenous mix of code for all critical functions, oh and enforcing BGP security.

    1. Re:break everything by cp.tar · · Score: 1

      Maybe the geeks should go on strike.

      No patches; no tech support; no maintenance -- until things are organized properly.

      --
      Ignore this signature. By order.
    2. Re:break everything by Anonymous Coward · · Score: 0

      geeks should go on strike.

      First of all, that would never happen. Geeks are geeks because their fascination with details clouds their view of the big picture. Secondly, what do you mean, "organized properly"? The internet was built by geeks. You could say that the foundations which are crumbling now are exactly how geeks envisioned a "proper" network.
    3. Re:break everything by Joebert · · Score: 1

      How the hell is that supposed to happen without any geeks ?

      --
      Wanna fight ? Bend over, stick your head up your ass, and fight for air.
    4. Re:break everything by milsoRgen · · Score: 4, Interesting

      Actually a 7 day outage might be just enough to wake people up to the importance of patching your infrastructure

      That and I'm afraid it would awaken certain governments with the sudden realization now is the chance to install a large scale surveillance infrastructure (or something just as evil) all in the name of fighting the terrorists that caused the disturbance. Oh and I'm sure there would be provisions added to enforce copyright while they're at it.
      --
      I'm sick of following my dreams. I'm just going to ask where they're goin' and hook up with 'em later.
    5. Re:break everything by ijakings · · Score: 1, Insightful

      This post raises an interesting point. For the most part what I've seen is that the IT or general tech industry has no large union. At least it doesn't in the UK.

      Think about it, If they did they could bring a country to its knees with say a 7 day strike. People have become so dependent on things just working, and when they don't they call in the tech guy that they would be going crazy after 7 days.

      Sure you've got that one guy in every department who is or thinks he is really good at computers, but how long until this guy runs into something he needs a higher access for, but can't get.

      What's that RIAA, you're doing your old tricks again. Whoops the tech industry has a strike. (Obviously I know it doesn't work anything like this but it's an interesting scenario)

    6. Re:break everything by ColdWetDog · · Score: 4, Interesting

      That and I'm afraid it would awaken certain governments with the sudden realization now is the chance to install a large scale surveillance infrastructure (or something just as evil) all in the name of fighting the terrorists that caused the disturbance. Oh and I'm sure there would be provisions added to enforce copyright while they're at it.

      Exactly. If you think the problem is bad now, wait until we've fixed it. (Arthur Kasspe). This should be the motto engraved on every Government departmental seal.

      --
      Faster! Faster! Faster would be better!
    7. Re:break everything by Anonymous Coward · · Score: 2, Funny

      Better, we can go on a strike and then shut down the Internet. Then, when governments of the world come to us asking for us to repair whatever happened, we say: "ok, we can do that, but before we do we need, 10 million dollars, 3 bikini supermodels and a fast sport car of our choice, for each one of us.
      That would be sweet...
      *GO BACK TO THE BASEMENT, JOHNNY*
      *OK MOM! - Oh God, can't even dream in peace anymore...*

    8. Re:break everything by Anonymous Coward · · Score: 0

      Better, we can go on a strike and then shut down the Internet. Then, when governments of the world come to us asking for us to repair whatever happened, we say: "ok, we can do that, but before we do we need, 10 million dollars, 3 bikini supermodels and a fast sport car of our choice, for each one of us. That would be sweet... *GO BACK TO THE BASEMENT, JOHNNY* *OK MOM! - Oh God, can't even dream in peace anymore...*

      Sir you just made me feel like 15 years younger :) Thank you!
    9. Re:break everything by Anonymous Coward · · Score: 1, Insightful

      Maybe the geeks should go on strike.

      No patches; no tech support; no maintenance -- until things are organized properly.

      "But what can any of us do about it? Who is Linus Torvalds?"
      - Stallman Shrugged.

    10. Re:break everything by mdm42 · · Score: 1

      of course we'd first have to agree on how to define "properly"...

      --
      New mod option wanted: -1 DrunkenRambling
    11. Re:break everything by Anonymous Coward · · Score: 0

      Had I mod points, I would totally mod you up.

    12. Re:break everything by maxume · · Score: 1

      Yeah, but who wants to be in a union with people who want to be in a union?

      (Unions certainly did a great deal of good for workers rights in the United States, but many of the important gains they made became laws and many of them now serve to make it very difficult to get rid of dead weight, to the detriment of everybody, including other union members)

      --
      Nerd rage is the funniest rage.
    13. Re:break everything by cp.tar · · Score: 1

      And we can argue until the civilization collapses.

      Lazy and malevolent, that's the ticket. ;)

      --
      Ignore this signature. By order.
    14. Re:break everything by cjb658 · · Score: 1

      Yes, let's make those jocks sleep in the gym!

    15. Re:break everything by Anonymous Coward · · Score: 1, Informative

      Unions everywhere else are not like unions in the US.

    16. Re:break everything by asc99c · · Score: 1

      I'm not sure a union is really what tech workers need or even want. There's too much variety in the jobs people do and how competent they are at them, even with the same job title. Teaching is a similar situation where the typical behaviour of unions seems like a bad idea, and that view seems to be borne out in practice.

      It would be more a professional body similar to those that govern the medical and law professions. They might have the resources to organise a strike but I think would pretty much always decide it wasn't a good idea.

  7. flat files by Gothmolly · · Score: 2, Funny

    The solution is to maintain a series of flat-file or relational DBs locally for every host on the Internet. Periodically, you should be able to do an FTP or similar of the latest master file, and place it on your local nameservers or hosts. It's the only way to be sure.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:flat files by imipak · · Score: 2, Informative
      That's how it was back in the day before DNS, grasshopper:

      http://www.livinginternet.com/i/iw_dns_history.htm

    2. Re:flat files by darkpixel2k · · Score: 1

      That's how it was back in the day before DNS, grasshopper:

      That's what he was referring to. It's called a joke, grasshopper.

      --
      There's no place like ::1 (I've completed my transition to IPv6)
  8. they tried that by RWerp · · Score: 2, Funny

    It just doesn't scale. But you know that, don't you?

    --
    "Long run is a misleading guide to current affairs. In the long run we are all dead." (John Maynard Keynes)
    1. Re:they tried that by jonaskoelker · · Score: 5, Funny

      Ooh, I have an idea. We could request only the parts of the file we actually need. Then we could probably do it in real time; the load on the master server will possibly get too heavy, though. I know, our ISPs could cache local copies, and we could split the file into hierarchical chunks.

      Hey, I oughta' write up an RFC on this ;)

  9. Wrote about this in Feb 2006 by karl.auerbach · · Score: 4, Informative

    Back in February 2006 I wrote a note "What Could You Do With Your Own Root Server" at
    http://www.cavebear.com/cbblog-archives/000232.html

    My conclusions were that one could make money and cause trouble.

    One of the more interesting aspects was (and still is) that one could operate root servers and, using the Google model, pay ISPs and users to send their queries to your roots so that you could generate data mining revenues.

    That quality of data that is mined from root traffic would not be as good as that from a top level domain server - and who has some large top level domains and also has root servers? Verisign.

    And ICANN's contract with Verisign explicitly permits data mining of query traffic.

  10. DNSSEC by Watson+Ladd · · Score: 1

    It's sad that DNSSEC hasn't gotten wider adoption given that the problem of spoofing is getting bigger.

    --
    Inventions have long since reached their limit, and I see no hope for further development.-- Frontinus, 1st cent. AD
  11. The heck with DNS by iminplaya · · Score: 3, Funny

    Time for you mental midgets to start remembering IP addresses. Do your own damn cacheing.

    It's a JOKE! Alright?

    --
    What?
    1. Re:The heck with DNS by eneville · · Score: 2, Insightful

      Time for you mental midgets to start remembering IP addresses. Do your own damn cacheing.

      It's a JOKE! Alright?

      Well, it's not such a silly idea. When I look at my firefox 3 smart book marks, there are maybe 5 pages that I go to regularly. Anything else I can see using google page cache. So what's the big deal, having those few sites in a local hosts file isn't so much of a task.

    2. Re:The heck with DNS by klapaucjusz · · Score: 1

      Time for you mental midgets to start remembering IP addresses.

      Only after we switch to IPv6.

    3. Re:The heck with DNS by mini+me · · Score: 1

      It's good enough for the telephone system, so I don't see why not.

    4. Re:The heck with DNS by Anonymous Coward · · Score: 0

      You might get into trouble, as more and more sites are relying on DNS load balancing between several (possibly thousands) different addresses.

      It might still work, but for large sites you might need regular changes of your hosts file ...

  12. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  13. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  14. Target evil sites by Ang31us · · Score: 1

    Anything associated with the Bush Administration and fundraising for Senator McCain would definitely be sent to some educational sites of my choosing. Government propaganda sites in China would also be re-directed to more educational sites. Sites for military contractors like Halliburton, Blackwater, Lockheed Martin, McDonnell Douglas, and Northrop Grumman would be re-directed to sites that show war profiteering information and US General Services Administration no-bid or non-competitive contract abuses.

    The world would be a much better place if I controlled its DNS servers. Now, when do I get privileges on those root DNS servers?

    1. Re:Target evil sites by hyades1 · · Score: 1

      Look up an anarchist/comedy/anti-establishment group called "The Yes Men". They pulled a magnificent prank on the World Trade Organization by putting up a web site that people who didn't read carefully would assume was theirs.

      The slagging they gave the WTO was presented in such a fashion that those who would seek such a site out would be well into it before they realized they were being had.

      Being able to redirect by controlling DNS servers could raise the bar quite a bit, and you can bet that the organizations any self-respecting prankster would most like to hit are precisely the ones who would be least likely to catch on quickly.

      --
      I've calculated my velocity with such exquisite precision that I have no idea where I am.
    2. Re:Target evil sites by darkpixel2k · · Score: 1

      Anything associated with the Bush Administration and fundraising for Senator McCain would definitely be sent to some educational sites of my choosing. Government propaganda sites in China would also be re-directed to more educational sites. Sites for military contractors like Halliburton, Blackwater, Lockheed Martin, McDonnell Douglas, and Northrop Grumman would be re-directed to sites that show war profiteering information and US General Services Administration no-bid or non-competitive contract abuses.

      But thank God for the Constitution--its job is to protect popular speech as well as UNPOPULAR speech.
      Because you might not like it if I redirected searches for Global Warming to youareafuckingidiot.com, and Senator Kennedy to heisadrunkard.com, and maybe for good measure, redirect Bill Clinton to heneedstobehangeduntildeadforperjury.com

      It doesn't matter if you or I agree/disagree on the subjects above--we are free to speak our opinions.

      --
      There's no place like ::1 (I've completed my transition to IPv6)
  15. hosts file by eneville · · Score: 3, Informative

    216.34.181.48 www.slashdot.org
    208.65.153.253 www.youtube.com
    208.65.153.238 www.youtube.com
    208.65.153.251 www.youtube.com
    69.63.184.15 www.facebook.com
    81.110.242.129 www.s5h.net
    66.102.9.99 www.google.com
    66.102.9.104 www.google.com
    66.102.9.147 www.google.com
    Use google page cache for anything else

    1. Re:hosts file by Rob+Simpson · · Score: 1

      Is there any software for Linux that can generate hosts file entries from bookmarks (and scan for changes) like Fastnet99 for Windows?

    2. Re:hosts file by eneville · · Score: 1

      We don't need anything special for that. We have perl. Reply here if you want me to write it for you. But it doesn't take a huge amount of effort, just read the stdin for hrefs and do a lookup, then write the output to stdout.

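      #!/usr/bin/perl

      use strict;
      use warnings;
      use Net::DNS;

      my %hosts;

      # Resolve a hostname; return its first A record, or nothing on failure.
      sub lookup {
          my $res   = Net::DNS::Resolver->new;
          my $query = $res->search( shift );

          if ($query) {
              foreach my $rr ($query->answer) {
                  next unless( $rr->type eq "A" );
                  return( $rr->address );
              }
          }
          else {
              warn "query failed: ", $res->errorstring, "\n";
          }
          return;
      }

      # Read bookmark text on stdin and look up the host part of each http:// URL.
      while( my $l = <STDIN> ) {
          if( $l =~ m!(http://.+?)\s! ) {
              print( "$1\n" );
              if( $1 =~ m!http://(.*?)/! ) {
                  my $host = $1;    # copy before any later match can overwrite $1
                  my $ip   = lookup( $host );
                  $hosts{$host} = $ip if defined $ip;
              }
          }
      }

      # Print one "host<TAB>address" pair per resolved host.
      foreach my $host ( sort keys( %hosts ) ) {
          print( $host, "\t", $hosts{$host}, "\n" );
      }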

    3. Re:hosts file by gnuman99 · · Score: 2, Funny

      Sir, what are you doing?!? Perl is NOT meant to be readable. The code MUST be all on one line!

      use strict; use warnings; use Net::DNS; my %hosts; sub lookup { my $res = Net::DNS::Resolver->new;my $query = $res->search( shift );if ($query) {foreach my $rr ($query->answer) {next unless( $rr->type eq "A" );return( $rr->address );}}else {warn "query failed: ", $res->errorstring, "\n";}}while( my $l = <STDIN> ) {if( $l =~ m!(http://.+?)\s! ) {print( "$1\n" );if( $1 =~ m!http://(.*?)/! ) {my $ip = lookup( $1 );$hosts{$1} = $ip;}}}foreach my $host ( sort keys( %hosts ) ) {print( $host, "\t", $hosts{$host}, "\n" );}

      There, fixed it for ya!

  16. Profit! by Anonymous Coward · · Score: 1, Funny

    1. Invest in sawdust futures. 2. Redirect everything to goatse.cx

  17. That's easy by bconway · · Score: 5, Informative

    World-wide Rickroll?

    --
    Interested in open source engine management for your Subaru?
  18. I once interviewed at a job by Anonymous Coward · · Score: 0

    That had its domain name stolen while I was in the interview, and the DNS from their office still seemed to function... so from their office they still got their site when they went to xxx.com, but from anywhere else it went to yyy.com

    1. Re:I once interviewed at a job by Anonymous Coward · · Score: 1, Informative

      That had its domain name stolen while I was in the interview, and the DNS from their office still seemed to function... so from their office they still got their site when they went to xxx.com, but from anywhere else it went to yyy.com

      That is because DNS replies are typically cached for a period of time, often several days.

      If you don't have it in cache, you go to the source and get the current value.

    2. Re:I once interviewed at a job by R_Dorothy · · Score: 2, Informative

      If they ran an internal DNS for their network and it was for the same domain as the external record then it would have over-ridden the stolen DNS records. This is a very common practice for dealing with inside-out NAT resolution of public facing servers that also need to be accessible from inside the firewall under the same name.

      So if the web server was an internal server:
      www.example.com -> 192.168.1.123 (returned by internal DNS server)
      www.example.com -> 123.87.32.245 (returned by external public DNS server)

      Even if www.example.com wasn't an internal address server, the example.com domain may be handled by the internal server.

      So if www.example.com was an external server:
      www.example.com -> 123.87.32.245 (returned by uncompromised internal DNS server)
      www.example.com -> 245.76.237.25 (returned by compromised external DNS server)
      dc1.example.com -> 192.168.0.100 (internal host on example.com domain - no public DNS record)

      --
      Stupid flounders!
  19. Take it... by Timosch · · Score: 2, Insightful

    ...and sell it to the Chinese government. The answer to all their desires... No, just kidding.

  20. Can you hum a few bars? by Coyote65 · · Score: 0

    Sung to the tune of 'What'll we do with a drunken sailor'?

  21. Obvious first move by PPH · · Score: 5, Funny

    Goatse.cx lives!

    --
    Have gnu, will travel.
    1. Re:Obvious first move by Geak · · Score: 1
  22. Make some fast cash. by nurb432 · · Score: 1

    Long gone are the days of digital 'graffiti', it's all about hard cash now.

    I'm sure that would be worth something to someone.. Perhaps even enough to afford that shiny new powerbook pro :)

    --
    ---- Booth was a patriot ----
  23. Gee... this happens at my company by Anonymous Coward · · Score: 0

    It's kind of funny that this actually happens at my company and it's called "security". For the most part, my company's DNS server returns the correct IP addresses. One day, though, after repeated problems with our instant messenger clients losing messages between us, we did some investigating and found that the DNS names for major IM providers like AOL and Yahoo were being rerouted to internal IP addresses. Sure, they had warned us that activities on the corporate network could be monitored, but this was extremely dubious in my opinion. And the only way we found out was because their proxy server couldn't handle all the traffic.

    1. Re:Gee... this happens at my company by Renraku · · Score: 1

      It's safe to assume that all communications across a corporate network are monitored. So before you go asking that new secretary what kind of panties she has on, and if she can prove it, you might want to switch to a more secure method..AKA SMS or sneakernet.

      I wouldn't say anything on corporate IM that I had a problem with my boss reading. I know most IT people don't sit around reading people's IMs for the hell of it, but if you assume they do, you just might stay out of trouble.

      --
      Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
  24. Media Defender by Gruturo · · Score: 1

    I'd find a way to trick MediaDefender into DoS'ing some sensitive and well monitored .gov or .mil facility, then watch them disappear from the planet, hopefully with serious and non-temporary consequences for the MAFIAA bastards behind them, too, maybe earning all of us some decent civil liberty guarantees in the process.

    Failing that, I'd be content with seeing them DoS themselves or any of their parent companies every time they try to spray their shit on any other address.

    --

    Vacuum cleaners suck. Kings rule.
    1. Re:Media Defender by Ant+P. · · Score: 1

      You've got it the wrong way around.

      Point every single domain name on the planet to mediadefender's servers. Not only would it make every router within 8 hops burst into flames, the banks would be out for their blood too.

  25. Would a 42U loaded rack even fit in a longboat? by puddnhead7 · · Score: 1

    "What Could You Do With a Bogus Root Name Server?" Easy, slap it around and call it Suzy. Or possibly, put it in a sack and beat it senseless.

  26. Solution? by Anonymous Coward · · Score: 0

    I can envision a public service campaign to alert people to the fragile state of our infrastructure. The best part: yeah, it features Cinderella. "You don't know what you got til it's gone."

  27. Corporate Espionage via Man in the Middle by Ungrounded+Lightning · · Score: 1

    If we change "what would YOU do" to "what do you think might be done":

    A bogus root server could be coded to pay attention to the source of the query and only create illusions for targeted victims - serving normal information to everyone else.

    With that capability you can perform man-in-the-middle attacks on the victim - directing his connection to your own forwarding-and-tapping-and/or-modifying servers whenever the victim is attempting to connect to an external domain and his own nameserver got the domain record from you. (And with that domain record in his nameserver cache you'll get ALL the connections he makes until he stops opening new ones long enough for the cache entry to time out. For his business partners this might be never.)

    (As has been pointed out already: If you luck out and the victim comes to you for an update of the root server addresses, you've got him until there's manual intervention.)

    Man in the middle beats the pants off spear phishing for corporate (or government/military) espionage. You get to inject yourself into the key exchanges of certain otherwise-secure protocols (and the conversations thereafter), getting hold of the cleartext in situations where cracking the key to read eavesdropped traffic would be impractical. You also get to modify the content on-the-fly.

    The amount of mischief this enables is mind-boggling. (For starters: Stealing or reconstructing customer lists. Identifying competitors' bids in order to slightly underbid them. Obtaining other corporate secrets - with the partner with whom they're communicating taking the blame.)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  28. I'd Do the Lord's Work by TechnoJoe · · Score: 1

    I'd redirect all the adult domain names to websites about Jesus.

  29. Comon! Humor! by killmofasta · · Score: 1

    All your rootservers all belong to us!

    Seriously. whitehouse.com from Microsoft.com
    *.ru from *.gov
    mail.*.kr from mail.*.com

    p0ned!

    Oh last one...

    unopedia.org from Wikipedia.org!!!

    C ja l8r!

  30. Been there, done that... by Anonymous Coward · · Score: 0

    Any ISP sysadm that I know (and I know at least one hundred of them) already played $DEITY with DNS answers via local DNS servers or even via transparent DNS caching. When you have 500k unsuspected citizens at your fingertips, it's hard to resist the temptation.

    You can:

    1. Phish every amazon.com, yourbank.com, etc CC numbers;
    2. Eavesdrop even SSL/TLS secured e-mails, bonus points looking for keyphrases like "is a god in the sack", "(my husband|my wife|\w+) can.{0,2}not (know|discover) about" and similars;
    3. ???
    4. profit!!

  31. Type A+B+C (redundancy) by Anonymous Coward · · Score: 0

    What about if each DNS-request had to pass a 2/3 to give a reply (possibly with a warning if you get a fail), this would triple the amount of DNS requests obviously, but if every major ISP etc had three groups of DNS (marked as A, B and C type), you could have one A-type from ISP1, one B-type from ISP2 and one C-type from ISP3.

    Better yet, if they use different hardware/firmware on the different types, a zero-day exploit might not be able to take enough rootservers to fool the 2/3.

    Obviously, with fast enough access, and as long as you can trust your closest nodes you could expand this from 2/3 to x/y returns.

    But then again, I know nothing about routing :-)
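
The 2-of-3 agreement check proposed in the comment above, as an added example that is not part of the original post. The resolver labels A/B/C, the function names and the sample addresses (documentation ranges) are constructed for illustration; the answers are passed in as data, so fetching them from three independent resolvers is left to the caller.

```python
import ipaddress
from collections import Counter


def normalize(addrs):
    """Canonical, order-independent form of one resolver's address answer."""
    return frozenset(str(ipaddress.ip_address(a.strip())) for a in addrs)


def quorum_answer(responses, need=2):
    """Accept an answer only if at least `need` resolvers returned the same set.

    responses: dict of resolver label -> list of address strings,
               or None when that resolver timed out or errored.
    Returns (status, answer, outliers):
      "ok"        - every resolver agreed
      "warn"      - quorum reached, but `outliers` disagreed or did not answer
      "no-quorum" - no answer reached `need` votes; answer is None
    """
    if need * 2 <= len(responses):
        # Without a strict majority two conflicting answers could both "win".
        raise ValueError("need must be a strict majority of the resolvers")

    votes = {}
    for label, addrs in responses.items():
        if addrs is None:
            continue                      # timeout: no vote
        try:
            votes[label] = normalize(addrs)
        except ValueError:
            continue                      # malformed address: no vote

    tally = Counter(votes.values())
    if not tally:
        return ("no-quorum", None, sorted(responses))
    winner, count = tally.most_common(1)[0]
    if count < need:
        return ("no-quorum", None, sorted(responses))

    outliers = sorted(l for l in responses if votes.get(l) != winner)
    return ("warn" if outliers else "ok", sorted(winner), outliers)


if __name__ == "__main__":
    # Constructed sample: resolver C returns a different address than A and B.
    sample = {
        "A": ["192.0.2.10", "192.0.2.11"],
        "B": ["192.0.2.11", "192.0.2.10"],   # same set, different order
        "C": ["198.51.100.66"],
    }
    print(quorum_answer(sample))
```

Names served through DNS load balancing can legitimately return different address sets to different resolvers, so an exact-set comparison like this one will raise warnings for them that are not hijacks.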

  32. duh by Anonymous Coward · · Score: 0

    I'd hack comcast.net

  33. DNSSEC computation load's minimal by billstewart · · Score: 1
    Remember, you don't have to sign every DNS record every time anybody requests it from you - you just have to sign it once when you put it into your database, plus (depending on whether the version of DNSSEC you're using indicates negative responses) update a couple of signatures indicating absence of other names. Any time somebody does a query for a given name, you hand them the records they've asked for and the signature records. If they want to verify the signatures, that's their computational load, not yours; your real load increase is just the added data in your response. (That'd be shorter if they're using elliptical curve crypto these days; I haven't kept track.)


    So if you own .com, and somebody registers the name example1.com, you sign a record indicating that example1.com's public key is [foo] and nameservers are 0.1.2.3 and 0.4.5.6 etc., delete the record that says "there aren't any names between example0.com and example5.com" replacing it with records saying "there aren't any names between example0.com and example1.com" and "there aren't any names between example1.com and example5.com". (The reason for the negative records was so that you didn't have to go signing every response for "No such domain: Example12345.com" "No such domain: Example12346.com" etc.)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
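
The sign-once model and the "no names between X and Y" records described in the comment above, as an added example that is not the commenter's code or any DNS server's implementation. `SignedZone`, `verify_denial` and the key are hypothetical, and HMAC-SHA256 stands in for the zone's public-key signature so the block runs on the standard library alone; a real resolver verifies with the zone's public key instead of a shared secret.

```python
import bisect
import hashlib
import hmac


def canon(name):
    """Sort key in DNS canonical order: labels compared right to left, lowercased."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def _sig(key, owner, nxt):
    # Assumption: HMAC stands in for the public-key signature over the gap record.
    return hmac.new(key, f"{owner}|{nxt}".encode(), hashlib.sha256).hexdigest()


class SignedZone:
    """Toy zone that keeps one pre-signed 'nothing between owner and next' record per name."""

    def __init__(self, key, names):
        self.key = key
        self.sign_ops = 0                      # counts every signing operation
        self.names = sorted({n.lower() for n in names}, key=canon)
        self.gaps = {}                         # owner -> (next_name, signature)
        for n in self.names:
            self._sign_gap(n)

    def _sign_gap(self, owner):
        i = self.names.index(owner)
        nxt = self.names[(i + 1) % len(self.names)]   # last name wraps to the first
        self.sign_ops += 1
        self.gaps[owner] = (nxt, _sig(self.key, owner, nxt))

    def _pos(self, name):
        return bisect.bisect_left([canon(n) for n in self.names], canon(name))

    def register(self, name):
        """Adding a name re-signs exactly two records: the split gap's two halves."""
        name = name.lower()
        if name in self.gaps:
            return
        pos = self._pos(name)
        self.names.insert(pos, name)
        self._sign_gap(self.names[pos - 1])    # predecessor -> new name
        self._sign_gap(name)                   # new name -> successor

    def query(self, name):
        """Answer from stored records only; nothing is signed at query time."""
        name = name.lower()
        if name in self.gaps:
            return ("NOERROR", name, None, None)
        owner = self.names[self._pos(name) - 1]   # index -1 selects the wrap-around gap
        nxt, sig = self.gaps[owner]
        return ("NXDOMAIN", owner, nxt, sig)


def verify_denial(key, qname, owner, nxt, sig):
    """Resolver side: the signature must check and qname must fall inside the gap."""
    if not hmac.compare_digest(_sig(key, owner, nxt), sig):
        return False
    o, q, n = canon(owner), canon(qname), canon(nxt)
    return o < q < n if o < n else (q > o or q < n)   # second form: wrap-around gap
```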