What Could You Do With a Bogus Root Name Server?

← Back to Stories (view on slashdot.org)

What Could You Do With a Bogus Root Name Server?

Posted by Soulskill on Sunday June 1, 2008 @05:11AM from the root-root-root-for-the-home-team dept.

Barlaam notes a post from the Renesys Blog which follows up on news they discussed a couple weeks ago about the 'identity theft' of a root name server. To emphasize the issue of safeguarding such a system, they've now posted an explanation of exactly how the situation could be exploited. "It shouldn't be too hard to see that you could end up answering every DNS query from an organization that came to you for an updated list of root name servers. Every one. And you might end up doing this for a very long time, especially if your answers were largely correct. An attack like this would have no resemblance to the YouTube hijack, where the entire planet gets a blank page and it's immediately apparent that something isn't right. Obvious events like this will continue to occur, and we'll continue to resolve them relatively quickly. But as this incident demonstrates, DNS hijacks are far less obvious and potentially far more harmful."

15 of 120 comments (clear)

Min score:

Reason:

Sort:

Its simple... by Indes · 2008-06-01 05:14 · Score: 5, Funny

.. do what we do every night.. try to take over the world!!

(Seriously, Imagine borrowing every bank's front page in North America .... You could be cashing in big time..... )
1. Re:Its simple... by Anonymous Coward · 2008-06-01 09:51 · Score: 5, Funny
  
  I would reroute all of 4chan's traffic to fbi.gov
2. Re:Its simple... by Anonymous Coward · 2008-06-01 22:59 · Score: 1, Funny
  
  Reroute all of fbi.gov's traffic to 4chan
easy by circletimessquare · 2008-06-01 05:16 · Score: 5, Funny

i would redirect http://slashdot.org/ to http:///..org

yeah how funny is it now that the joke is on the other foot biatches!

--
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
flat files by Gothmolly · 2008-06-01 05:26 · Score: 2, Funny

The solution is to maintain a series of flat-file or relational DBs locally for every host on the Internet. Periodically, you should be able to do an FTP or similar of the latest master file, and place it on your local nameservers or hosts. Its the only way to be sure.

--
I want to delete my account but Slashdot doesn't allow it.
they tried that by RWerp · 2008-06-01 05:33 · Score: 2, Funny

It just doesn't scale. But you know that, don't you?

--
"Long run is a misleading guide to current affairs. In the long run we are all dead." (John Maynard Keynes)
1. Re:they tried that by jonaskoelker · 2008-06-01 07:42 · Score: 5, Funny
  
  Ooh, I have an idea. We could request only the parts of the file we actually need. Then we could probably do it in real time; the load on the master server will possible get too heavy, though. I know, our ISPs could cache local copies, and we could split the file into hierarchical chunks.
  
  Hey, I oughta' write up an RFC on this ;)
The heck with DNS by iminplaya · 2008-06-01 05:40 · Score: 3, Funny

Time for you mental midgets to start remembering IP addresses. Do your own damn cacheing.

It's a JOKE! Alright?

--
What?
Re:Hmmm... by tomhudson · 2008-06-01 05:42 · Score: 5, Funny

You could send all Obama's web traffic to Clinton's web site ... oops, already been done!
Profit! by Anonymous Coward · 2008-06-01 05:51 · Score: 1, Funny

1. Invest in sawdust futures. 2. Redirect everything to goatse.cx
Obvious first move by PPH · 2008-06-01 05:55 · Score: 5, Funny

Goatse.cx lives!

--
Have gnu, will travel.
Re:break everything by Anonymous Coward · 2008-06-01 06:12 · Score: 2, Funny

Better, we can go on a strike and then shut down the Internet. Then, when governments of the world come to us asking for us to repair whatever happened, we say: "ok, we can do that, but before we do we need, 10 million dollars, 3 bikini supermodels and a fast sport car of our choice, for each one of us.
That would be sweet...
*GO BACK TO THE BASEMENT, JOHNNY*
*OK MOM! - Oh God, can't even dream in peace anymore...*
Re:Simple recipe by maxume · 2008-06-01 08:03 · Score: 2, Funny

Chanting is clearly the network noise that p2p peers make simply letting other nodes know that they are alive and well (rather than traffic from transferring data or handling real business).

--
Nerd rage is the funniest rage.
Re:Simple recipe by cjb658 · 2008-06-01 16:27 · Score: 2, Funny

Amazon makes you re-enter the complete credit card number if you ship to a new address. What a horrible inconvenience! You should be able to buy it with one click!
Re:hosts file by gnuman99 · 2008-06-01 16:34 · Score: 2, Funny

Sir, what are you doing?!? Perl is NOT meant to be readable. It the code MUST be all on one line!

use strict; use warnings; use Net::DNS; my %hosts; sub lookup { my $res = Net::DNS::Resolver->new;my $query = $res->search( shift );if ($query) {foreach my $rr ($query->answer) {next unless( $rr->type eq "A" );return( $rr->address );}}else {warn "query failed: ", $res->errorstring, "\n";}}while( my $l = ) {if( $l =~ m!(http://.+?)\s! ) {print( "$1\n" );if( $1 =~ m!http://(.*?)/! ) {my $ip = lookup( $1 );$hosts{$1} = $ip;}}}foreach $host ( sort keys( %hosts ) ) {print( $host, "\t", $hosts{$host}, "\n" );}

There, fixed it for ya!