What Could You Do With a Bogus Root Name Server?
Barlaam notes a post from the Renesys Blog which follows up on news they discussed a couple of weeks ago about the 'identity theft' of a root name server. To emphasize the importance of safeguarding such a system, they've now posted an explanation of exactly how the situation could be exploited.
"It shouldn't be too hard to see that you could end up answering every DNS query from an organization that came to you for an updated list of root name servers. Every one. And you might end up doing this for a very long time, especially if your answers were largely correct. An attack like this would have no resemblance to the YouTube hijack, where the entire planet gets a blank page and it's immediately apparent that something isn't right. Obvious events like this will continue to occur, and we'll continue to resolve them relatively quickly. But as this incident demonstrates, DNS hijacks are far less obvious and potentially far more harmful."
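The "updated list of root name servers" the post mentions is the answer to a '. IN NS' query, and a resolver operator can pin the thirteen well-known root server names and flag any reply that deviates. The following parser and check are an added example, not code from Renesys or from this thread; the DNS reply it examines is constructed in `build_reply`, and `m.root-servers.example` is a placeholder name standing in for a bogus entry.

```python
import struct

ROOT_SERVERS = {f"{c}.root-servers.net" for c in "abcdefghijklm"}  # pinned, well-known

def read_name(msg, off):
    """Decode a name at msg[off:], following compression pointers; returns (name, offset past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels), (end if end is not None else off)

def root_ns_names(msg):
    """Return the NS names in the answer section of a reply to '. IN NS'."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):                            # skip the question section
        off = read_name(msg, off)[1] + 4
    names = set()
    for _ in range(ancount):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 2:                                  # NS record
            names.add(read_name(msg, off)[0])
        off += rdlen
    return names

def check_root_hints(msg):
    """Compare the NS names in a reply against the pinned list."""
    got = root_ns_names(msg)
    return {"unexpected": got - ROOT_SERVERS, "missing": ROOT_SERVERS - got}

def build_reply(ns_names):
    """Constructed test reply to '. IN NS' (not captured traffic)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(ns_names), 0, 0)
    question = b"\x00" + struct.pack("!HH", 2, 1)       # name '.', type NS, class IN
    answers = b""
    for name in ns_names:
        rdata = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 518400, len(rdata)) + rdata
    return header + question + answers
```

A real deployment would feed `check_root_hints` the reply captured from the resolver's priming query and alert on any non-empty result, since a largely correct list with one substituted name is exactly the quiet hijack the post describes.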
Back in February 2006 I wrote a note "What Could You Do With Your Own Root Server" at
http://www.cavebear.com/cbblog-archives/000232.html
My conclusions were that one could make money and cause trouble.
One of the more interesting aspects was (and still is) that one could operate root servers and, using the Google model, pay ISPs and users to send their queries to your roots so that you could generate data mining revenues.
The quality of data that is mined from root traffic would not be as good as that from a top level domain server - and who has some large top level domains and also has root servers? Verisign.
And ICANN's contract with Verisign explicitly permits data mining of query traffic.
I think the OP's referring to TSIG and its variants.
216.34.181.48 www.slashdot.org
208.65.153.253 www.youtube.com
208.65.153.238 www.youtube.com
208.65.153.251 www.youtube.com
69.63.184.15 www.facebook.com
81.110.242.129 www.s5h.net
66.102.9.99 www.google.com
66.102.9.104 www.google.com
66.102.9.147 www.google.com
Use google page cache for anything else
Why UNIX?
But they don't appear to be deploying it on their own servers.
I've just checked -- and the ISC do sign their zone. Sorry for the mis-information.
World-wide Rickroll?
Interested in open source engine management for your Subaru?
If you have lost DNS, the game is over, you lose. A recipe if your system hits a compromised root server.
Unless you happen to have SSL enabled pop or imap.
A (revised) recipe for an SSL enabled mail host:
* You open up email to read today's email. Your PC looks up pop3.yourisp.com.
* DNS returns the IP of evil PC to your PC which will connect to it.
* Evil PC returns a forged SSL certificate claiming to be pop3.yourisp.com
* Your email client brings up an error message saying there's something wrong with this certificate (self signed, etc)
* You hopefully get suspicious (this never having happened before) and don't click through.
* Attack fails.
If you don't get suspicious, and just click OK, you're right. But the situation isn't quite as dire as you make it out to be. I'd never connect to a non-secure host for something like email.
AccountKiller
Amazon makes you re-enter the complete credit card number if you ship to a new address.