DNSSEC Comes To .Net Zone Today
wiredmikey sends news that as of today VeriSign has enabled DNSSEC on the .net zone. This is one milestone in a years-long process of securing the DNS against cache poisoning and other attacks. Next step will be for VeriSign to sign the .com root early next year."Having DNSSEC enabled for .net domains... [is] important as it represents one of the most critical implementations of DNSSEC technology, since .net serves as the underpinning for many critical Internet functions. The largest zone to be DNSSEC enabled to date, .net currently has more than 13 million... domain name registrations worldwide."
It may be more secure for business, but it's less secure now for private individuals and the politically-active. Also, it's not more secure for websites not based in the United States, as those keys are already in government possession. This is just another way for the United States to exert control over an international resource for its own gain. And we're giving up that decentralized and free nature of the internet because of hackers/terrorists/boogiemen? Sad day.
#fuckbeta #iamslashdot #dicemustdie
"It may be more secure for business, but it's less secure now for private individuals and the politically-active." - by girlintraining (1395911) on Friday December 10, @09:48AM (#34513928)
Per my subject-line above: This is part of the "WHY" I do "hardcodes" of 250 of my fav. sites into my custom HOSTS file (912,000 unique entries, mostly for blocking out KNOWN sites/servers/domain-host names that are known to serve up exploits)
However, for the case of speeding yourself up - some of my custom HOSTS files entries are for avoiding DNS request logs, and to be able to reach said fav. sites of mine F A S T E R (by not doing the roundtrip resolution for IP Address - to - Host/Domain names, since HDD access alone (7-10ms access, vs. 30ms or more to DNS servers roundtrip) is faster!
Especially once my HOSTS is cached, it then even goes FASTER (after the 1st request to it gets cached into RAM via caches).
Plus, I get there, & even IF the DNS server is redirect-poisoned, or is down even!
Then, the custom HOSTS file is read F A S T (after changes to it in %WinDir%\system32\drivers\etc, it's marked/flagged as "dirty", & reloads)
Then, it's cached into RAM!
That's either by the DNS ClientCache service in Windows (junk, it's limited in size & uses a queue/structure - you must turn this off saving both RAM &/or CPU cycles used for its operation, with relatively "largish" HOSTS files) OR then, its cached via the local kernel mode diskcaching subsystem (works on HOSTS files of ANY SIZE), it's operating @ the SPEED OF RAM!)
APK
P.S.=> Don't get me wrong though: I do think that DNSSEC is overall, a GOOD thing... even if only for businesses &/or the gov't. as you feel "git"
As far as DNS servers though? I cannot put the "entire internet" into my HOSTS file w/ the IP Address - to - Domain/Hosts name equation in for "every site there is under the sun", so I use OpenDNS or ScrubIT DNS (there's also GOOGLE's DNS & even AMAZON DNS now as alternatives also) for that...
Why?
Well, when Mr. Dan Kaminsky found the "kaminsky flaw" in DNS servers for a form of redirect poisoning, OpenDNS was the FIRST TO PATCH no less!
(I.E.-> The "general mechanics" of which work like so - You "bum rush" a DNS server that someone you wish to attack & that you have "lured" to a certain site via a URL for example for them to click on? You, as the attacker, flood said DNS server with tons of false 50's series ports updates to it, & you have them)
The problem w/ unpatched DNS vs. this (especially if the DNS server's are in recursive mode)?
They take the FIRST REPLY THEY SEE & DON'T VERIFY IT! This makes redirection poisoning a second's notice (& Mr. Kaminsky demonstrated it, seconds of work only...)
Other forms of redirect exist also (std. DNS poisoning) or what the Chinese are doing with DNS too:
BIND vs. what the Chinese are doing to DNS lately? See here:
http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders
or
SECUNIA HIT BY DNS REDIRECTION HACK THIS WEEK:
http://www.theregister.co.uk/2010/11/26/secunia_back_from_dns_hack/
(Yes, even "security pros" are helpless vs. DNS problems in code bugs OR redirect DNS poisoning issues, & they can only try to "set the DNS record straight" & then, they still have to wait for corrected DNS info. to propogate across all subordinate DNS servers too - lagtime in which folks DO get "abused" in mind you!)
When THAT occurred in the latter? I was going to the site ALL WEEK LONG even when the update propogations were lagging to subordinate DNS servers... & simply because of the hardcodes in my HOSTS file.
I stay safe(r) from it, & faster too... Especi