[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning
Sean Donelan
sean at donelan.com
Thu Jul 10 08:44:48 UTC 2008
On Thu, 10 Jul 2008, Randy Bush wrote:
> packet spoofing is pretty much a ddos vulnerability. dns poison is an
> end user dollar diverter. the latter is potentially much more subtle
> and damaging. and i gather that the current hole is pretty big.
>
> it's just that raising the source spoofing fud with this week's dns hole
> is a spoofing attack in itself, an amusing exercise in recursion, maybe. :)
Raising DNSSEC fud is much the same thing.
Heck, most end-to-end application-layer crypto checks, e.g. HTTPS, IPsec,
etc., will catch misdirected connections at the app layer with or without
DNSSEC (or the routing security protocol hole of the week, etc.), with the
exception of things which look up crypto keys via DNS lookups.
If you are using end-to-end application layer security, then DNS poisoning
is just yet another type of DOS attack. If you don't care enough to use
end-to-end security, then the world is full of lots of dangerous things.
DNSSEC may give you the right IP address, but how do you know if the
routing table is going to the right place?
Of course, whether the user ignores or disables the warnings is another
matter.
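The two cases the post contrasts, as an added example that is not part of the original message or the thread: a client that pins its expectation to the name the user typed (the HTTPS hostname check) refuses a connection that a poisoned resolver has steered to the wrong address, so the poisoning degrades to a denial of service; a client that fetches its key material from the same unauthenticated DNS cache is steered and verified by the same attacker and is silently diverted. Every name, address, certificate field and "fingerprint" below is constructed for the illustration, and the hostname matcher is a simplified RFC 6125-style comparison written for this example, not a library's.

```python
"""Why an application-layer identity check turns DNS cache poisoning into a
DoS, and why that protection vanishes when the key itself comes from DNS.

Added illustration; not code from the original post.  All data is constructed.
"""

# Two resolver caches: one honest, one where the attacker has poisoned the
# A record for bank.example so that it points at the attacker's host.
HONEST_CACHE = {"bank.example": "192.0.2.10", "attacker.example": "198.51.100.7"}
POISONED_CACHE = {"bank.example": "198.51.100.7", "attacker.example": "198.51.100.7"}

# The certificate each server presents, reduced to its subjectAltName dNSNames.
# The attacker cannot get a CA-issued certificate for bank.example, so the
# certificate served from 198.51.100.7 only names attacker.example.
CERTS_BY_IP = {
    "192.0.2.10": {"san": ["bank.example", "www.bank.example"]},
    "198.51.100.7": {"san": ["attacker.example", "*.attacker.example"]},
}


def hostname_matches(presented: str, requested: str) -> bool:
    """Compare one dNSName from a certificate against the name the client
    intended to reach.  Simplified RFC 6125 rules: case-insensitive, trailing
    dot ignored, and a wildcard is only accepted as the entire left-most label,
    only when at least two labels follow it, and it matches exactly one label."""
    presented = presented.lower().rstrip(".")
    requested = requested.lower().rstrip(".")
    if "*" not in presented:
        return presented == requested
    p_labels = presented.split(".")
    r_labels = requested.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) != len(r_labels):
        return False
    return p_labels[1:] == r_labels[1:]


def cert_matches(cert: dict, requested: str) -> bool:
    """True if any SAN entry in the certificate names the requested host."""
    return any(hostname_matches(name, requested) for name in cert["san"])


def https_connect(cache: dict, requested_host: str) -> tuple:
    """Resolve through the given cache, 'connect', and verify the presented
    certificate against the name the user asked for, not against whatever
    the resolver returned.  Returns ('ok', ip) or ('refused', reason)."""
    ip = cache.get(requested_host)
    if ip is None:
        return ("refused", "no address for %s" % requested_host)
    cert = CERTS_BY_IP[ip]
    if not cert_matches(cert, requested_host):
        # Poisoned resolver + honest certificate check = connection refused.
        # The user is denied service but not silently diverted.
        return ("refused", "certificate for %s does not name %s" % (cert["san"], requested_host))
    return ("ok", ip)


# The exception the post mentions: a client that looks up the expected key
# (here a constructed certificate "fingerprint") via an unauthenticated DNS
# record from the same cache the attacker poisoned.
HONEST_KEYS = {"bank.example": "fp-bank"}
POISONED_KEYS = {"bank.example": "fp-attacker"}
CERT_FINGERPRINT = {"192.0.2.10": "fp-bank", "198.51.100.7": "fp-attacker"}


def connect_with_dns_published_key(addr_cache: dict, key_cache: dict, host: str) -> tuple:
    """Trust a key record fetched from DNS.  If the attacker controls both the
    address record and the key record, the check passes and the diversion is
    invisible to the client."""
    ip = addr_cache[host]
    expected = key_cache[host]
    if CERT_FINGERPRINT[ip] != expected:
        return ("refused", "presented key does not match DNS-published key")
    return ("ok", ip)


if __name__ == "__main__":
    print("honest resolver, HTTPS:", https_connect(HONEST_CACHE, "bank.example"))
    print("poisoned resolver, HTTPS:", https_connect(POISONED_CACHE, "bank.example"))
    print("poisoned resolver, key from DNS:",
          connect_with_dns_published_key(POISONED_CACHE, POISONED_KEYS, "bank.example"))
```

Running the block shows the first connection succeeding to 192.0.2.10, the second refused because the attacker's certificate names attacker.example rather than bank.example, and the third accepted at the attacker's address because both the address and the expected key came from the poisoned cache.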