[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning

Sean Donelan sean at donelan.com
Thu Jul 10 08:44:48 UTC 2008


On Thu, 10 Jul 2008, Randy Bush wrote:
> packet spoofing is pretty much a ddos vulnerability.  dns poison is an
> end user dollar diverter.  the latter is potentially much more subtle
> and damaging.  and i gather that the current hole is pretty big.
>
> it's just that raising the source spoofing fud with this week's dns hole
> is a spoofing attack in itself, an amusing exercise in recursion, maybe. :)

Raising DNSSEC fud is much the same thing.

Heck, most end-to-end application layer crypto checks, e.g. HTTPS, IPsec,
etc., will catch misdirected connections at the app layer with or without
DNSSEC (or routing security protocol hole of the week, etc.).  With the
exception of things which look up crypto keys via DNS lookups.

If you are using end-to-end application layer security, then DNS poisoning
is just yet another type of DoS attack.  If you don't care enough to use
end-to-end security, then the world is full of lots of dangerous things.
DNSSEC may give you the right IP address, but how do you know if the
routing table is going to the right place?

Of course, whether the user ignores or disables the warnings is another
matter.