[dns-operations] Massive DNS poisoning attacks in Brazil

Paul Wouters paul at xelerance.com
Mon Nov 7 15:40:16 UTC 2011


On Mon, 7 Nov 2011, Olaf Kolkman wrote:

> Yes, and that sentence refers to CPE hacks. On the other hand, the last sentence of the second paragraph mentions ISP recursive name servers.
>
> All the same, it occurs to me that DNSSEC validation at the host would have prevented this (if the authoritative zones in question had been signed).

And if using a local validator with
draft-wijngaards-dnsext-resolver-side-mitigation, it might have even
protected against unsigned ones too. But if it was really the CPE,
it means that they would have only affected DHCP-obtained DNS servers,
so something like dnssec-trigger or just hardcoding to google/opendns
type services would have fixed it (which is what the article implies to
do by using google dns).

In short, there is no new technology needed to thwart this attack. The OS vendors
just need to catch up.

Paul
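The host-side setup Paul describes, a local validating resolver that ignores the DHCP-supplied name servers and forwards to hardcoded upstreams instead, looks like this in Unbound. This is an added illustration, not configuration from the thread or from the Unbound project; the trust-anchor file path and the choice of Google's resolvers as forwarders are assumptions, and /etc/resolv.conf on the host is assumed to point at 127.0.0.1.

```conf
server:
    # Only serve the local host; nothing on the LAN (including the CPE) should reach this.
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # Root trust anchor, maintained automatically per RFC 5011 (path is an assumption).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Fail closed if an upstream returns answers with the DNSSEC records stripped,
    # rather than falling back to accepting them unvalidated.
    harden-dnssec-stripped: yes
    # Never pass on a bogus answer just because validation failed.
    val-permissive-mode: no

forward-zone:
    # Forward everything to fixed upstreams instead of whatever DHCP handed out;
    # answers for signed zones are still validated locally before being returned.
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
```

With this in place, a poisoned CPE or ISP resolver can still feed wrong answers for unsigned zones (the resolver-side mitigation draft Paul mentions aims at that gap), but a forged answer for a signed zone fails validation and is returned as SERVFAIL rather than reaching the application.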
