[dns-operations] Massive DNS poisoning attacks in Brazil

Douglas Otis dotis at mail-abuse.org
Mon Nov 7 23:27:44 UTC 2011

On 11/7/11 7:40 AM, Paul Wouters wrote:
> On Mon, 7 Nov 2011, Olaf Kolkman wrote:
>> Yes, and that sentence refers to CPE hacks. On the other hand the 
>> last sentence of the second paragraph mentions ISP recursive name 
>> servers.
>> All the same it occurs to me that DNSSEC validation at the host would 
>> have prevented this (if the authoritative zones in questions would 
>> have been signed).
> And if using a local validator with
> draft-wijngaards-dnsext-resolver-side-mitigation if might have even
> protected against unsigned ones too. But if it was really the CPE,
> it means that they would have only affected DHCP obtained DNS servers,
> so something like dnssec-trigger or just hardcoding to google/opendns
> type services would have fixed it (which is what the article implies to
> do by using google dns)
> in short, there is no new technology needed the twart this attack. The 
> OS vendors
> just need to catch up.
In the case where CPE equipment passwords are compromised, would this 
suggest OS vendors never trust ISP assigned recursive DNS?   Not depend 
on assigned recursive DNS?  Clearly, no strategy can determine forged 
answers in these cases.


More information about the dns-operations mailing list