[dns-operations] Massive DNS poisoning attacks in Brazil
Douglas Otis
dotis at mail-abuse.org
Mon Nov 7 23:27:44 UTC 2011
On 11/7/11 7:40 AM, Paul Wouters wrote:
> On Mon, 7 Nov 2011, Olaf Kolkman wrote:
>
>> Yes, and that sentence refers to CPE hacks. On the other hand the
>> last sentence of the second paragraph mentions ISP recursive name
>> servers.
>>
>> All the same it occurs to me that DNSSEC validation at the host would
>> have prevented this (if the authoritative zones in question would
>> have been signed).
>
> And if using a local validator with
> draft-wijngaards-dnsext-resolver-side-mitigation it might have even
> protected against unsigned ones too. But if it was really the CPE,
> it means that they would have only affected DHCP obtained DNS servers,
> so something like dnssec-trigger or just hardcoding to google/opendns
> type services would have fixed it (which is what the article implies to
> do by using google dns)
>
> In short, there is no new technology needed to thwart this attack. The
> OS vendors just need to catch up.
In the case where CPE equipment passwords are compromised, would this
suggest OS vendors never trust ISP assigned recursive DNS? Not depend
on assigned recursive DNS? Clearly, no strategy can determine forged
answers in these cases.
-Doug