[dns-operations] Massive DNS poisoning attacks in Brazil

Paul Wouters paul at xelerance.com
Tue Nov 8 01:02:17 UTC 2011


On Mon, 7 Nov 2011, Douglas Otis wrote:

> In the case where CPE equipment passwords are compromised, would this suggest 
> OS vendors never trust ISP assigned recursive DNS?   Not depend on assigned 
> recursive DNS?  Clearly, no strategy can determine forged answers in these 
> cases.

Do what dnssec-trigger does. Validate on the stub, check with a query for a root
nameserver if you can use the ISP forwarder, if not try recursion yourself. If
that fails, warn the user.

This is another good example of why dnssec validation has to happen on each
device itself. Local networks are not guaranteed compromise-free.

Paul
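The probe-the-forwarder, then recurse, then warn sequence described in the reply above, as an added Python example that is not code from the post or from dnssec-trigger itself: each candidate is asked for the root NS RRset with the DO bit, a forwarder that answers but returns no RRSIGs is skipped, and the stub falls back to asking a root server directly before giving up. The dnspython probe assumes that library is installed; the forwarder address 192.0.2.1 and the stripped-RRSIG scenario are constructed, and the live probe only checks that signature records came back, it does not verify them against the root trust anchor.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class ProbeResult:
    answered: bool   # any reply at all (False: timeout, refused, port 53 blocked)
    has_rrsig: bool  # RRSIG records present, i.e. DNSSEC data was not stripped

# A probe sends "NS ." with the DO bit to one resolver and reports what came back.
Probe = Callable[[str], ProbeResult]

def choose_resolver(forwarders: List[str], probe: Probe, root_server: str) -> Tuple[str, str]:
    """Decide where a validating stub should send its queries.

    ("forwarder", addr): an ISP forwarder passes DNSSEC data through, use it.
    ("recursion", root): forwarders fail but a root server answers directly, recurse.
    ("insecure", ""):    neither works; the caller must warn the user.
    """
    for addr in forwarders:
        r = probe(addr)
        if r.answered and r.has_rrsig:
            return ("forwarder", addr)
    r = probe(root_server)
    if r.answered and r.has_rrsig:
        return ("recursion", root_server)
    return ("insecure", "")

def dnspython_probe(addr: str, timeout: float = 2.0) -> ProbeResult:
    """Live probe; assumes the dnspython package is installed (unused offline)."""
    import dns.message, dns.query, dns.rdatatype
    query = dns.message.make_query(".", dns.rdatatype.NS, want_dnssec=True)
    try:
        resp = dns.query.udp(query, addr, timeout=timeout)
    except Exception:  # timeout, network unreachable, malformed reply
        return ProbeResult(answered=False, has_rrsig=False)
    # A full validator would also verify these RRSIGs against the root trust anchor.
    sigs = any(rr.rdtype == dns.rdatatype.RRSIG for rr in resp.answer)
    return ProbeResult(answered=True, has_rrsig=sigs)

# Constructed scenario: the ISP forwarder (192.0.2.1, a documentation address) answers
# but strips RRSIGs, which is how a tampered CPE resolver looks to a validator, while
# a.root-servers.net (198.41.0.4) is reachable, so the stub can recurse on its own.
SCENARIO: Dict[str, ProbeResult] = {
    "192.0.2.1": ProbeResult(answered=True, has_rrsig=False),
    "198.41.0.4": ProbeResult(answered=True, has_rrsig=True),
}

def simulated_probe(addr: str) -> ProbeResult:
    return SCENARIO.get(addr, ProbeResult(answered=False, has_rrsig=False))
```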


