[dns-operations] Massive DNS poisoning attacks in Brazil

Paul Vixie paul at redbarn.org
Tue Oct 2 20:34:36 UTC 2012


On 2012-10-02 8:24 PM, Stephane Bortzmeyer wrote:
> AFAIK, no, but it is very simple and built over the existing DNS: it
> is the same format as DNS-over-TCP, just over TLS+TCP.

i don't think so. too many middleboxes unpack the tcp/443 stream using a
wildcard certificate, and they "know" the format of the underlying
stream. it has to look like HTTP. that means POST or GET. i prefer POST,
for the reasons previously stated
(http://www.ietf.org/mail-archive/web/dnsext/current/msg11700.html).

TLS-PSK looks too much like censorship avoidance, which this is not, but
it would suffer the same fate.

TLS where you negotiate one certificate but use another, likewise.

paul

-- 
"It seems like the rules for automagic completion of incomplete names typed into browsers are going to start to look like those for the game of fizbin." --rick jones
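The framing difference the two posters are arguing about, as an added illustration that is not part of this thread: the same RFC 1035 wire-format query is shown first with the two-byte length prefix that DNS-over-TCP uses (what Stephane proposes to carry over TLS), and then as the body of an HTTP/1.1 POST (what Paul prefers, since an inspecting middlebox that unwraps tcp/443 expects to find HTTP). The `/dns-query` path and the `application/dns-message` content type are assumptions for this example, not values from the thread (they match what RFC 8484 later standardized); `resolver.example` is a constructed host name.

```python
import struct


def build_dns_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal RFC 1035 query: 12-byte header plus one question (QCLASS IN)."""
    # Header: ID, flags (only RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: length-prefixed labels terminated by a zero-length label.
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    return header + question


def frame_dns_over_tcp(msg: bytes) -> bytes:
    """DNS-over-TCP framing (RFC 1035 4.2.2): two-byte big-endian length, then the message."""
    return struct.pack("!H", len(msg)) + msg


def unframe_dns_over_tcp(stream: bytes) -> bytes:
    """Recover one message from a DNS-over-TCP stream; raises if the stream is short."""
    if len(stream) < 2:
        raise ValueError("need at least the two-byte length prefix")
    (length,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + length:
        raise ValueError("truncated DNS-over-TCP message")
    return stream[2:2 + length]


def frame_as_http_post(msg: bytes, host: str, path: str = "/dns-query") -> bytes:
    """Carry the raw wire-format message as an HTTP/1.1 POST body.

    Path and Content-Type are assumptions for this example, not values from the thread.
    This is the shape an HTTP-aware middlebox will accept: a request line, headers,
    a blank line, then a body whose size is declared by Content-Length.
    """
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: application/dns-message\r\n"
        f"Content-Length: {len(msg)}\r\n"
        f"\r\n"
    )
    return head.encode("ascii") + msg


def parse_http_post_body(raw: bytes) -> bytes:
    """Inverse of frame_as_http_post: pull the DNS message back out of the POST.

    Only the subset of HTTP this example produces is handled (no chunked encoding).
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of HTTP headers")
    length = None
    for line in head.split(b"\r\n")[1:]:
        key, _, value = line.partition(b":")
        if key.strip().lower() == b"content-length":
            length = int(value.strip())
    if length is None or len(body) < length:
        raise ValueError("missing Content-Length or truncated body")
    return body[:length]


if __name__ == "__main__":
    q = build_dns_query("example.com")
    print("DNS-over-TCP framing:", frame_dns_over_tcp(q).hex())
    print("HTTP POST framing:\n", frame_as_http_post(q, "resolver.example").decode("latin-1"))
```

Run the module directly to see both encodings of the same 29-byte query side by side; the TCP variant starts with the bare bytes `00 1d`, which is exactly what an HTTP-parsing middlebox will reject, while the POST variant starts with a request line it understands.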