[dns-operations] Massive DNS poisoning attacks in Brazil

Paul Vixie paul at redbarn.org
Tue Oct 2 20:34:36 UTC 2012

On 2012-10-02 8:24 PM, Stephane Bortzmeyer wrote:
> AFAIK, no, but it is very simple and built over the existing DNS: it
> is the same format as DNS-over-TCP, just over TLS+TCP.

i don't think so. too many middleboxes unpack the tcp/443 stream using a
wildcard certificate, and they "know" the format of the underlying
stream. it has to look like HTTP. that means POST or GET. i prefer POST,
for the reasons previously stated.

TLS-PSK looks too much like censorship avoidance, which this is not, but
it would suffer the same fate.

TLS where you negotiate one certificate but use another, likewise.


"It seems like the rules for automagic completion of incomplete names typed into browsers are going to start to look like those for the game of fizbin." --rick jones
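The framing difference the two messages argue about, shown as an added example (this is editorial illustration, not code from either poster or from any DNS implementation). Bortzmeyer's point is that DNS-over-TLS carries the unchanged DNS-over-TCP byte stream (2-byte length prefix plus the RFC 1035 wire message); Vixie's point is that an inspecting middlebox expects the decrypted tcp/443 stream to begin with an HTTP request line. The code builds one wire-format query, frames it both ways, and applies a crude "does this look like HTTP?" check of the kind such a box would do. The path `/dns-query` and media type `application/dns-message` are assumptions: they are the values later standardized for DNS over HTTPS in RFC 8484 and were not part of this 2012 thread.

```python
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 wire-format query: 12-byte header, one question, RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def frame_dns_over_tcp(msg: bytes) -> bytes:
    """DNS-over-TCP framing (RFC 1035 4.2.2): big-endian 2-byte length, then the message.
    DNS-over-TLS reuses exactly this framing inside the TLS stream."""
    return struct.pack("!H", len(msg)) + msg


def frame_dns_over_http_post(msg: bytes, host: str = "dns.example",
                             path: str = "/dns-query") -> bytes:
    """The same wire message as the body of an HTTP/1.1 POST.
    Path and Content-Type are assumed values (the later RFC 8484 choices)."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/dns-message\r\n"
        f"Content-Length: {len(msg)}\r\n"
        "\r\n"
    ).encode("ascii")
    return head + msg


def looks_like_http(stream: bytes) -> bool:
    """Crude middlebox-style check on a decrypted stream: an HTTP request line
    is METHOD SP TARGET SP HTTP/x.y. Raw DNS-over-TCP bytes fail this."""
    first_line = stream.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    return (len(parts) == 3
            and parts[0] in (b"GET", b"POST")
            and parts[2].startswith(b"HTTP/"))


def unframe_tcp(stream: bytes) -> bytes:
    """Recover the DNS message from DNS-over-TCP framing."""
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length]


def unframe_http_post(stream: bytes) -> bytes:
    """Recover the DNS message from the POST body using Content-Length."""
    head, body = stream.split(b"\r\n\r\n", 1)
    for line in head.split(b"\r\n")[1:]:
        key, _, value = line.partition(b":")
        if key.strip().lower() == b"content-length":
            return body[:int(value.strip())]
    raise ValueError("no Content-Length header")


if __name__ == "__main__":
    q = build_query("example.com")  # constructed sample query
    tcp = frame_dns_over_tcp(q)
    http = frame_dns_over_http_post(q)
    print("DNS-over-TCP frame looks like HTTP:", looks_like_http(tcp))
    print("HTTP POST frame looks like HTTP:   ", looks_like_http(http))
    print("both carry the same message:", unframe_tcp(tcp) == unframe_http_post(http) == q)
```

Both framings carry byte-identical DNS payloads; only the HTTP one passes the request-line check, which is the property the thread turns on.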
