[dns-operations] Massive DNS poisoning attacks in Brazil

Vernon Schryver vjs at rhyolite.com
Wed Oct 3 13:38:01 UTC 2012

> From: Tony Finch <dot at dotat.at>
> To: Paul Vixie <paul at redbarn.org>

> Paul Vixie <paul at redbarn.org> wrote:
> >
> > in <http://www.ietf.org/mail-archive/web/dnsext/current/msg11700.html> i
> > was thinking that we'd add "send chain" as an edns option, and then add

> I like this plan.

All of those DNS tunneling, triggering, alternate port, and other
variant protocol schemes for dealing with hotel and public access
point attacks on DNS are either unnecessary in the long run or depend
on practically no one ever using them.  They are like the ad hoc schemes
subscribers to this mailing list use to tunnel other protocols home.

Any scheme that works around DNS, HTTP, ssh, etc. man-in-the-middle
attacks and becomes popular will be blocked, proxied, or hijacked
unless most users normally use tools that detect and refuse to work
with men in the middle.

If the browsers and stub DNS servers of most users did DNSSEC, DANE,
and HSTS, then any men in the middle would be obvious and wouldn't be
installed except for purposes that users tolerate, including access
point login, employment behind corporate firewalls, and living under
authoritarian regimes.  In addition, those tunneling schemes will not

To put it another way, if HTTP replaced IP as the Internet protocol
without any real improvements in end to end security, then the
censors and hijackers would apply their tools to HTTP.

Vernon Schryver    vjs at rhyolite.com
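The message above argues that a client which does DNSSEC and DANE refuses to work with a man in the middle rather than routing around it. The following is an added example, not code from the list post or from any named project, of the client-side half of that check: matching a DANE TLSA record (RFC 6698) against the certificate a client actually received. It assumes the TLSA RRset was already fetched and DNSSEC-validated by the stub resolver (without that, the hotel proxy can forge the TLSA record as easily as the A record), and it does not parse X.509, so the SubjectPublicKeyInfo is passed in alongside the certificate. The certificate byte strings are constructed stand-ins, not real DER.

```python
"""
Added example: DANE TLSA (RFC 6698) matching against a presented
certificate. Assumes the TLSA records were obtained over a
DNSSEC-validated lookup; the certificate bytes below are constructed
stand-ins rather than real DER-encoded X.509.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


def association_data(selector: int, matching: int,
                     cert_der: bytes, spki_der: bytes) -> bytes:
    """Association data as RFC 6698 section 2.1 defines it. spki_der is
    passed separately because this example does not parse X.509; a real
    client extracts it from cert_der."""
    if selector == 0:
        selected = cert_der
    elif selector == 1:
        selected = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching == 0:
        return selected
    if matching == 1:
        return hashlib.sha256(selected).digest()
    if matching == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching}")


def tlsa_for_cert(usage: int, selector: int, matching: int,
                  cert_der: bytes, spki_der: bytes) -> TLSA:
    """The record a site operator would publish for this certificate."""
    return TLSA(usage, selector, matching,
                association_data(selector, matching, cert_der, spki_der))


def record_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Recompute the association data for the presented certificate and
    compare it in constant time with what DNS says it should be."""
    expected = association_data(record.selector, record.matching,
                                cert_der, spki_der)
    return hmac.compare_digest(expected, record.data)


def dane_ee_accepts(records: Iterable[TLSA],
                    cert_der: bytes, spki_der: bytes) -> bool:
    """Accept the leaf certificate only if some DANE-EE (usage 3) record
    matches it. Usages 0-2 require chain validation against a trust
    anchor, which this example leaves out, so they never count here."""
    return any(r.usage == 3 and record_matches(r, cert_der, spki_der)
               for r in records)


def parse_presentation(text: str) -> TLSA:
    """Parse the zone-file form, e.g. '3 1 1 2bb183af...'."""
    usage, selector, matching, *hex_parts = text.split()
    return TLSA(int(usage), int(selector), int(matching),
                bytes.fromhex("".join(hex_parts)))


def to_presentation(record: TLSA) -> str:
    return (f"{record.usage} {record.selector} {record.matching} "
            f"{record.data.hex()}")


# Constructed stand-ins for DER certificates and their SPKI (not real X.509).
GENUINE_CERT = b"DER:CN=mail.example.net;serial=1"
GENUINE_SPKI = b"SPKI:rsa-key-of-mail.example.net"
MITM_CERT = b"DER:CN=mail.example.net;serial=99"
MITM_SPKI = b"SPKI:rsa-key-of-the-hotel-proxy"

# "3 1 1": DANE-EE, SubjectPublicKeyInfo, SHA-256 -- the common choice.
PUBLISHED = [tlsa_for_cert(3, 1, 1, GENUINE_CERT, GENUINE_SPKI)]

if __name__ == "__main__":
    print(to_presentation(PUBLISHED[0]))
    print("genuine:", dane_ee_accepts(PUBLISHED, GENUINE_CERT, GENUINE_SPKI))
    print("mitm:   ", dane_ee_accepts(PUBLISHED, MITM_CERT, MITM_SPKI))
```

The proxy's certificate fails because its key is not the one the TLSA record hashes, regardless of which CA signed it; that is the "detect and refuse" behaviour the message relies on, and it only holds if the TLSA answer itself was DNSSEC-validated rather than taken from whatever resolver the access point handed out.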
