[dns-operations] Massive DNS poisoning attacks in Brazil
paul.hoffman at vpnc.org
Wed Oct 3 14:29:00 UTC 2012
On Oct 3, 2012, at 6:38 AM, Vernon Schryver <vjs at rhyolite.com> wrote:
>> From: Tony Finch <dot at dotat.at>
>> To: Paul Vixie <paul at redbarn.org>
>> Paul Vixie <paul at redbarn.org> wrote:
>>> in <http://www.ietf.org/mail-archive/web/dnsext/current/msg11700.html> i
>>> was thinking that we'd add "send chain" as an edns option, and then add
>> I like this plan.
> All of those DNS tunneling, triggering, alternate port, and other
> varient protocol schemes for dealing with hotels and public access
> points attacks on DNS are either unnecessary in the long run or depend
> on practically no one ever using them. They are like the ad hoc schemes
> subscribers to this mailing list use to tunnel other protocols home.
> Any popular scheme that works around DNS, HTTP, ssh, etc.
> man-in-the-middle attacks that become popular will be blocked,
> proxied, or hijacked unless most users normally use tools that
> detect and refuse to work with men in the middle.
> If the browsers and stubb DNS servers of most users did DNSSEC, DANE,
> and HSTS, then any men in the middle will be obvious and won't be
> installed except for purposes that users tolerate including access
> point login, employment behind corporate firewalls, and living under
> authoritative regimes. In addition, those tunneling schemes will not
> To put it another way, if HTTP replaced IP as the Internet protocol
> without any real improvements in end to end security, then the
> censors and hijackers would apply their tools to HTTP.
I fully agree with all of this, but it leaves the question: what about tunneling DNS in TLS-over-HTTP? The earlier statement about why this would not work (corporations getting MITM certificates from bad actors in the root pile) doesn't actually apply because the client will have a single TLS trust anchor, possibly even one not even in the root pile.
More information about the dns-operations