[dns-operations] summary of recent vulnerabilities in DNS security.

Vernon Schryver vjs at rhyolite.com
Sat Oct 19 15:15:52 UTC 2013


> From: Haya Shulman <haya.shulman at gmail.com>

> We (me and my phd advisor Prof Amir Herzberg) recently found a number of
> new DNS vulnerabilities, which apply to patched and standard DNS resolvers,
> ...

> Recommendations:
> ...

The complete absence of any mention of DNSSEC among those recommendations
(or elsewhere) reads like an implicit claim that DNSSEC would not
help.  Even if that claim was not intended, would it be accurate?

Would DNSSEC make any of the recommendations less necessary or perhaps
even moot?  If DNSSEC by itself would be effective against cache
poisoning, then isn't it among the recommendations, especially for
"Resolver-behind-Upstream"?  Why aren't efforts to protect port
randomization, hide hidden servers and so forth like trying to make
it safe to use .rhosts and /etc/hosts.equiv files by filtering ICMP
redirects and IP source routing, and strengthening TCP initial sequence
numbers?

It's not that filtering ICMP redirects, etc. are wrong, but I think
today those things are used for availability instead of data integrity
(or authentication and authorization), and small leaks are not
always and everywhere seen as catastrophes.  In fact, haven't ICMP
redirects been reborn as fundamental parts of IPv6?


Vernon Schryver    vjs at rhyolite.com
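Added illustration of the "Resolver-behind-Upstream" case raised above (example configuration, not part of the original post or of any product documentation): a BIND 9 resolver that forwards to an upstream, first trusting the forwarder's answers outright, then validating DNSSEC locally so that a forged reply is rejected even if it matches the transaction ID and source port. The upstream address is a placeholder.

```conf
// Added example, not from the post. BIND 9 named.conf fragments for a
// resolver that forwards all queries to an upstream resolver.
// A real named.conf contains only ONE options block; the two below are
// shown side by side for comparison.

// --- weak: integrity rests on port/ID randomization along the path ---
// Any answer the forwarder (or something impersonating it) returns is
// cached as-is; the resolver has no way to tell a forged reply from a
// genuine one once the 16-bit ID and source port have been matched.
options {
    directory "/var/cache/bind";
    forward only;
    forwarders { 192.0.2.53; };   // placeholder upstream resolver
    dnssec-validation no;
};

// --- corrected: validate DNSSEC locally, behind the same forwarder ---
// The resolver asks the forwarder for DNSSEC records (DO bit set) and
// checks RRSIG/DS chains against the built-in root trust anchor itself.
// For signed zones a spoofed answer without a valid signature chain is
// discarded regardless of how the port or ID was guessed; port
// randomization then only affects availability, not data integrity.
options {
    directory "/var/cache/bind";
    forward only;
    forwarders { 192.0.2.53; };   // placeholder upstream resolver
    dnssec-validation auto;       // built-in root key, maintained via RFC 5011
};
```

The upstream forwarder must pass DNSSEC records through (it should itself be DNSSEC-aware, e.g. also running with `dnssec-validation auto;`), otherwise validation at the downstream resolver fails for signed zones rather than silently succeeding.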
