[dns-operations] summary of recent vulnerabilities in DNS security.

Rubens Kuhl rubensk at nic.br
Tue Oct 22 15:20:19 UTC 2013

> Which brings me to the topic of resolver-behind-upstream attacks which were not commented upon.
> As you know, one of the recommendations of experts and Internet operators, following the Kaminsky attack, was `either deploy patches or configure your resolver to use a secure upstream forwarder`, e.g., OpenDNS was typically recommended. The security is established since the resolver is hidden from the Internet and sends its requests only via its upstream forwarder.
> This configuration is still believed to be secure and is recommended by experts.

Would DNSCrypt, supported by OpenDNS, be a possible mitigation to this issue?

> As you know we found vulnerabilities in such configuration, and designed techniques allowing to find the IP address of the hidden resolver, and then to discover its port allocation (the attacks apply to per-destination ports recommended in [RFC6056] or to fixed ports).
> This attack can be extremely stealthy and efficient, and applies to networks where communication between the resolver and upstream forwarder is not over TCP, and therefore can be fragmented (fragmentation of a single byte suffices).

Would IPsec between resolver and upstream forwarder be a possible mitigation to this issue?
