[dns-operations] summary of recent vulnerabilities in DNS security.
haya.shulman at gmail.com
Tue Oct 22 15:57:41 UTC 2013
On Tue, Oct 22, 2013 at 6:20 PM, Rubens Kuhl <rubensk at nic.br> wrote:
> Which brings me to the topic of resolver-behind-upstream attacks which
> were not commented upon.
> As you know, one of the recommendations of experts and Internet operators,
> following Kaminsky attack, was `either deploy patches or configure your
> resolver to use a secure upstream forwarder`, e.g., OpenDNS was typically
> recommended. The security is established since the resolver is hidden from
> the Internet and sends its requests only via its upstream forwarder.
> This configuration is still believed to be secure and is recommended by
> Would DNSCrypt, supported by OpenDNS, be a possible mitigation to this
> issue ?
> As you know we found vulnerabilities in such configuration, and designed
> techniques allowing to find the IP address of the hidden resolver, and then
> to discover its port allocation (the attacks apply to per-destination ports
> recommended in [RFC6056] or to fixed ports).
> This attack can be extremely stealthy and efficient, and applies to
> networks where communication between the resolver and upstream forwarder is
> not over TCP, and therefore can be fragmented (fragmentation of a single
> byte suffices).
> Would IPSEC between resolver and upstream forward be a possible mitigation
> to this issue ?
> Sure, both solve the problem. In particular, any secure channel protocol,
between the proxy resolver and an upstream forwarder, prevents the attacks.
Technische Universität Darmstadt****
FB Informatik/EC SPRIDE****
Tel. +49 6151 16-75540****
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the dns-operations