[dns-operations] summary of recent vulnerabilities in DNS security.
Haya Shulman
haya.shulman at gmail.com
Tue Oct 22 15:57:41 UTC 2013
On Tue, Oct 22, 2013 at 6:20 PM, Rubens Kuhl <rubensk at nic.br> wrote:
>
> Which brings me to the topic of resolver-behind-upstream attacks which
> were not commented upon.
> As you know, one of the recommendations of experts and Internet operators,
> following the Kaminsky attack, was `either deploy patches or configure your
> resolver to use a secure upstream forwarder`, e.g., OpenDNS was typically
> recommended. The security is established since the resolver is hidden from
> the Internet and sends its requests only via its upstream forwarder.
> This configuration is still believed to be secure and is recommended by
> experts.
>
>
> Would DNSCrypt, supported by OpenDNS, be a possible mitigation to this
> issue ?
>
>
> As you know, we found vulnerabilities in such configurations, and designed
> techniques allowing one to find the IP address of the hidden resolver, and then
> to discover its port allocation (the attacks apply to per-destination ports
> recommended in [RFC6056] or to fixed ports).
> This attack can be extremely stealthy and efficient, and applies to
> networks where communication between the resolver and upstream forwarder is
> not over TCP, and therefore can be fragmented (fragmentation of a single
> byte suffices).
>
>
> Would IPSEC between resolver and upstream forward be a possible mitigation
> to this issue ?
>
>
Sure, both solve the problem. In particular, any secure channel protocol
between the proxy resolver and an upstream forwarder prevents the attacks.
> Rubens
>
>
--
Haya Shulman
Technische Universität Darmstadt
FB Informatik/EC SPRIDE
Mornewegstr. 30
64293 Darmstadt
Tel. +49 6151 16-75540
www.ec-spride.de
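The thread's stated precondition for the attack is that the resolver-to-forwarder leg runs over something other than TCP, so that replies can be fragmented, and its stated fix is either TCP or a secure channel (DNSCrypt, IPsec) between the two. The following is an added example, not part of the original message or of any project it mentions: an Unbound forwarding-resolver configuration showing the weak default beside the hardened form that pins the upstream leg to TCP. The upstream address 192.0.2.53 is a placeholder from the RFC 5737 documentation range; substitute your own forwarder. DNSCrypt and IPsec setups are out of scope for this fragment.

```conf
# Added example (not from the dns-operations thread): unbound.conf for a
# resolver that sits behind an upstream forwarder.
#
# --- Weak form (commented out): default behaviour ---------------------------
# Queries to the forwarder leave over UDP, so the forwarder's replies are
# plain UDP datagrams that the network may IP-fragment. That is exactly the
# condition the thread describes as enabling the attack.
#
# server:
#     interface: 127.0.0.1
# forward-zone:
#     name: "."
#     forward-addr: 192.0.2.53      # placeholder upstream (RFC 5737 address)
#
# --- Hardened form: force the resolver-to-forwarder leg onto TCP -----------
server:
    interface: 127.0.0.1
    tcp-upstream: yes               # every query to upstream servers uses TCP,
                                    # removing the UDP/fragmentation precondition
    hide-identity: yes              # do not answer id.server / hostname.bind
    hide-version: yes               # do not answer version.bind
forward-zone:
    name: "."
    forward-addr: 192.0.2.53        # placeholder upstream (RFC 5737 address)
    forward-first: no               # never fall back to iterating over UDP
```

After reloading, a quick check from the resolver host is to watch the upstream leg (for example with `tcpdump -ni <iface> host 192.0.2.53 and port 53`) and confirm that only TCP segments, not UDP datagrams, are exchanged with the forwarder; any UDP traffic there means a zone or fallback path is still bypassing the setting.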