[dns-operations] summary of recent vulnerabilities in DNS security.
daniel at digsys.bg
Sat Oct 26 11:31:20 UTC 2013
On 26.10.2013, at 12:37, Haya Shulman <haya.shulman at gmail.com> wrote:
>> This is essentially an IP packet modification vulnerability and in order
>> to do these, you don't even need fragmentation. This might happen even
>> due to malfunctioning network adapter or other network device, not
>> necessarily an "attack". One of the reasons for DNSSEC existence is to
>> prevent processing of "damaged" DNS data, with malicious origin or not.
>> If you are concerned with improperly assembled IP packets, the DNS
>> community is the wrong place to ask for a fix. The DNS community can
>> only make sure "their" protocol takes care of such issues, and issues
>> like this are totally addressed by technologies such as DNSSEC, TSIG
>> etc. But the fundamental "fix" for this issue has to happen in the
>> TCP/IP stack.
> IP does not, and was not designed to, guarantee security - only best effort end-to-end delivery. The discussion was if Eastlake cookies can prevent the attacks: the example I showed was a legitimate way to apply IP fragmentation (which is a feature of IP - it is not a bug) to foil the protection offered by Eastlake cookies and to inject spoofed content into the DNS response (despite the use of Eastlake cookies for protection). This should be of interest to DNS community, unless you argue that the DNS community should rely on IP layer for security of DNS.
There is a technology, designed to handle this and other "problems" of DNS - well known as DNSSEC.
Many here, including me, argue that instead of applying medicine that "cures" the symptoms, we cure the disease instead.
But, just like with human medicine, there are apparently agendas that suggest keeping these symptomatic treatments.