[dns-operations] non-secure dynamic updates

Richard Clayton richard at highwayman.com
Wed Dec 14 13:02:15 UTC 2016 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In message <58510CCD.2060302 at fsi.io>, Paul Vixie <vixie at fsi.io> writes

>when we were working on RFC 2136 i had not yet got it through my head
>that most operators would run with defaults, and many implementors would
>provide bad defaults.
>
>the paper referenced  below, published a couple of weeks back, tells an
>unfortunate tale. and i've heard that notification and remediation is
>going about as poorly as it usually does.
>
>https://dl.acm.org/citation.cfm?id=2987477
>
>title: <<Zone Poisoning: The How and Where of Non-Secure DNS Dynamic
>Updates>>

to emphasise Paul's remark about remediation ... I attended a Dagstuhl
workshop with the researchers and we chatted about their progress.

They have been using whois data to attempt to reach domain owners to
tell them of the risk but with somewhat limited success (c 20% IIRC). It
will surprise no-one here that these mailboxes are not regularly read
with appropriate diligence.

- From my experience (such as it is) I explained various other approaches
they might take for getting hold of a relevant sysadmin, especially for
some of the more interesting domain names....

... however this may be something that brand-owners might need to take
on (or at least proactively monitor for). If example.com is insecure
then the badguys can create

        lloydsbank.com.securityteam.example.com
        paypal.com.example.com
        gmail.access.example.com
        amazon.co.uk.example.com

and whatever else interests them.

This type of hostname turns up pretty regularly in phishing URL lists,
I'd always assumed this was due to name server configuration compromise
(after all, the criminals regularly have the run of all other aspects of
the machine config), but now I am less sure.

Of course if bank.com is insecure (and the researchers found 9 of these)
then they get to create

        newlogin.bank.com

(and make it HTTPS) and off they go!

Perhaps someone should generate an RPZ list for all of the vulnerable
domains -- would 600 or so domains from the Alexa 1M really be missed ?
though I expect the only way of really getting people's attention would
be for browsers to put up warnings (as well they might) for every URL
within the relevant domain ...

- -- 
Dr Richard Clayton                               <richard.clayton at cl.cam.ac.uk>
Director, Cambridge Cybercrime Centre                mobile: +44 (0)7887 794090
Computer Laboratory, University of Cambridge, CB3 0FD   tel: +44 (0)1223 763570

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBWFFC1zu8z1Kouez7EQK59gCdE3qefFKZMTj4fop3Z48taKjSDjIAn3bg
H+/SF7c6wbGh2Nk541ZCMQlA
=/KL/
-----END PGP SIGNATURE-----

More information about the dns-operations mailing list