Re: Securing DNS Re: IAB statement on the RPKI.


 



The point is not to protect the DNS. The point is to protect the
people. And that means that maybe you don't want your machine to
resolve every domain name.


The typical attack these days is to direct a user to a malware site.
This is usually spam but can easily be a malicious redirect or inline
on a hacked Web site.

Once the user is on the malware site they are either asked to install
the malware or the site does a driveby download on them.

Other sites we would like to avoid visiting are identified phishing sites.


Sending the malware through email pretty much fails these days as very
few email services will deliver executable attachments. Thus the need
for the malware site approach.




On Thu, Feb 18, 2010 at 6:53 PM, Paul Wouters <paul@xxxxxxxxxxxxx> wrote:
> On Wed, 17 Feb 2010, Phillip Hallam-Baker wrote:
>
>> One of the big fallacies of DNSSEC is the idea that providing clients
>> access to the unfiltered authoritative DNS source is the same as
>> securing the DNS. That was the case when DNSSEC was designed, today
>> most endpoints would prefer to opt to connect to some sort of filtered
>> DNS with malware and crimeware sites removed.
>
> "most"? That's quite the claim. If so, then opendns and friends would be
> much busier rewriting our DNS packets.
>
>> The biggest DNS security vulnerability is in the information that is
>> input to the DNS publication service. Most hijacking schemes have been
>> due to attacks on registrars.
>
> I thought the most used hijacking schemes used dancing hamsters or nude
> Britney Spears promises to install a new version of SYSTEM32\etc\hosts. In
> fact, it was so bad that Microsoft even hardcoded their own update servers
> IP's in their own DLL's.
>
> I have only heard of 2 or 3 attacks via registrar accounts. I've heard of
> many more compromised caches and hosts files.
>
> But I look forward to your substantiation that "most" of us prefer our DNS
> to be rewritten for security and saving us from typos by redirecting us to
> advertisement servers (malicious or not)
>
> Paul
>



-- 
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,
http://quantumofstupid.com/
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
