
Re: Securing DNS Re: IAB statement on the RPKI.

2010-02-19 11:16:40
The point is not to protect the DNS. The point is to protect the
people. And that means that maybe you don't want your machine to
resolve every domain name.


The typical attack these days is to direct a user to a malware site.
This is usually spam but can easily be a malicious redirect or inline
on a hacked Web site.

Once the user is on the malware site they are either asked to install
the malware or the site does a drive-by download on them.

Other sites we would like to avoid visiting are identified phishing sites.


Sending the malware through email pretty much fails these days as very
few email services will deliver executable attachments. Thus the need
for the malware site approach.




On Thu, Feb 18, 2010 at 6:53 PM, Paul Wouters <paul(_at_)xelerance(_dot_)com> wrote:
> On Wed, 17 Feb 2010, Phillip Hallam-Baker wrote:
>
>> One of the big fallacies of DNSSEC is the idea that providing clients
>> access to the unfiltered authoritative DNS source is the same as
>> securing the DNS. That was the case when DNSSEC was designed, today
>> most endpoints would prefer to opt to connect to some sort of filtered
>> DNS with malware and crimeware sites removed.
>
> "most"? That's quite the claim. If so, then opendns and friends would be
> much busier rewriting our DNS packets.
>
>> The biggest DNS security vulnerability is in the information that is
>> input to the DNS publication service. Most hijacking schemes have been
>> due to attacks on registrars.
>
> I thought the most used hijacking schemes used dancing hamsters or nude
> Britney Spears promises to install a new version of SYSTEM32\etc\hosts.
> In fact, it was so bad that Microsoft even hardcoded their own update
> servers IP's in their own DLL's.
>
> I have only heard of 2 or 3 attacks via registrar accounts. I've heard of
> many more compromised caches and hosts files.
>
> But I look forward to your substantiation that "most" of us prefer our DNS
> to be rewritten for security and saving us from typos by redirecting us to
> advertisement servers (malicious or not)
>
> Paul




-- 
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,
http://quantumofstupid.com/