DNS is critical internet infrastructure. While security steps have been taken to make DNS attacks harder (mostly not accepting records you didn't ask for, and source port randomization), DNS is still a high value target.
While SSL does provide some protection for websites, all but a very small percentage of the most careful users will miss an http to https handoff to an OpenSSL-verified website with a small typo in its name.
In an ideal world the combination of protections against cache poisoning and source port randomization makes a DNS attack very difficult, around 1 in 4 billion (2^32, to be exact). Many things can go wrong, though: for instance, it is not uncommon for home routers running NAT to take the carefully randomized source port and rewrite it to a predictable port. If the source port can be predicted, the odds drop to 1 in 65,535. Of course a successful man-in-the-middle (MitM) attack makes DNS a convenient way for an attacker to siphon off only the parts he wants (like a login) while making it much harder to detect, since all the rest of the traffic looks completely normal.
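The NAT failure mode above is easy to check for from the resolver's own side: collect the source ports of a run of outbound queries (for example from a packet capture of UDP traffic to port 53) and look at whether they are random or marching upward. The script below is an added example, not code from the original post; the two port lists are constructed samples, one of a properly randomized resolver and one of a NAT that has rewritten the ports sequentially, and the helper names are my own.

```python
import math
from collections import Counter

# Constructed samples: source ports seen on ten successive outbound queries.
# A NAT that rewrites the randomized port typically emits a sequential or fixed one.
RANDOMIZED_PORTS = [53912, 18427, 61003, 2290, 44471, 37190, 9955, 58001, 27344, 16099]
NAT_REWRITTEN_PORTS = [1025, 1026, 1027, 1028, 1029, 1030, 1031, 1032, 1033, 1034]


def shannon_bits(values):
    """Empirical entropy of the sample in bits (upper bound is log2(len(values)))."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_sequential(values):
    """True when every successive difference is the same step of 0 or 1 (fixed or counting up)."""
    diffs = {b - a for a, b in zip(values, values[1:])}
    return len(diffs) == 1 and diffs.pop() in (0, 1)


def assess_port_randomization(ports):
    """Classify the observed source ports and derive the size of the space a spoofer must guess.

    A 16-bit transaction ID alone gives 2^16 possibilities (the ~1 in 65k figure in the post);
    a genuinely random 16-bit source port multiplies that to 2^32.
    """
    sequential = is_sequential(ports)
    low_entropy = shannon_bits(ports) < 0.9 * math.log2(len(ports))
    predictable = sequential or low_entropy
    txid_space = 2 ** 16
    port_space = 1 if predictable else 2 ** 16
    return {
        "predictable": predictable,
        "sequential": sequential,
        "entropy_bits": round(shannon_bits(ports), 2),
        "guess_space": txid_space * port_space,
    }


if __name__ == "__main__":
    for label, sample in (("randomized", RANDOMIZED_PORTS), ("nat-rewritten", NAT_REWRITTEN_PORTS)):
        print(label, assess_port_randomization(sample))
```

On a real capture, feed in a few hundred ports rather than ten so the entropy estimate is meaningful; a "predictable" verdict means the NAT (or the resolver itself) has undone source port randomization.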
Thus, for good end-to-end protection, DNSSEC is a good step in the right direction. If interested, please see my other DNSSEC posts for how to fix a (Linux, OS X, or Windows) client or a BIND-based DNS server.