[147715] in North American Network Operators' Group
Re: what if...?
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Dec 20 11:55:29 2011
To: "Eduardo A. Suárez" <esuarez@fcaglp.fcaglp.unlp.edu.ar>
In-Reply-To: Your message of "Tue, 20 Dec 2011 13:37:23 -0300."
 <20111220133723.cfjv8g999ssoc8gg@fcaglp.fcaglp.unlp.edu.ar>
From: Valdis.Kletnieks@vt.edu
Date: Tue, 20 Dec 2011 11:53:12 -0500
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Tue, 20 Dec 2011 13:37:23 -0300, "Eduardo A. Suárez" said:
> what if evil guys hack my mom's ISP DNS servers and use RPZ to redirect
> traffic from mom_bank.com to evil.com?
>
> How can she detect this?
The snarky answer is "If your mom has to ask how she can detect this, she's
probably going to be unable to do so".
The more technically correct answer is that you can check the IP and TTL as
returned by your local caching nameserver, and compare them to the values
reported from the authoritative NS for the zone.  Of course, this means you
have to hit the authoritative server, which sort of defeats the purpose of DNS
caching.
Or you can deploy DNSSEC.
Or you can deploy SSL (not perfect, but it raises the bar considerably).
Or you can google for "DNS RPZ" and start reading - the top hit seems to be
Paul Vixie's announcement: https://www.isc.org/community/blog/201007/taking-back-dns-0
- as about the 4th or 5th commenter points out, the threat
model is *no* different than a DNS server that forces in its own zones. The
commenter is talking in the context of a provider replacing a zone, but it's the
same issue if a black hat hacks in a zone.
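The "compare the IP and TTL from your caching resolver against the authoritative NS" check described in the reply, as an added example that is not part of the thread. It parses `dig +noall +answer` output for both sources and reports a changed address or a TTL that is higher than the zone publishes (a cache can only count a TTL down, so a higher value cannot be a cached copy of the authoritative answer). The dig lines, the name mom_bank.com and the RFC 5737 addresses are constructed sample data; in practice you would feed it the real output of `dig @<resolver> mom_bank.com A +noall +answer` and the same query sent to one of the zone's NS records.

```python
"""Detect a resolver answer that disagrees with the authoritative server.

Added example, not code from the NANOG thread.  Input is the text of
`dig <name> A +noall +answer` run once against the local caching resolver and
once against an authoritative nameserver for the zone.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    name: str
    ttl: int
    rtype: str
    rdata: str


# dig answer line: <name> <ttl> IN <type> <rdata>, separated by tabs or spaces
_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)\s*$")


def parse_dig_answer(text: str) -> list[Answer]:
    """Parse `dig +noall +answer` output into Answer records (one RR per line)."""
    answers: list[Answer] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # skip blanks and dig comments
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised dig answer line: {line!r}")
        name, ttl, rtype, rdata = m.groups()
        answers.append(Answer(name.lower(), int(ttl), rtype.upper(), rdata))
    return answers


def compare_answers(recursive: list[Answer], authoritative: list[Answer],
                    rtype: str = "A") -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: list[str] = []

    rec = {a.rdata for a in recursive if a.rtype == rtype}
    auth = {a.rdata for a in authoritative if a.rtype == rtype}
    if rec != auth:
        findings.append(f"{rtype} rdata differs: resolver={sorted(rec)} "
                        f"authoritative={sorted(auth)}")

    # A caching resolver counts the TTL down, so resolver TTL <= authoritative
    # TTL is normal.  A TTL above what the zone publishes did not come from a
    # cached copy of the authoritative answer (RPZ rewrites carry their own TTL).
    auth_ttl = max((a.ttl for a in authoritative if a.rtype == rtype), default=None)
    if auth_ttl is not None:
        for a in recursive:
            if a.rtype == rtype and a.ttl > auth_ttl:
                findings.append(f"TTL {a.ttl} for {a.rdata} exceeds "
                                f"authoritative TTL {auth_ttl}")

    # A CNAME the zone owner did not publish is another common rewrite shape.
    if (any(a.rtype == "CNAME" for a in recursive)
            and not any(a.rtype == "CNAME" for a in authoritative)):
        findings.append("resolver returned a CNAME the authoritative server did not")
    return findings


def check(resolver_output: str, authoritative_output: str) -> list[str]:
    """Convenience wrapper: parse both dig outputs and compare them."""
    return compare_answers(parse_dig_answer(resolver_output),
                           parse_dig_answer(authoritative_output))


# Constructed sample dig output (RFC 5737 documentation addresses).
AUTHORITATIVE = "mom_bank.com.\t300\tIN\tA\t203.0.113.10\n"
RESOLVER_CLEAN = "mom_bank.com.\t187\tIN\tA\t203.0.113.10\n"       # cached, TTL counted down
RESOLVER_REWRITTEN = "mom_bank.com.\t3600\tIN\tA\t198.51.100.7\n"  # different address, larger TTL

if __name__ == "__main__":
    print("clean resolver:", check(RESOLVER_CLEAN, AUTHORITATIVE) or "no findings")
    for f in check(RESOLVER_REWRITTEN, AUTHORITATIVE):
        print("rewritten resolver:", f)
```

As the reply notes, this only works because you query the authoritative server directly, so it is a spot check rather than something to run on every lookup; DNSSEC validation is what removes the need to trust the caching resolver's answer at all.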