[147722] in North American Network Operators' Group


Re: what if...?

daemon@ATHENA.MIT.EDU (bmanning@vacation.karoshi.com)
Tue Dec 20 12:18:12 2011

Date: Tue, 20 Dec 2011 17:16:06 +0000
From: bmanning@vacation.karoshi.com
To: Valdis.Kletnieks@vt.edu
In-Reply-To: <4930.1324399992@turing-police.cc.vt.edu>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, Dec 20, 2011 at 11:53:12AM -0500, Valdis.Kletnieks@vt.edu wrote:
> On Tue, 20 Dec 2011 13:37:23 -0300, "Eduardo A. Suárez" said:
> > what if evil guys hack my mom's ISP's DNS servers and use RPZ to redirect
> > traffic from mom_bank.com to evil.com?
> >
> > How can she detect this?
> 
> The snarky answer is "If your mom has to ask how she can detect this, she's
> probably going to be unable to do so".
> 
> The more technically correct answer is that you can check the IP and TTL as
> returned by your local caching nameserver, and compare them to the values
> reported from the authoritative NS for the zone.  Of course, this means you
> have to hit the authoritative server, which sort of defeats the purpose of DNS
> caching.
> 
> Or you can deploy DNSSEC.
> 
> Or you can deploy SSL (not perfect, but it raises the bar considerably).
> 
> Or you can google for "DNS RPZ" and start reading - the top hit seems to be
> Paul Vixie's announcement: https://www.isc.org/community/blog/201007/taking-back-dns-0
> - as about the 4th or 5th commenter points out, the threat
> model is *no* different than a DNS server that forces in its own zones. The
> commenter is talking in the context of a provider replacing a zone, but it's the
> same issue if a black hat hacks in a zone.
> 

	the one difference is that ISC will be shipping RPZ-enabled code vs.
	the blackhat having to hack the machine and modify the configuration.

	in the new BIND w/ RPZ,  it will be much harder to determine when
	RPZ has been tweaked...   Lowers the bar considerably.   RPZ sucks

/bill
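
The check Valdis describes above (ask your caching resolver and the zone's authoritative server for the same name, then compare the addresses and TTLs), written out as an added example that is not part of the original thread. It uses only the Python standard library: the query builder, response parser and comparison below are this example's own, not ISC's or anyone else's code. The responses at the bottom are constructed inside the script so it runs offline; mom-bank.example stands in for the mom_bank.com of the question, and every address and TTL is a placeholder. query_udp is the online path for use against a real resolver and a real authoritative server; it is not exercised by the constructed data.

```python
"""Compare the A records a caching resolver returns with the authoritative
server's answer for the same name (added example, standard library only)."""
import socket
import struct

TYPE_A = 1
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted hostname into DNS label format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid=0x1234, want_recursion=True):
    """Build a DNS A query; RD set for the cache, cleared for the auth server."""
    flags = 0x0100 if want_recursion else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_a_records(data):
    """Return (rcode, [(owner, ttl, ipv4)]) for A records in the answer section."""
    _qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(data, offset)
        offset += 4  # skip QTYPE and QCLASS
    records = []
    for _ in range(ancount):
        owner, offset = read_name(data, offset)
        rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == TYPE_A and rclass == CLASS_IN:
            records.append((owner, ttl, socket.inet_ntoa(rdata)))
    return flags & 0x000F, records


def compare_answers(local_raw, auth_raw):
    """A plain cache only returns addresses the zone publishes, with a TTL that
    has counted down from the authoritative one. Anything else did not come
    from the zone, whether a provider's RPZ rewrite or an intruder's."""
    _, local = parse_a_records(local_raw)
    _, auth = parse_a_records(auth_raw)
    local_ips = {ip for _, _, ip in local}
    auth_ips = {ip for _, _, ip in auth}
    max_auth_ttl = max((ttl for _, ttl, _ in auth), default=0)
    ttl_too_large = [(ip, ttl) for _, ttl, ip in local if ttl > max_auth_ttl]
    return {
        "unexpected_ips": sorted(local_ips - auth_ips),
        "ttl_too_large": ttl_too_large,
        "consistent": local_ips <= auth_ips and not ttl_too_large,
    }


def query_udp(server_ip, name, want_recursion=True, timeout=3.0):
    """Online path: send the query over UDP and return the raw response."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, want_recursion=want_recursion), (server_ip, 53))
        return sock.recvfrom(4096)[0]
    finally:
        sock.close()


def build_response(qname, answers, qid=0x1234):
    """Construct a wire-format response; used here only to fake data offline."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    body = b""
    for ttl, ip in answers:  # 0xC00C points back at the question name
        body += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + socket.inet_aton(ip)
    return header + question + body


# Constructed samples (placeholder name, addresses and TTLs, not real data).
AUTH_RESPONSE = build_response("mom-bank.example", [(3600, "192.0.2.10")])
REWRITTEN_RESPONSE = build_response("mom-bank.example", [(5, "198.51.100.99")])
CACHED_RESPONSE = build_response("mom-bank.example", [(2410, "192.0.2.10")])

if __name__ == "__main__":
    print("rewritten cache:", compare_answers(REWRITTEN_RESPONSE, AUTH_RESPONSE))
    print("honest cache:   ", compare_answers(CACHED_RESPONSE, AUTH_RESPONSE))
```

Two caveats for anyone running this for real. Get the authoritative server's address from the parent zone (or a resolver you trust), not from the resolver under suspicion, since a resolver that rewrites A records can rewrite NS records as well. And as Valdis notes, a match only means the cache agreed with the zone for that one query; it does not prove the resolver is honest, which is what DNSSEC validation on the client side is for.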

