[97963] in North American Network Operators' Group


RE: DNS Hijacking by Cox

daemon@ATHENA.MIT.EDU (Marcus H. Sachs)
Sun Jul 22 22:27:21 2007

From: "Marcus H. Sachs" <marc@sachsfamily.net>
To: <nanog@merit.edu>
Date: Sun, 22 Jul 2007 22:04:50 -0400
In-reply-to: <20070723014620.012AA766082@berkshire.machshav.com>
Errors-To: owner-nanog@merit.edu


DNSSEC provides source authenticity and data integrity.  You may get a bogus
answer, but with DNSSEC in place at least you have a way of verifying the
bogosity (is that a word?) of the reply.

I agree with Steve, DNSSEC won't stop these tricks but it makes them
detectable.

I'm a Cox user at home but I have my Linksys home router configured to use
DNS servers of my own choosing rather than Cox' choice.  I also tunnel my
email through SSH to a mail server I control so that I'm not blocked by
their port 25 filters.

Marc 

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
Steven M. Bellovin
Sent: Sunday, July 22, 2007 9:46 PM
To: Patrick W. Gilmore
Cc: nanog@merit.edu; Patrick W. Gilmore
Subject: Re: DNS Hijacking by Cox


On Sun, 22 Jul 2007 21:40:05 -0400
"Patrick W. Gilmore" <patrick@ianai.net> wrote:

> 
> On Jul 22, 2007, at 9:29 PM, Steven M. Bellovin wrote:
> > On Sun, 22 Jul 2007 14:56:13 -0700
> > "Andrew Matthews" <exstatica@gmail.com> wrote:
> >
> >> It looks like Cox is hijacking DNS for IRC servers.
> >>
> > And people wonder why I support DNSsec....
> 
> Steve,
> 
> One of us is confused.  It might be me, but right now I think it's 
> you.
> 
> To be clear, here is the situation as I understand it: Cox has 
> configured their recursive name servers such that when an end user 
> queries the recursive server for a specific host name (names?), the 
> recursive server responds with an IP address the host's owner did not 
> configure.
> 
> How exactly is DNSSEC going to stop them from doing this?
> 
If my host expects the response to be signed and it isn't, my host can
scream bloody murder.  The whole point of DNSSEC is to prevent random
changes to DNS replies, whether by hackers or by ISPs.

Yes, they can change it, but they can't change it without being caught.


		--Steve Bellovin, http://www.cs.columbia.edu/~smb
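
What "expects the response to be signed and it isn't" looks like on the wire, as an added example that is not part of the original thread: a parser that flags an answer carrying A records with no RRSIG covering them. The name irc.example, the addresses and both sample messages are constructed; this is only a presence check, and a validating resolver must also verify the signature against the zone's keys up to a trust anchor.

```python
import struct

A, RRSIG = 1, 46  # RR type codes (RFC 1035, RFC 4034)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:   # a compression pointer is 2 bytes and ends the name
            return off + 2
        off += 1 + n

def answer_records(msg):
    """Yield (rrtype, rdata) for each record in the answer section."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rrtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield rrtype, msg[off:off + rdlen]
        off += rdlen

def missing_signature(msg, qtype=A):
    """True if the answer has qtype records but no RRSIG covering that type."""
    has_data = covered = False
    for rrtype, rdata in answer_records(msg):
        if rrtype == qtype:
            has_data = True
        elif rrtype == RRSIG and struct.unpack("!H", rdata[:2])[0] == qtype:
            covered = True         # first RRSIG field is "type covered"
    return has_data and not covered

# Constructed sample messages (hypothetical name and addresses, dummy signature)
NAME = b"\x03irc\x07example\x00"
def rr(rrtype, rdata):
    return b"\xc0\x0c" + struct.pack("!HHIH", rrtype, 1, 300, len(rdata)) + rdata
def sig(covered):
    return rr(RRSIG, struct.pack("!HBBIIIH", covered, 8, 2, 300, 0, 0, 1) + b"\x07example\x00" + b"\x00" * 8)
def response(*rrs):
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, len(rrs), 0, 0)
    return hdr + NAME + struct.pack("!HH", A, 1) + b"".join(rrs)
SIGNED = response(rr(A, bytes([192, 0, 2, 10])), sig(A))
REWRITTEN = response(rr(A, bytes([198, 51, 100, 7])))
```
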

