Secure DNS a Hard Sell 142
ebresie writes "Computer Business Review Online has an interesting article about the lack of acceptance for Secure DNS." From the article: "Speaking during a workshop on the technology, Keith Schwalm of Good Harbor Consulting, a former US Secret Service agent, said that even the financial sector, traditional security early-adopters, are not rushing DNSsec."
Nice, but not necessary (Score:5, Interesting)
Re:Nice, but not necessary (Score:5, Informative)
However, there is much more associated with DNS that you can do.
If I am a user, what I want is 100% confidence that I am connecting to the correct server. I'm trusting in the DNS chain all the way up to the root server and then on to the authoritative server. What's to keep an attacker from routing me somewhere that I don't want to go?
A good example is a piece of malware that changes the local DNS cache to point ebay to another server that does a man-in-the-middle attack? To the end user, it's completely invisible.
It's fairly easy to do on a LAN by using one of the mitm tools. What you are doing is setting up a rogue DHCP server and DNS server, then you give the target computer a lease with a machine you control as the DNS server. If you control DNS, you can tell them to go anywhere you want, including sniffing their traffic, altering the content of the traffic enroute, basically whatever you want.
Re:Nice, but not necessary (Score:4, Informative)
I'm not saying the authentication protocols already available (say in ssl) are entirely satisfactory, but duplicating them in DNS won't make them any better.
Re:Nice, but not necessary (Score:3, Interesting)
To spoof you without secure DNS, all
Re:Nice, but not necessary (Score:2, Insightful)
Those are beyond salvation and I don't think that secure DNS was developed with them in mind.
I mean, someone which will accept following an hyperlink coming on a html e-mail from somebody unknown to him that says "your.bank.of.confidence" while obviously opening a browser pointing to "your.hacker.of.the.day" won't benefit any more from using secure DNS.
Re:Nice, but not necessary (Score:2)
And, to be honest, I like SSL better than DNSSec because ther
Re:Nice, but not necessary (Score:4, Insightful)
But starting with a corrupted computer to begin with is a bad example anyway. The malware could simply substitute the ie.exe program for a new one that show what he want.
Re:Nice, but not necessary (Score:2, Insightful)
Re:Nice, but not necessary (Score:2, Insightful)
Re:Nice, but not necessary (Score:2)
Your scenario is plausible, but if someone is in a position to execute a Man in the Middle attack, then they can just snoop your traffic by redirecting it through a proxy under their control...Why bother with a DNS redirect? Cache poisoning exploits have been around forever, but they're not all that common either.
I think the reason
Re:Nice, but not necessary (Score:2)
That's your problem though, not mine as a server admin. Besides, a simple SSL server would foil that attack and pop up a warning that the server names don't match the certificate. Again, if you as a user are so completely braindead that you ignore the warning then it's your own damn fault for getting your information compr
Re:Nice, but not necessary (Score:1)
If I am truely in the middle, i can rewrite URL, present other certificates etc, ( spoof the certificate authority too even ), all this software technology exists Load balancers content switches ssl concentrators all have to legitmately do this now.
All that being said, this is currently not the biggest threat, although pull
Re:Nice, but not necessary (Score:2)
An SSL certificate.
The cert name and the DNS name must agree.
Re:Nice, but not necessary (Score:1)
one way they filter sites is to return false dns information for lets say one site: no-ip.com:
and request it again:
Re:Nice, but not necessary (Score:2)
RUMOR has it that Verisign can't sign the records fast enough, however. Public key operations are so slow, that by they can't get through the whole
Re:Nice, but not necessary (Score:1)
about 1 hour on a fast AMD system.
The distribution of the zone is a bigger issue, but most of the time only fragments of the zone would be signed at the same time.
Re:Nice, but not necessary (Score:2)
That's not true... They have indeed signed the whole .com zone in practice on some fairly decent machines and it was on the order of hours (if I recall; I think 6), not months which is the more likely signature life time they'd pick
Re:Nice, but not necessary (Score:1)
Spoofed DNS servers (Score:2)
Re:Nice, but not necessary-A royal pane. (Score:3, Funny)
Hard to understand (Score:5, Insightful)
As it is now, I have my users going to their registrars and "deleting the 'A' records because: "There is no A on my website."
Re:Hard to understand (Score:2)
bigger fear (Score:5, Interesting)
I run my own DNS server at home because I have a bigger fear that my ISP's DNS may be hijacked rather than my bank. It seems like that would be the easiest hole to crack for hackers.
I would hope that if my bank's DNS servers were hijacked that they would work with me to get any money I lost back. However, if my ISP's DNS servers were hijacked, I don't know that the bank would be as cooperative.
KeithRe:bigger fear (Score:5, Interesting)
Re:bigger fear (Score:5, Informative)
You will get a error dialog in the browser because YOUR browser certificate store probably doesn't have the signing CA certificate the attacker used to create the SSL cert for the rogue web server in the first place. But that is a different problem altogether.
Re:bigger fear (Score:2)
Re:bigger fear (Score:3, Interesting)
Re:bigger fear (Score:3)
Re:bigger fear (Score:5, Insightful)
Re:bigger fear (Score:1)
Quite a bit actually. I quote Godaddy.com's Wildcard High Assurance 256bit SSL Cert "The Validation Process verifies: domain name and domain control; identity and authority of requesting person or company". I think some of the personal verification steps include credit reports and the like. Funny that I was JUST thinking of this last night.
Re:bigger fear (Score:2)
Thawte just wanted a fax of our phone bill. Ours even had the wrong company name. I told them to look up our newly filed "doing business as" statement, but I don't know if they did.
Maybe if we claimed to be Chase.com they would care.
Re:bigger fear (Score:2)
After all, if they didn't, they wouldn't remain in the browsers' root CA list for very long.
Re:bigger fear (Score:2)
www.spoofedbank.com that looks like Bank of America can get a certificate on their own and the end user wouldn't even know. How many non-slashdotters never or even know how to read a certificate? They just clicky through.
Of course there would be somewhat of a trail if the cert is signed by a CA and that's the only way they won't get a popup.
Re:bigger fear (Score:2)
Re:bigger fear (Score:1)
I do this with my machine at work too, I use ssh with a public/private key set-up. If someone highjacks my machine I will be informed when I log on --- actual
Re:bigger fear (Score:2, Interesting)
The lock in the browser confirms that the site in the URL is the one serving the page.
Re:bigger fear (Score:1)
Re:bigger fear (Score:2)
Seems like a more sane solution would be to add your banks IP address to your
Re:bigger fear (Score:2)
If the roots get signed, they'll certainly going to be using off-line signing so the private half of the signing key won't be kept on the servers themselves. Thus, an attacker couldn't modify the data without people that were already aware of the public key wouldn't detect (and if they tried to change the key validating resolvers with the root keys installed as trust anchors would notice the difference and ignore the answers; end result a
Re:bigger fear (Score:2)
Same as Sony (Score:5, Insightful)
One could have said the same thing about music CD DRM (e.g. the Sony XCP RootKit) -- or the 9/11 terrorist attacks for that matter.
There's not a problem with it -- until there's a big problem with it. Then everyone asks why wasn't something done to protect us against it?
Re:Same as Sony (Score:2)
It's true, nothing gets the ol' blood pumping for action [wikipedia.org] than a good Reichstag fire [wikipedia.org]!
secure domains (Score:4, Funny)
So you have domain, secure domain, and when that gets compromised, you will then have super secure domains, ultra secure domains, and supermax domains?
Not gonna happen anytime soon. (Score:2, Informative)
Re:Not gonna happen anytime soon. (Score:1)
A solution looking for a problem? (Score:4, Insightful)
We already have authentication systems. Why should DNS, which every website uses, be doing something which only a tiny fraction of websites need?
Besides -- technology can't stop phishing. A combination of education, authentication and client software that can with 100% reliability inform the user whether authentication has happened is the answer. Authentication is by far the easiest problem of the three. Education is more or less impossible, and reliably informing users is next to impossible. (In a web browser, anyway. If you let websites display images and run active content, how do you stop them fooling a user, even a well educated one? How do you guarantee it's impossible to do so?)
DNS, Phishing, and secure DNS (Score:2)
Changing the way authentication happens from 2-factor to 3-factor is the only viable means for defeating most of the current phishing sites, but a slight expansion to some of the new MIM sites will be able to manage that as well. Then what? DNS is definitely not th
A Modest Proposal (Score:4, Insightful)
Re:A Modest Proposal (Score:3, Insightful)
The thing is that this isn't really feasable, because you have to replace all the client software to make it work - and at that point you might as well mandate IPV6 with IPSEC.
Think about it: DNS is only as secure as its weakest link, and that link is the desktop. If your suggestion is implemented without making every desktop aware of the
Perhaps better marketing? (Score:4, Interesting)
Security is always harder to sell than most products, because you are usually trying to convince a customer to spend more time and money for something without out a tangiable return. (If my DNS hasn't been spoofed yet, why pay money? And even if they do secure it, they don't have an easy way to say: "this saved us X dollars this year, and thus was worth the investment")
Add in an "official" website which is hard to read, and painful on the eyes, and you've got a hard sell indeed. As petty as it sounds, a better web presence might help ease acceptance.
Re:Perhaps better marketing? (Score:2)
Eric
Read my Invisible Fence Guide [ericgiguere.com]
Insurances too (Score:1)
Re:Perhaps better marketing? (Score:2)
[we proudly use Secure DNS]
Soon everyone would want it.
DNS; not so hard really (Score:1)
I thought about doing Secure DNS but seems highly irrelevant on a private home network.
at the end of the day, it is lazyness, lack of understanding the Whole PictureTM and the old mantra of "Why change what works already".
Re:DNS; not so hard really (Score:2)
The biggest killer is having to pay verisign for the privilege.. Domain $15, certificate to authenticate domain $100. Yeah, that'll fly..
dnssec and nym ala dan (Score:5, Interesting)
http://cr.yp.to/djbdns/forgery.html [cr.yp.to]
You might not like Dan, but he doesn't get things wrong very often.
Re:dnssec and nym ala dan (Score:1, Insightful)
Re:dnssec and nym ala dan (Score:3, Interesting)
I find Dan highly amusing, and would find a world without him a sadder place, but that's an opinion piece, without an iota of basis for any of the assertions he makes.
The one factoid he presents is the Microsoft ActiveX key spoof, which is indeed interesting. It also isn't addressed by his proposal, so I'm not sure what good it is. As for querying multiple servers to validate a lookup, that's a fun idea, but you still haven't cryptographically authenticated the information, and all it wo
Re:dnssec and nym ala dan (Score:2)
BIND "okay"? (Score:2)
"Not connected to the internet", then? BIND is notorious for remote root exploits [google.com]. This by you is "okay"?
Re:BIND "okay"? (Score:2)
Re:BIND "okay"? (Score:3, Informative)
Do you mean BIND 8 or BIND 9? Looking at your google query, I see about four different hits that actually have to do with BIND, and they're all about BIND 8, and they are all the same root exploit, not four different root exploits. Along with them is a root exploit for tcpdump - are you proposing that we stop using tcpdump as well?
Seriously, if you want an open source name server, BIND 9 is an amazin
Re:BIND "okay"? (Score:2)
Boo-hoo all you want about automated builds and patch distributions. I'm a big fan of keeping things simple. With BIND, I just install the
Re:dnssec and nym ala dan (Score:2, Informative)
Unfortunately, he doesn't get things right very often, either. His programs are generally thought to be somewhat secure (only "somewhat" because he likes to blame found vulnerabilities on the underlying OS, which does jack all to actually fix the problem), but they tend to earn that reputation by only implementing small subsets of their respective protocols. A DNS server that won't sync to another isn't very useful to most people, but Da
Re:dnssec and nym ala dan (Score:2)
Money talks (Score:4, Insightful)
So in the end, economics will drive SecDNS more than anything else. It seems like a good idea though for some institutions to go to a more secure DNS format. Let's face it: Fred's House of Flowers probably doesn't need as secure a domain as Citicorp or the CIA. The Internet ends up becoming a two-level affair, with the majority of sites being regular DNS sites and corporations and such using the more secure DNS setup.
Re:Money talks (Score:2)
Re:Money talks (Score:2)
Redundant (Score:4, Insightful)
The article says:
It's possible that a web surfer could think they are visiting their bank or an auction site and hand over their sensitive data, and it would be impossible to tell they were at a malicious site.
I disagree: there is a good way to tell if that is your bank you are talking to; check that they have the proper SSL certificate for their domain. Or better yet, just look at the color of the address bar in Firefox. If your bank isn't using SSL already, there are reasons far beyond DNS that they should be!
Also, even with SecDNS in place, physical man-in-the-middle or route poisoning attacks could intercept the communication at the IP level, making SecDNS marginally useful at best. In my opinion, the proper solution would be to encourage more widespread adoption of the existing SSL cert solution for services other than HTTPS. (e.g. SMTP, POP, FTP) Also, it would be good for the industry to have some additional certificate authorities with lower certification prices added to the major browsers' default trust list.
Re:Redundant (Score:3, Interesting)
Once you've got a DNSSEC-enabled zone, you can put interesting things into it, like CERT RRs with SSH keys. The advantage is clear: you only pay for the delegation (the domain registration fee), and not for each server certificate individually.
Apart from the threat to existing CA business models, there are also some unsolved techn
Helps in securing mail (DKIM) and other protocols (Score:2)
with SSL in todays browsers is a whole 'nother topic....
DNSSEC helps secure all DNS-based protocols, even those that couldn't adopt SSL/TLS.
DKIM (DomainKeys Identified Mail) is the lastest case in point, and if adopted will help drive DNSSEC deployment since it relies on DNS to help stop spam etc.
http://dki [dkim.org]
dear somebody skilled. (Score:3, Funny)
its called forced addaptation.
Re:dear somebody skilled. (Score:2)
On the other hand, there are various places around said University where you can plug in your cat5 and get to the Internet without VPN. Not the places where it's marked as OK to do so, mind you, mostly extra jacks in computer labs. I have a laptop but no wifi, and though I have no intention of doing anything illegal
You can't get it. (Score:4, Insightful)
On top of that, even if you ignore the signing of the root key, by and large you can't get ad-hoc zone signing - if you want to secure a zone, everybody who's going to see it as secure needs a copy of the zone key, because your top level domain (e.g.,
On top of that, many TLD providers seem to want signed zones to be a value-added option rather than basic functionality. So as with RSA, lo those many years ago, adoption will be slow because people want to monetize it, rather than seeing it as basic functionality that has to be there.
So it's no surprise that the end user isn't interested in it yet - they can't get it even if they are interested.
Re:You can't get it. (Score:1)
Re:You can't get it. (Score:2)
Re:You can't get it. (Score:2)
Am I a bad person if this was the first thing I thought of? (Space added so teh sl4sh doesn't auto-generate link)
Re:You can't get it. (Score:2)
Re:You can't get it. (Score:2)
On top of that, even if you ignore the signing of the root key, by and large you can't get ad-hoc zone signing - if you want to secure a zone, everybody who's going to see it as secure needs a copy of the zone key, because your top level domain (e.g., .com) isn't in a signed zone.
FYI, there is at least some work being done on getting things signed by something other than your DNS parent. Look for the internet-drafts on "DLV" and the "lookaside" support in bind. It's unclear if this sort of work will a
Comment removed (Score:4, Insightful)
Re:A real shame too (Score:2)
Please explain.
SSL is designed to ensure that DNS spoofing will cause SSL authentication failure. An attacker needs to hijack the domain name and get a matching (signed, trusted) certificate for that domain name in order t
Re: (Score:2)
Re:A real shame too (Score:2)
Incorrect. The browser checks the certificate domain against the intended domain. The result of a DNS lookup is not part of the trust equation. This is the great thing about end-to-end security, everything else in the path doesn't even matter.
I agree that the way domains and certificates are purchased is ridiculous. For God's sake why are we still proving email addr
Re: (Score:2)
Reason for not rushing adoption (Score:2, Informative)
H
Actually, existing DNS can be very insecure... (Score:4, Informative)
So for example, to hijack www.hsbc.com, you don't have to worry just about hsbc's name servers, com's name servers, and the root name servers. You also have to worry about the other servers that hsbc and com have deligated to, and the servers that they have deligated to, and on and on.
It's a hard sell because it's not secure (Score:2)
DNSSEC is not secure because it doesn't address the fundimental issues with security and nameservers.
* It doesn't stop cache poisoning attacks- a client resquesting a name from a poisoned cache won't get the key so they won't know anything is wrong.
* Breaking the nameserver itself gives you the keys as the nameserver is required to sign the resource records, so in this case, it gives people a false sense of security that they don't have!
* Finally, as it stan
Re:It's a hard sell because it's not secure (Score:2)
I'm not sure you've read the specs...
It doesn't stop cache poisoning attacks- a client resquesting a name from a poisoned cache won't get the key so they won't know anything is wrong.
Like all security, you need a trust-anchor root. This is the same way that your browser has a list of trusted root CA certificates. DNSsec requires something similar: a list of keys for roots that you trust. It a can se
Re:It's a hard sell because it's not secure (Score:2)
What gives you that idea?
Like all security, you need a trust-anchor root.
Wrong. You need what RFC 4033 calls a "trust anchor" if you want to prove identity (that the resource is what it claims to be), not if you want to prove authority (that the resource is being generated by the correct host) or integrity (that the resource data hasn't been altered). Go read ISBN 0471117099 for practical algorithms if you like.
Meanwhile, existing attacks on DNS have involved subverting
Re:It's a hard sell because it's not secure (Score:2)
true
not if you want to prove authority (that the resource is being generated by the correct host)
The resource can't be signed by an incorrect host (holder of a key; not a host) unless the key has been stolen or broken. Obviously, if you don't have a trust anchor then an attacker can generate any key it wants if you'll believe it. With a trust anchor, however, you won't believe it.
or
Deployment in Sweden (Score:2)
http://dnssec.nic.se/ [dnssec.nic.se]
Tutorial/howto: http://www.ripe.net/disi/dnssec_howto/ [ripe.net]
$ dig @bind.dnssec.se www.ripe.net +retry=1 +dnssec +multiline
and look for the "flags" to include "ad":
http://www.dnssec-deployment.org/ [dnssec-deployment.org]
Threat Analysis Of The Domain Name System
IETF RFC 3833 http://www.rfc-archive.org/getrfc.php?rfc=38 [rfc-archive.org]
Re:Deployment in Sweden (Score:2)
Why?? (Score:2, Insightful)
Re:Mostly OT: How long for MX record propagation? (Score:2)
My own attitiude to people who accept and run such systems is simply "screw 'em". But you might want to be a little more caring than that ...
What you can do is add your new MX records and leave the old ones in place, with a lower priority. Then just monitor the traffic to the ol
Re:Mostly OT: How long for MX record propagation? (Score:2)
Re:Mostly OT: How long for MX record propagation? (Score:2)
It seems some ISPs not only ignore TTL, they aggressively cache so the first version of a domain they see is the one they always use, until someone complains.
Re:Mostly OT: How long for MX record propagation? (Score:1)
- Configure a temp mailserver that forwards your companies email to the current MX
- Change the MX records to point to this server
- As the TTL expires and changed propogate you start seeing hits on your server. It still just forwards it to the old MX..
- Verify the headers of the email you receive, you can see if it's delivered via your MX or not
- When it seems all mail comes through your temp MX you either reconfigure it the way you want it or drop in a new one with the desired config
Then you
Re:OT: e.root-servers.net (Score:1)
Re:Security is always a hard sell (Score:2)
Why are government agencies that have a responsibilty for security using non-secure Windows platforms?
Re:Resistance from the DNS registries (Score:2)
Unfortunately true, though you could delete all those records and be subject to name injection. The NXT records (actually called "NSEC" by the way not NXT) just protect against proof of non existence. There is a new version called NSEC3 which uses hashed names to get around the data leak.