[FoRK] Poisoned DNS on the increase
Karl Anderson
<kra at monkey.org> on
Mon Feb 18 15:03:41 PST 2008
On 18-Feb-08, at 10:43 AM, Lucas Gonze wrote:
> On Feb 18, 2008 12:47 AM, Udhay Shankar N <udhay at pobox.com> wrote:
>> * (having a poisoned DNS server + trojans to change settings on victim
>> machines) could get you, for example, access to a victim's banking
>> transactions.
>
> This is something on the order of a keylogger. The attacker gets root
> but doesn't let the victim know, preferring to spy on or control the
> victim's future movements. Still, the damage is done when the
> attacker gets root. The DNS poisoning is just a small detail.
>
>> * if you're running an open wireless AP with poisoned DNS servers, you
>> don't even need control of the victim's box.
>
> Good point.
Right, you don't need to break the victim's box, you can break
anything from the router up. Also, you don't have to harvest on the
victim's box at all, and all anomalous network traffic (other than the
bad IP addresses) is also upstream.
Assuming the victim got the proper keys in the first place (shudder),
this is only useful for unencrypted traffic, though, right?
The big problem is OpenID. Domain names were chosen as identifiers
partly because the domain name system is slow and entrenched, it's
harder to steal a service based on domain names (I don't remember who
said this, it's either from the spec or list discussion).
> So how do you defend yourself against DNS poisoning when you're using
> an untrusted DNS? Is there some way to set your own authenticated DNS
> server?
Does it matter so much if *your* DNS is untrusted? *Everything* is
untrusted once it leaves your box. Correct me if I'm wrong, but I
don't see this as a new threat, I see it as a more efficient way to
get at data that wasn't safe in the first place.