Attacking networks using DHCP, DNS - probably kills DNSSEC

Steven M. Bellovin smb at research.att.com
Sat Jun 28 23:15:45 EDT 2003


In message <5.1.1.6.2.20030628124252.033e5600 at idiom.com>, Bill Stewart writes:
>Somebody did an interesting attack on a cable network's customers.
>They cracked the cable company's DHCP server, got it to provide a
>"Connection-specific DNS suffix" pointing to a machine they owned,
>and also told it to use their DNS server.
>This meant that when your machine wanted to look up yahoo.com,
>it would look up yahoo.com.attackersdomain.com instead.
>
>This looks like it has the ability to work around DNSSEC.
>Somebody trying to verify that they'd correctly reached yahoo.com
>would instead verify that they'd correctly reached
>yahoo.com.attackersdomain.com, which can provide all the signatures
>it needs to make this convincing.
>
>So if you're depending on DNSSEC to secure your IPSEC connection,
>do make sure your DNS server doesn't have a suffix of echelon.nsa.gov...
>

No, that's just not true of DNSsec.  DNSsec doesn't depend on the 
integrity of the connection to your DNS server; rather, the RRsets are 
digitally signed.  In other words, it works a lot like certificates, 
with a trust chain going back to a magic root key.  I'm not saying that 
there can't be problems with that model, but compromised DNS servers 
(and poisoned DNS caches) are among the major threat models it was 
designed to deal with.  If nothing else, the existence of caching DNS 
servers, which are not authoritative for the information they hand out, 
makes a transmission-based solution pretty useless.



		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)
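As an added illustration of the point made in the reply (example code written for this page, not from either correspondent): a toy chain-of-trust validator in which each RRset is signed together with its owner name by the zone key, each zone key is vouched for by a DS record signed by the parent, and the chain ends at a trusted root key. It then runs the honest case next to three things a compromised resolver could hand back, including the suffixed name from the quoted message. The Schnorr-style signature over a Mersenne prime is a stand-in so the block runs with the standard library alone (real DNSSEC uses RSA, ECDSA or EdDSA), and the zone names, keys, DS chain and addresses are all constructed sample data.

```python
"""Toy DNSSEC-style chain-of-trust validator (added example, not from the thread).

Signed data carries its owner name, and each zone key chains via a parent-signed
DS record to a trusted root key, so authenticity rides on the data rather than
on the resolver that delivered it. Toy signature scheme; constructed sample data.
"""
import hashlib
import secrets

P = 2**521 - 1   # Mersenne prime M521, modulus of the toy signature group
G = 3            # generator (toy choice; no prime-order subgroup checks)


def _hash_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")


def keygen():
    """Return (private, public) for the toy scheme."""
    x = secrets.randbelow(P - 1)
    return x, pow(G, x, P)


def sign(priv: int, msg: bytes):
    k = secrets.randbelow(P - 1)
    r = pow(G, k, P)
    e = _hash_int(r.to_bytes(66, "big"), msg)
    return r, (k + priv * e) % (P - 1)   # exponents reduced mod P-1 (Fermat)


def verify(pub: int, msg: bytes, sig) -> bool:
    r, s = sig
    e = _hash_int(r.to_bytes(66, "big"), msg)
    return pow(G, s, P) == (r * pow(pub, e, P)) % P


def canon(owner: str, rtype: str, rdata: str) -> bytes:
    """Canonical bytes an RRSIG covers: the owner name is part of what is signed."""
    return f"{owner.lower()}|{rtype}|{rdata}".encode()


def key_digest(pub: int) -> str:
    """DS rdata: a digest of the child zone's public key."""
    return hashlib.sha256(pub.to_bytes(66, "big")).hexdigest()


def is_ancestor(zone: str, name: str) -> bool:
    return zone == "." or name == zone or name.endswith("." + zone)


class Zone:
    """A signed zone holding its DNSKEY pair."""
    def __init__(self, name: str):
        self.name = name
        self.priv, self.pub = keygen()

    def sign_rrset(self, owner: str, rtype: str, rdata: str) -> dict:
        return {"owner": owner, "type": rtype, "rdata": rdata, "signer": self.name,
                "dnskey": self.pub, "rrsig": sign(self.priv, canon(owner, rtype, rdata))}

    def ds_for(self, child: "Zone") -> dict:
        return self.sign_rrset(child.name, "DS", key_digest(child.pub))


def validate(query_name: str, rrset: dict, ds_chain: dict, root_pub: int):
    """Return rdata if rrset answers query_name and authenticates to root_pub, else None."""
    # Bound to the name asked for: a valid record for some other owner is not an answer.
    if rrset["owner"] != query_name or rrset["type"] != "A":
        return None
    if not is_ancestor(rrset["signer"], query_name):
        return None
    if not verify(rrset["dnskey"], canon(rrset["owner"], rrset["type"], rrset["rdata"]), rrset["rrsig"]):
        return None
    # Authenticate the signer's DNSKEY by walking parent-signed DS records up to the root.
    zone, key = rrset["signer"], rrset["dnskey"]
    while zone != ".":
        ds = ds_chain.get(zone)
        if ds is None or ds["owner"] != zone or ds["type"] != "DS" or ds["rdata"] != key_digest(key):
            return None
        parent = ds["signer"]
        if parent == zone or not is_ancestor(parent, zone):
            return None
        if not verify(ds["dnskey"], canon(ds["owner"], "DS", ds["rdata"]), ds["rrsig"]):
            return None
        zone, key = parent, ds["dnskey"]
    return rrset["rdata"] if key == root_pub else None


def scenarios() -> dict:
    """Run the honest case and three answers a lying resolver could return."""
    root, com = Zone("."), Zone("com.")
    yahoo, attacker = Zone("yahoo.com."), Zone("attackersdomain.com.")
    ds_chain = {"com.": root.ds_for(com), "yahoo.com.": com.ds_for(yahoo),
                "attackersdomain.com.": com.ds_for(attacker)}
    honest = yahoo.sign_rrset("yahoo.com.", "A", "192.0.2.10")
    out = {"honest": validate("yahoo.com.", honest, ds_chain, root.pub)}
    # Thread scenario: resolver returns the attacker's validly signed record for the suffixed name.
    suffixed = attacker.sign_rrset("yahoo.com.attackersdomain.com.", "A", "203.0.113.66")
    out["suffixed"] = validate("yahoo.com.", suffixed, ds_chain, root.pub)
    # Cache-poisoning style: rdata swapped, original RRSIG kept.
    out["tampered"] = validate("yahoo.com.", dict(honest, rdata="203.0.113.66"), ds_chain, root.pub)
    # A key of the attacker's own for yahoo.com: com's DS record does not vouch for it.
    forged = Zone("yahoo.com.").sign_rrset("yahoo.com.", "A", "203.0.113.66")
    out["forged_key"] = validate("yahoo.com.", forged, ds_chain, root.pub)
    return out


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case:10s} -> {result}")
```

Only the honest answer yields an address; the other three are rejected at the validator regardless of which server delivered them, because the check is on the signed data and its chain to the root key, not on the path the data took. A real validator also checks signature validity windows, key flags and algorithm support, which this toy omits.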

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com