Attacking networks using DHCP, DNS - probably kills DNSSEC NOT

bear bear at sonic.net
Mon Jun 30 12:10:24 EDT 2003



On Mon, 30 Jun 2003, Simon Josefsson wrote:

>Bill Stewart <bill.stewart at pobox.com> writes:
>
>>>* Your laptop sees and uses the name "yahoo.com.attackersdomain.com".
>>>   You may be able to verify this using your DNSSEC root key, if the
>>>   attackersdomain.com people have set up DNSSEC for their spoofed
>>>   entries, but unless you are using bad software or judgment, you will
>>>   not confuse this for the real "yahoo.com".
>>
>> The DNS suffix business is designed so that your laptop tries
>> to use "yahoo.com.attackersdomain.com", either before "yahoo.com"
>> or after unsuccessfully trying "yahoo.com", depending on implementation.
>> It may be bad judgement, but it's designed to support intranet sites
>> for domains that want their web browsers and email to let you
>> refer to "marketing" as opposed to "marketing.webservers.example.com",
>> and Netscape-derived browsers support it as well as IE.
>
>It can be a useful feature, but it does not circumvent DNSSEC in any
>way, that I can see.  DNSSEC sees yahoo.com.attackersdomain.com and can
>verify that the IP addresses for that host are the ones that the owner
>of the y.c.a.c domain publishes, and that is what DNSSEC delivers.
>The bad judgement I referred to was if your software, after DNSSEC
>verification, confuses yahoo.com with yahoo.com.attackersdomain.com.

I think that the problem would be somewhat ameliorated if there
were a DNS cache on the laptop itself.  It would still use DNS
servers, but if it got a different IP number for the same address,
it should notify someone.

This can happen without an attack going on, if the legitimate
addressee's DNS record changes because the IP address of that
service actually changes - but with sites like Yahoo, Paypal,
etc, they've got a lot of infrastructure and momentum there.
Those IP addresses don't change on a whim. And those are the
major targets for a DNS spoof.

			Bear
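Bear's proposal above, as an added example that is not code from the thread: a local answer cache keyed by the name the application asked for, which flags a lookup whose answering name or address set differs from the cached one. The resolvers, the search suffix and the addresses are constructed stand-ins for real DNS answers; the suffix-first ordering is one of the two orderings the thread mentions.

```python
from dataclasses import dataclass, field


@dataclass
class Alert:
    name: str        # name the application asked for
    resolved: str    # fully qualified name that actually answered
    old: frozenset   # answer set cached from the previous lookup
    new: frozenset   # answer set just received


@dataclass
class DnsChangeMonitor:
    # Constructed search list, as a DHCP-supplied domain suffix might set it.
    search: list = field(default_factory=list)
    suffix_first: bool = False   # resolvers differ; both orders exist
    cache: dict = field(default_factory=dict)

    def candidates(self, name):
        """Names tried for 'name': the literal name and each suffix appended."""
        if name.endswith("."):           # absolute name: no search list
            return [name.rstrip(".")]
        expanded = [f"{name}.{s}" for s in self.search]
        return expanded + [name] if self.suffix_first else [name] + expanded

    def lookup(self, name, resolve):
        """resolve(fqdn) -> set of IPs or None. Returns (fqdn, ips, alert)."""
        for fqdn in self.candidates(name):
            ips = resolve(fqdn)
            if ips:
                break
        else:
            return None, frozenset(), None
        ips = frozenset(ips)
        # Keyed by the name the application asked for, so an answer that came
        # back via a suffix is compared with what the bare name gave before.
        prev = self.cache.get(name)
        alert = None
        if prev is not None and (prev[0] != fqdn or prev[1] != ips):
            alert = Alert(name, fqdn, prev[1], ips)
        self.cache[name] = (fqdn, ips)
        return fqdn, ips, alert


def scenario():
    """Constructed answers: a home resolver, then one on a hostile network."""
    mon = DnsChangeMonitor()
    home = {"yahoo.com": {"203.0.113.10"}}.get
    hostile = {"yahoo.com.attackersdomain.com": {"198.51.100.7"}}.get
    first = mon.lookup("yahoo.com", home)
    mon.search, mon.suffix_first = ["attackersdomain.com"], True   # from DHCP
    second = mon.lookup("yahoo.com", hostile)
    return first[2], second[2]
```

A legitimate address change is flagged the same way, which is the false positive Bear notes for sites whose addresses rarely move.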



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com