DNS Attacks

Björn Persson listor3.rombobeorn at tdcpost.se
Fri Jul 25 18:13:10 UTC 2008

Les Mikesell wrote:
> If you are really paranoid (or about to do large transactions on what
> you hope is your banking site), you could do a 'whois' lookup for the
> target domain to find their own name servers and send a query directly
> there for the target site.

Check that the domain name in the address bar is right, that you're using 
HTTPS, and that the bank's certificate has been verified correctly. Then 
you're safe, unless the attacker has *also* managed to trick one of the 
certification authorities into issuing a false certificate, or somehow 
sneaked a false CA certificate into your browser.

Similarly for other protocols: Use TLS if the server's identity matters. This 
is what TLS is for. (Well, one of its two purposes.)

Björn Persson

More information about the fedora-list mailing list