DNS Attacks
Les Mikesell
lesmikesell at gmail.com
Fri Jul 25 18:40:49 UTC 2008
James Kosin wrote:
>>
>> If you are really paranoid (or about to do large transactions on what
>> you hope is your banking site), you could do a 'whois' lookup for the
>> target domain to find their own name servers and send a query directly
>> there for the target site.
>>
>>> The best approach would probably be a system to allow you to poll a
>>> few DNS servers, and to take the returned IP address that comes back
>>> from the most of them as the "correct" IP address!! But this isn't
>>> implemented anywhere as far as I know....
>>
>> dig @dns_server target_name
>> will send a query to a specified DNS resolver. Most public-facing
>> servers will only resolve the names of their own zones, especially
>> now. I think the current vulnerability only involves cached addresses
>> for which the server is not primary or secondary.
>>
> BUT, here is the really BAD news:
> a) 99.9% of the internet is really a cached service. The only true DNS
> entries are on the name servers that originated the DNS entry. This is
> why when you put up a new domain they suggest waiting about 3-4 days for
> the internet to propagate the DNS names. The information trickles down
> the DNS servers until everyone has the corrected information or update.
The only real delay when adding something new is getting the registered
servers for a domain into the root servers. These should be the ones
listed in the whois lookup. There is a time-to-live associated with the
addresses, so existing names may linger with the wrong addresses, though.
> b) If the DNS is corrupted you can't rely on the DNS resolver to be
> pointing to the correct IP!! You could be digging on the phishing site
> and they would be reporting false and bad information to you so they can
> scam you out of your passwords and/or money.
They'd have to spoof several things at once to keep it from being
obvious but you are right, the whois result will give names that you
have to look up somehow.
--
Les Mikesell
lesmikesell at gmail.com
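The two checks discussed in this thread (query several resolvers and take the majority answer; query the domain's own authoritative servers directly and compare) can be scripted. The block below is an added example, not code from any of the posters. It assumes `dig` is on the PATH for live lookups; the comparison logic itself is plain Python and the sample answer sets in `__main__` are constructed, so that part runs without network access. The names `ns1.example`, `resolver-a` and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are documentation placeholders, not real infrastructure.

```python
"""Cross-check a name's A records across several resolvers and against the
zone's own authoritative name servers.  Added example for the thread above,
not from the original posts.  Assumes `dig` is installed for live lookups;
the consensus/comparison functions are pure Python."""
import shutil
import subprocess
from collections import Counter


def dig_short(name, server=None, rtype="A", timeout=3):
    """Run `dig +short` and return the answers as a sorted tuple of strings,
    or None when dig is unavailable or the query fails or times out."""
    if shutil.which("dig") is None:
        return None
    cmd = ["dig", "+short", "+time=%d" % timeout, "+tries=1"]
    if server:
        cmd.append("@" + server)          # same form as `dig @dns_server name`
    cmd += [name, rtype]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True,
                              timeout=timeout + 2)
    except (subprocess.TimeoutExpired, OSError):
        return None
    if proc.returncode != 0:
        return None
    lines = [l.strip().rstrip(".") for l in proc.stdout.splitlines() if l.strip()]
    return tuple(sorted(lines))


def authoritative_servers(name):
    """Walk up the labels of `name` until an NS answer appears.  That NS set
    is the zone that originated the data, the same servers whois would list."""
    labels = name.strip(".").split(".")
    for i in range(len(labels) - 1):
        ns = dig_short(".".join(labels[i:]), rtype="NS")
        if ns:
            return ns
    return ()


def consensus(answers):
    """answers maps a source label to its answer tuple (None or () = no answer).
    Returns (majority_answer, agreeing_sources, dissenting_sources).  Ties are
    broken by the lexically smallest answer so the result is deterministic."""
    valid = {src: ans for src, ans in answers.items() if ans}
    if not valid:
        return None, [], sorted(answers)
    counts = Counter(valid.values())
    top = max(counts.values())
    winner = min(a for a, c in counts.items() if c == top)
    agree = sorted(src for src, ans in valid.items() if ans == winner)
    return winner, agree, sorted(src for src in answers if src not in agree)


def disagreements_with_authority(auth_answers, resolver_answers):
    """Sources whose answer differs from the authoritative majority.  A
    non-empty list means 'look closer' (stale cache, poisoned cache, or a
    legitimately geo/CDN-dependent answer), not proof of tampering."""
    auth, _, _ = consensus(auth_answers)
    if auth is None:
        return sorted(resolver_answers)   # nothing to compare against
    return sorted(src for src, ans in resolver_answers.items() if ans != auth)


def check_name(name, resolvers):
    """Live check: ask each listed resolver and each authoritative server."""
    from_resolvers = {r: dig_short(name, r) for r in resolvers}
    from_auth = {ns: dig_short(name, ns) for ns in authoritative_servers(name)}
    return {
        "resolvers": from_resolvers,
        "authoritative": from_auth,
        "resolver_consensus": consensus(from_resolvers),
        "disagree_with_authority": disagreements_with_authority(from_auth,
                                                                from_resolvers),
    }


if __name__ == "__main__":
    # Constructed sample (no network): two resolvers agree with the zone's
    # own servers, a third hands back a different address.
    auth = {"ns1.example": ("192.0.2.10",), "ns2.example": ("192.0.2.10",)}
    seen = {"resolver-a": ("192.0.2.10",), "resolver-b": ("192.0.2.10",),
            "resolver-c": ("198.51.100.7",)}
    print("resolver majority:", consensus(seen))
    print("differ from authority:", disagreements_with_authority(auth, seen))
    # Live use (needs dig and network); replace the placeholder resolver
    # addresses with resolvers you actually use:
    # print(check_name("www.example.com", ["203.0.113.53", "203.0.113.54"]))
```

Two caveats when reading the output: a cached answer that differs from the authoritative one is expected for the length of the record's TTL after a change, and content-delivery setups routinely give different addresses to different resolvers on purpose. Treat a disagreement as a prompt to query the authoritative servers directly rather than as a verdict.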