1. 14
  1.  

    1. 7

      This attack would be history once and for ever if DNSSEC was widely deployed… sigh…

      1. 2

        Forgive me if I sound ignorant, but how does one ensure DNSSEC and a BIND-RPZ co-exist? RPZs are widely used to return NXDOMAIN to any DNS lookup for ad/tracking networks on a lot of private/VPN networks.

        1. 1

          In this case, the recursive resolver could resolve domains and check their DNSSEC signature. But you could connect to your recursive resolver using DNS over TLS and remove the DNSSEC signatures, which is supported by systemd-resolved.

          If it’s unclear, here is an example how it would work:

          • Your DNS resolver on your local machine is set to 192.0.2.1#noads.dns.example.com.
          • You go to example.com in Firefox.
          • Firefox queries (through systemd-resolved but this is a detail) 192.0.2.1 over TLS: What is the IP for ‘example.com’?
          • 192.0.2.1 asks b.gtld-servers.net.: What is the name server and the DNSSEC keys for ‘example.com’?
          • b.gtld-servers.net. says it’s b.iana-servers.net. and the DNSSEC key is “f00bar”.
          • 192.0.2.1 asks b.iana-servers.net.: What is the IP for ‘example.com’?
          • b.iana-servers.net. answers 93.184.216.34, and the signature is “quux”.
          • 192.0.2.1 checks that sign("93.184.216.34", "f00bar") is “quux”.
          • 192.0.2.1 answers to Firefox “The IP is 93.184.216.34” over TLS and removes the DNSSEC information.

          If the domain is blocked, 192.0.2.1 replies NXDOMAIN right away.

      2. 6

        url: dan-kaminskys-dns-cache-poisoning-attack-is-back-from-the-dead-again

        title: Linux has a serious security problem that once again enables DNS cache poisoning

        I wonder if someone got back to whoever originally worded it and said “hey, maybe using that phrase when mentioning a relatively recently deceased person is bad form”.

        1. 4

          This is a fair point: I know Ars also regularly A/B test headlines so it’s also possible this is the title in their CMS but that headline never officially made the cut. Potentially worth pointing out to editorial staff in the comments?