NetBSD-Users archive
Re: Securing DNS traffic
On Fri, 22 May 2020 22:38:19 +0100
Sad Clouds <cryintothebluesky%gmail.com@localhost> wrote:
> It seems there are two main security enhancements for DNS:
>
> 1. DNSSEC - digital signatures for DNS records to verify they haven't
> been tampered with.
>
> 2. DNS over TLS - encryption of DNS traffic for privacy. This goes via
> port 853 and could be over TCP or UDP (DTLS), although it's not clear
> to me if both TCP and UDP are always supported, or if it's mainly TCP.
I've been doing some more research and came across this article on DNS
hijacking
https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
Some of the techniques they describe seem to follow these steps:
1. DNS account is compromised and either A or NS records are changed to
point to a bogus server.
2. User connects to "email.mydomain.com" which is sent to a bogus
server that acts as a "man in the middle", collecting credentials
and then forwarding everything to the real "email.mydomain.com"
I think TLS was designed to avoid "man in the middle" attacks, but it
seems in this case a bogus server is using its own "valid" TLS
certificate and then proxying connections to the real server.
I don't quite understand how this works. Is it the case of somebody
creating a second valid TLS certificate for "email.mydomain.com" in
order to masquerade as a genuine email server? So if different CAs can
issue such certificates, how do you mitigate such attacks? Isn't this a
flaw in the PKI design to have different CAs that can vouch for the same
domain?
Under the "Prevention Tactics" the article talks about "revoking
malicious certificates", but what tools/methods are there to tell you
which certificates are malicious?
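Added example (not from the original post or the article it links): one way a zone owner can answer the closing question with data they already hold. The attacker's certificate passes public-CA validation, so "malicious" can only be judged relative to what the owner actually deployed. The script diffs observed A/NS records and the SHA-256 fingerprint of the presented leaf certificate against a recorded baseline, flagging the two changes the post describes (a redirected record and a foreign but CA-valid leaf). Hostnames, addresses and certificate bytes are constructed stand-ins; `live_leaf_der()` shows how the real DER would be fetched with the standard library but is not called in the offline run.

```python
"""Baseline-diff check for the hijack pattern in the post: a changed A or NS
record plus a leaf certificate that is CA-valid but not one we deployed.
Added example with constructed inputs; not from the original thread."""
import hashlib
import ssl

# Known-good records recorded by the zone owner (constructed values;
# 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
BASELINE = {
    ("mydomain.com", "NS"): {"ns1.mydomain.com.", "ns2.mydomain.com."},
    ("email.mydomain.com", "A"): {"192.0.2.10"},
}

# SHA-256 over the DER encoding of the leaf certificates we installed ourselves
# (constructed bytes stand in for real DER so the example runs offline).
OUR_LEAF_DER = {"email.mydomain.com": b"constructed-der-of-our-real-leaf"}
PINNED_LEAF_SHA256 = {
    host: {hashlib.sha256(der).hexdigest()} for host, der in OUR_LEAF_DER.items()
}


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint, the same value 'openssl x509 -fingerprint -sha256' prints."""
    return hashlib.sha256(der).hexdigest()


def check_records(name: str, rtype: str, observed: set[str]) -> list[str]:
    """Diff an observed RRset against the baseline; any delta is a finding."""
    expected = BASELINE.get((name, rtype))
    if expected is None:
        return [f"{name} {rtype}: no baseline recorded, cannot judge"]
    findings = [f"{name} {rtype}: unexpected value {v}" for v in sorted(observed - expected)]
    findings += [f"{name} {rtype}: baseline value {v} missing" for v in sorted(expected - observed)]
    return findings


def check_leaf(host: str, der: bytes) -> list[str]:
    """A leaf outside our pinned set is 'malicious' from our point of view,
    regardless of whether a public CA considers it valid (the attacker's was)."""
    fp = cert_fingerprint(der)
    if fp in PINNED_LEAF_SHA256.get(host, set()):
        return []
    return [f"{host}: leaf {fp[:16]}... is not a certificate we deployed"]


def audit(observation: dict) -> list[str]:
    """Run both checks over one observation and return all findings."""
    findings = []
    for name, rtype, values in observation["records"]:
        findings += check_records(name, rtype, set(values))
    for host, der in observation["leaf_der"].items():
        findings += check_leaf(host, der)
    return findings


def live_leaf_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf a live server presents (stdlib only). Not called in the
    offline run; a real monitor would feed its result to check_leaf()."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# Constructed observations: one matching the baseline, one showing the hijack.
OBSERVED_GOOD = {
    "records": [
        ("mydomain.com", "NS", {"ns1.mydomain.com.", "ns2.mydomain.com."}),
        ("email.mydomain.com", "A", {"192.0.2.10"}),
    ],
    "leaf_der": {"email.mydomain.com": OUR_LEAF_DER["email.mydomain.com"]},
}
OBSERVED_HIJACKED = {
    "records": [
        ("mydomain.com", "NS", {"ns1.mydomain.com.", "ns2.mydomain.com."}),
        ("email.mydomain.com", "A", {"198.51.100.7"}),  # now points at the proxy
    ],
    "leaf_der": {"email.mydomain.com": b"constructed-der-of-attacker-leaf"},
}

if __name__ == "__main__":
    for label, obs in (("good", OBSERVED_GOOD), ("hijacked", OBSERVED_HIJACKED)):
        print(label, audit(obs) or ["no findings"])
```

The fingerprint comparison deliberately ignores the issuer: whether the attacker's certificate came from the same CA or a different one, it is still not the one the owner installed, which is the property that distinguishes it. For the hijacked observation the script reports the redirected A record (both the unexpected address and the missing baseline address) and the unpinned leaf.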