
Re: DNS security and spoofing (Re: [cobalt-security] Anyone else get this error?)



EC> Date: 30 Dec 2002 14:33:33 +0300
EC> From: Eugene Crosser


EC> I can suggest something like this:

Cool.  The root zone's presence also is a nice touch... one can
AXFR it from some of the roots, but downloading a compressed file
with PGP signature is much better.  Thanks.  (Last time I checked
ftp.rs.internic.net, I'm virtually positive they lacked the PGP
signatures.  It's admittedly been a few years, though.)

The irony of what you suggest is that it requires DNS lookups for
the PGP keyserver and the FTP site -- a chance for spoofing.  Of
course, one would need to subvert the lookups _and_ have a phony
key that looked authentic, which complicates things a bit.

A general note I should have posted earlier:

The simplest chance to inject a malicious DNS response is if one
is on the same ethernet segment as the requestor.  Sniff DNS
traffic, generate a legitimate-looking response (proper port, DNS
query ID, etc.) and send it before the real one can arrive.
Brute-force attacks also are easier when one has LAN bandwidth.

One more reason to let your resolvers live on their own VLAN
segment(s) and to prevent anyone from spoofing them...


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@xxxxxxxxx>
To: blacklist@xxxxxxxxx
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to <blacklist@xxxxxxxxx>, or you are likely to
be blocked.
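The race described above (sniff the query, answer with the right destination port and query ID before the real server does) leaves one trace a resolver operator can watch for: two answers for the same outstanding query that disagree. The script below is an added illustration, not part of Eddy's message or the list thread. It parses minimal DNS wire-format messages and flags (a) responses for which no query was seen and (b) conflicting second answers to an already-answered query. All addresses, ports, names and packets are constructed test data; the resolver (192.0.2.53), the authoritative server (198.51.100.10) and the query ID 0x1A2B are assumptions.

```python
import struct

QTYPE_A = 1


def encode_name(name):
    """Encode a dotted hostname as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at offset `off`, following compression pointers."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels) + ".", off + 1
        if length & 0xC0 == 0xC0:  # pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail.rstrip("."))
            return ".".join(labels) + ".", off + 2
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_query(txid, name):
    """Constructed standard A query (RD set), used only as detector input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, 1)


def build_a_response(txid, name, ipv4, ttl=300):
    """Constructed answer with one A record; answer name points at the question (offset 12)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, 1)
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_message(msg):
    """Return txid, QR bit, question name/type and the A-record answers (one question assumed)."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    qtype, _ = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(ancount):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        answers.append(".".join(map(str, rdata)) if rtype == QTYPE_A and rdlen == 4 else rdata.hex())
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "qtype": qtype, "answers": answers}


def detect_raced_answers(packets):
    """packets: iterable of (src_ip, src_port, dst_ip, dst_port, dns_payload) as seen at the resolver.

    'unsolicited': a response whose (client port, txid, qname) matches no outstanding query.
    'conflict':    a second response to an already-answered query with different RDATA,
                   the trace left when a forged answer races the genuine one (in either order).
    Source IP is deliberately not trusted: a forged packet can carry the server's address.
    """
    pending = {}
    alerts = []
    for src_ip, sport, _dst_ip, dport, payload in packets:
        m = parse_message(payload)
        if not m["is_response"]:
            pending[(sport, m["txid"], m["qname"])] = None
            continue
        key = (dport, m["txid"], m["qname"])
        if key not in pending:
            alerts.append({"kind": "unsolicited", "from": src_ip, "txid": m["txid"],
                           "qname": m["qname"], "answers": m["answers"]})
        elif pending[key] is None:
            pending[key] = m["answers"]
        elif pending[key] != m["answers"]:
            alerts.append({"kind": "conflict", "from": src_ip, "txid": m["txid"],
                           "qname": m["qname"], "first": pending[key], "second": m["answers"]})
    return alerts


def sample_packets():
    """Constructed traffic: one query, a bogus answer that wins the race, the real answer, a stray answer."""
    resolver, auth = "192.0.2.53", "198.51.100.10"
    return [
        (resolver, 41234, auth, 53, build_query(0x1A2B, "www.example.com")),
        (auth, 53, resolver, 41234, build_a_response(0x1A2B, "www.example.com", "203.0.113.66")),   # forged, source spoofed
        (auth, 53, resolver, 41234, build_a_response(0x1A2B, "www.example.com", "198.51.100.80")),  # genuine
        (auth, 53, resolver, 41234, build_a_response(0x9999, "www.example.com", "203.0.113.66")),   # txid never asked
    ]


def demo():
    return detect_raced_answers(sample_packets())


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The key the detector matches on (client port, query ID, question name) is exactly what a forger on the same segment has to copy; what it cannot hide is that the genuine server still answers, so the resolver sees two answers where it expected one. Fed from a capture on the resolver's VLAN, the conflict alert is the cheap signal; the unsolicited alert also catches blind brute-force guesses at the ID.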