BIND update?

Mark Andrews Mark_Andrews at isc.org
Thu Jul 10 07:02:39 UTC 2008


> Jason Stone wrote:
> 
> > So you say, "But I don't send important information over that 
> > connection, nor do I trust the information I get back?"  Maybe.  I think 
> > that the AOL data leak fiasco proved that, while people don't generally 
> > think of search queries as sensitive, they really kind of are.  And you 
> > almost certainly place _some_ trust in the results you get back; I mean, 
> > you're not reading them purely as fiction.
> 
> I validate such unauthenticated information at the human layer. Have to -- 
> even when nobody has tampered with DNS, BGP, or HTTP, the stuff at 
> nytimes.com and wikipedia.org is still often false.
> 
> > So, if your DNS resolver is vulnerable to cache poisoning, then every 
> > time you casually surf the web, you're allowing for the possibility that 
> > you will get spoofed, surf to some malware site, get served a browser 
> > exploit, and get 0wned.
> 
> That is already true, and is true regardless of the "security" of the DNS.
> 
> Think hard on why this is possible:
> 
> http://ex-parrot.com/~pete/upside-down-ternet.html
> 
> :)
> 
> Similarly, why does YouTube disappear whenever Pervez Musharraf gets cranky?
> 
> > I agree that DNSSEC is the real solution.
> 
> It won't, and can't, solve *any* of the problems you cited. Any attacker 
> that can mangle my DNS traffic (and cache poisoning is hardly the only way 
> to do that) can also just read and alter *any* non-secure-by-design 
> plaintext network traffic.

	DNSSEC won't stop all attacks.  It does however stop some
	attack vectors.  Others, like the man in the middle attack
	above, it won't stop.

> > I also think that making it easy (or even possible) to sandbox the
> > browsers is a real solution. I think that using strong crypto everywhere
> > and making fine-grained capabilities and MAC systems ubiquitous is also a
> > real solution.
> 
> Okay, I know when I'm being trolled. :) I'll stop posting now. It's bed time 
> anyway.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org