Hi,
what if evil guys hack my mom ISP DNS servers and use RPZ to redirect traffic from mom_bank.com to evil.com? How can she detect this?
Eduardo.-
--
Eduardo A. Suarez
Facultad de Ciencias Astronómicas y Geofísicas - UNLP
FCAG: (0221)-4236593 int. 172/Cel: (0221)-15-4557542/Casa: (0221)-4526589
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
You mean besides SSL? :)
Ken Matlock
Network Analyst
Systems and Technology Service Center
Sisters of Charity of Leavenworth Health System
12600 W. Colfax, Suite A-500
Lakewood, CO 80215
303-467-4671
matlockk@exempla.org
-----Original Message-----
From: Eduardo A. Suárez [mailto:esuarez@fcaglp.fcaglp.unlp.edu.ar]
Sent: Tuesday, December 20, 2011 9:37 AM
To: nanog@nanog.org
Subject: what if...?
Hi, what if evil guys hack my mom ISP DNS servers and use RPZ to redirect traffic from mom_bank.com to evil.com? How can she detect this?
Eduardo.-
On Tue, 20 Dec 2011 13:37:23 -0300, "Eduardo A. Suárez" said:
what if evil guys hack my mom ISP DNS servers and use RPZ to redirect traffic from mom_bank.com to evil.com?
How can she detect this?
The snarky answer is "If your mom has to ask how she can detect this, she's probably going to be unable to do so".
The more technically correct answer is that you can check the IP and TTL as returned by your local caching nameserver, and compare them to the values reported from the authoritative NS for the zone. Of course, this means you have to hit the authoritative server, which sort of defeats the purpose of DNS caching.
Or you can deploy DNSSEC.
Or you can deploy SSL (not perfect, but it raises the bar considerably).
Or you can google for "DNS RPZ" and start reading - the top hit seems to be Paul Vixie's announcement: https://www.isc.org/community/blog/201007/taking-back-dns-0 and start reading - as about the 4th or 5th commenter points out, the threat model is *no* different than a DNS server that forces in its own zones. The commenter is talking in the context of a provider replacing a zone, but it's the same issue if a black hat hacks in a zone.
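An added example (not from the thread, nor ISC's code) of the check Valdis describes: parse the A answers returned by the ISP's caching resolver and by the zone's authoritative server, then flag a differing address set or a cached TTL that is higher than the authoritative one. The packets here are constructed in code rather than captured, and mom-bank.com, 192.0.2.x and 203.0.113.x are placeholder names and addresses; the parser itself works on real response bytes from a UDP query to either server.

```python
import struct

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_response(name, records, qid=0x1234):
    """Constructed (not captured) A-record response; records is [(ip, ttl), ...]."""
    pkt = struct.pack(">HHHHHH", qid, 0x8180, 1, len(records), 0, 0)  # id, QR|RD|RA, qd, an, ns, ar
    pkt += encode_name(name) + struct.pack(">HH", 1, 1)  # question: A, IN, starts at offset 12
    for ip, ttl in records:  # owner name = compression pointer 0xC00C back to the question name
        pkt += b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return pkt

def read_name(pkt, off):
    """Decode a possibly compressed name at pkt[off]; returns (name, offset after it)."""
    labels, end = [], None
    while pkt[off] != 0:
        if pkt[off] & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4): follow it
            end = off + 2 if end is None else end
            off = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
        else:
            ln = pkt[off]
            labels.append(pkt[off + 1:off + 1 + ln].decode())
            off += 1 + ln
    return ".".join(labels), (off + 1 if end is None else end)

def parse_a_answers(pkt):
    """Return {ip: ttl} for the A records in a DNS response's answer section."""
    qd, an = struct.unpack(">HH", pkt[4:8])
    answers, off = {}, 12
    for _ in range(qd):  # skip the echoed question (name + type + class)
        off = read_name(pkt, off)[1] + 4
    for _ in range(an):
        _, off = read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers[".".join(str(b) for b in pkt[off + 10:off + 14])] = ttl
        off += 10 + rdlen
    return answers

def compare(cached, authoritative):
    """Valdis's check: address sets must match, and a cached TTL may never exceed the authoritative TTL."""
    findings = []
    if set(cached) != set(authoritative):
        findings.append("address set differs: %s vs %s" % (sorted(cached), sorted(authoritative)))
    for ip, ttl in cached.items():
        if ip in authoritative and ttl > authoritative[ip]:
            findings.append("%s: cached TTL %d exceeds authoritative TTL %d" % (ip, ttl, authoritative[ip]))
    return findings
```

The TTL rule is a heuristic: a resolver configured with a minimum cache TTL can legitimately report a TTL above a very short authoritative one, so treat that finding as a prompt to look, not as proof of tampering.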
On Tue, Dec 20, 2011 at 11:53:12AM -0500, Valdis.Kletnieks@vt.edu wrote:
On Tue, 20 Dec 2011 13:37:23 -0300, "Eduardo A. Suárez" said:
what if evil guys hack my mom ISP DNS servers and use RPZ to redirect traffic from mom_bank.com to evil.com?
How can she detect this?
The snarky answer is "If your mom has to ask how she can detect this, she's probably going to be unable to do so".
The more technically correct answer is that you can check the IP and TTL as returned by your local caching nameserver, and compare them to the values reported from the authoritative NS for the zone. Of course, this means you have to hit the authoritative server, which sort of defeats the purpose of DNS caching.
Or you can deploy DNSSEC.
Or you can deploy SSL (not perfect, but it raises the bar considerably).
Or you can google for "DNS RPZ" and start reading - the top hit seems to be Paul Vixie's announcement: https://www.isc.org/community/blog/201007/taking-back-dns-0 and start reading - as about the 4th or 5th commenter points out, the threat model is *no* different than a DNS server that forces in its own zones. The commenter is talking in the context of a provider replacing a zone, but it's the same issue if a black hat hacks in a zone.
the one difference is that ISC will be shipping RPZ enabled code v. the blackhat having to hack the machine and modify the configuration. in the new BIND w/ RPZ, it will be much harder to determine when RPZ has been tweaked... Lowers the bar considerably.
RPZ sucks
/bill
On Dec 20, 2011, at 11:37 AM, Eduardo A. Suárez wrote:
Hi,
what if evil guys hack my mom ISP DNS servers and use RPZ to redirect traffic from mom_bank.com to evil.com?
How can she detect this?
Thankfully mom_bank.com is not valid, as underscores aren't valid in dns names :)
Additionally, SSL certificates combined with DNSSEC/DANE can provide some protection. Some of this technology may not be available today, but is worth tracking if you are interested in this topic.
- Jared
You tell that to http://www.charset.org/punycode.php?encoded=xn--m_omaaamk.com&decode=Punycode+to+normal+text
Normal text FMQQSQQT.com
to Punycode xn--m_omaaamk.com
?
On 20 Dec 2011, at 17:00, Jared Mauch wrote:
On Dec 20, 2011, at 11:37 AM, Eduardo A. Suárez wrote:
Hi,
what if evil guys hack my mom ISP DNS servers and use RPZ to redirect traffic from mom_bank.com to evil.com?
How can she detect this?
Thankfully mom_bank.com is not valid, as underscores aren't valid in dns names :)
Additionally, SSL certificates combined with DNSSEC/DANE can provide some protection. Some of this technology may not be available today, but is worth tracking if you are interested in this topic.
- Jared
On 12/20/11 9:14 AM, Christian de Larrinaga wrote:
You tell that to http://www.charset.org/punycode.php?encoded=xn--m_omaaamk.com&decode=Punycode+to+normal+text
Normal text FMQQSQQT.com
to Punycode xn--m_omaaamk.com
?
Dash - is a different character than underscore _
~Seth
On Tue, Dec 20, 2011 at 11:37 AM, Eduardo A. Suárez <esuarez@fcaglp.fcaglp.unlp.edu.ar> wrote:
Hi,
what if evil guys hack my mom ISP DNS servers and use RPZ to redirect traffic from mom_bank.com to evil.com?
How can she detect this?
Does your Mom call you up every time she gets a dialog box complaining about an invalid certificate ? If she has been conditioned just to click "OK" when that happens, then she probably can't.
Regards
Marshall
Marshall Eubanks wrote:
Does your Mom call you up every time she gets a dialog box complaining about an invalid certificate ?
If she has been conditioned just to click "OK" when that happens, then she probably can't.
Everyone I have observed clicks "ok" or "confirm exception" (if I remember the phrase correctly) as soon as possible. Sadly I think only a few security conscious (IT) people will actually think twice and reject it if they don't trust it.
That to me proves this aspect of SSL is somewhat flawed in that regard. But then I am preaching to the choir. :-)
Regards,
Jeroen
--
Earthquake Magnitude: 4.9
Date: Thursday, December 22, 2011 16:41:15 UTC
Location: Tarapaca, Chile
Latitude: -19.5358; Longitude: -69.1219
Depth: 95.20 km
On Dec 22, 2011, at 7:04 PM, Jeroen van Aart wrote:
Marshall Eubanks wrote:
Does your Mom call you up every time she gets a dialog box complaining about an invalid certificate ? If she has been conditioned just to click "OK" when that happens, then she probably can't.
Everyone I have observed clicks "ok" or "confirm exception" (if I remember the phrase correctly) as soon as possible. Sadly I think only a few security conscious (IT) people will actually think twice and reject it if they don't trust it.
That to me proves this aspect of SSL is somewhat flawed in that regard. But then I am preaching to the choir. :-)
See the definition of "dialog box" at http://www.w3.org/2006/WSC/wiki/Glossary
--Steve Bellovin, https://www.cs.columbia.edu/~smb
You probably want to google for the dnschanger virus
--
Sent from my smart phone. Please excuse my brevity
On Dec 20, 2011 4:38 p.m., "Eduardo A. Suárez" <esuarez@fcaglp.fcaglp.unlp.edu.ar> wrote:
Hi,
what if evil guys hack my mom ISP DNS servers and use RPZ to redirect traffic from mom_bank.com to evil.com?
How can she detect this?
In message <20111220133723.cfjv8g999ssoc8gg@fcaglp.fcaglp.unlp.edu.ar>, "Eduardo A. Suárez" writes:
Hi,
what if evil guys hack my mom ISP DNS servers and use RPZ to redirect traffic from mom_bank.com to evil.com?
How can she detect this?
The bank signs their zone and mum's machine validates the answers it gets from the ISP. This is not rocket science. This is not beyond the capabilities of even the smallest client that mom would use to talk to the bank. This is how DNSSEC was designed to be used.
Validating in the resolver protects the resolver itself and the cache from pollution. It also protects non DNSSEC aware clients from upstream of the resolver threats. It was always expected that clients would validate answers themselves.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org