{[ promptMessage ]}

Bookmark it

{[ promptMessage ]}

Today you cant https can help dnssec extension will

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: a zone •  Problem: you can’t run the name server for that domain. Why not? –  Your block is, not –  Whoever has wouldn’t be happy with you sejng their PTR records •  Solu)on: [RFC2317, Classless Delega)on] –  Install CNAME records in parent zone, e.g: addr.arpa CNAME 129.ptr.hTpserver.com DNS Security •  You go to starbucks, how does your browser find www.google.com? –  Ask local name server, obtained from DHCP –  You implicitly trust this server –  Can return any answer for google.com, including a malicious IP that poses as a man in the middle •  How can you know you are gejng correct data? –  Today, you can’t –  HTTPS can help –  DNSSEC extension will allow you to verify DNS Security 2 – Cache Poisoning •  Suppose you control evil.com. You receive a query for www.evil.com and reply: ;; QUESTION SECTION: ;www.evil.com. IN A 300 IN A ;; AUTHORITY SECTION: evil.com. 600 evil.com. 600 IN IN NS NS dns1.evil.com. google.com. ;; ADDITIONAL SECTION: google.com. IN A ;; ANSWER SECTION: www.evil.com. 5 •  Glue record pointing to your IP, not Google’s •  Gets cached! Cache Poisoning # 2 •  But how do you get a vic)m to look up evil.com? •  You might connect to their mail server and send –  HELO www.evil.com –  Which their mail server then looks up to see if it corresponds to your IP address (SPAM filtering) •  Mi)ga)on (bailiwick checking) –  Only accept glue records from the domain you asked for Cache Poisoning •  Bad guy at Starbucks, can sniff or guess the ID field the local server will use –  Not hard if DNS server generates ID numbers sequen)ally –  Can be done if you force the DNS server to look up something in you...
View Full Document

{[ snackBarMessage ]}

Ask a homework question - tutors are online