Today, you can't; HTTPS can help; DNSSEC extension will


... a zone
•  Problem: you can't run the name server for that domain. Why not?
   –  Your block is, not
   –  Whoever has wouldn't be happy with you setting their PTR records
•  Solution: [RFC 2317, Classless Delegation]
   –  Install CNAME records in the parent zone, e.g.: CNAME

DNS Security
•  You go to Starbucks; how does your browser find ?
   –  Ask the local name server, obtained from DHCP
   –  You implicitly trust this server
   –  It can return any answer for, including a malicious IP that poses as a man in the middle
•  How can you know you are getting correct data?
   –  Today, you can't
   –  HTTPS can help
   –  The DNSSEC extension will allow you to verify

DNS Security 2 – Cache Poisoning
•  Suppose you control. You receive a query for and reply:

   ;; QUESTION SECTION:
   ;                        IN   A

   ;; ANSWER SECTION:
                      300   IN   A

   ;; AUTHORITY SECTION:
                      600   IN   NS
                      600   IN   NS

   ;; ADDITIONAL SECTION:
                            IN   A

•  Glue record pointing to your IP, not Google's
•  Gets cached!

Cache Poisoning #2
•  But how do you get a victim to look up ?
•  You might connect to their mail server and send:
   –  HELO
   –  Which their mail server then looks up to see if it corresponds to your IP address (SPAM filtering)
•  Mitigation (bailiwick checking)
   –  Only accept glue records from the domain you asked for

Cache Poisoning
•  Bad guy at Starbucks can sniff or guess the ID field the local server will use
   –  Not hard if the DNS server generates ID numbers sequentially
   –  Can be done if you force the DNS server to look up something in you...
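The bailiwick check named under Mitigation, as an added Python example (this is not the lecture's code): the names under the reserved .example TLD and the addresses are constructed placeholders, and `zone` is assumed to be the zone whose name server answered the query.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record as it appears in a dig-style response section."""
    name: str    # owner name, e.g. "ns1.target.example."
    ttl: int
    rtype: str   # "A" or "NS"
    rdata: str   # address for A, name-server name for NS


def labels(name: str) -> list[str]:
    """Split a domain name into lower-case labels, ignoring a trailing dot."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or lies below it (by label, not substring)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def accept_glue(zone: str, authority: list[RR], additional: list[RR]) -> list[RR]:
    """Return the glue A records a bailiwick-checking resolver would cache.

    zone is the zone whose name server answered the query. Glue is kept only if
    an NS record in the authority section names it, that NS record's owner is at
    or below zone, and the glue owner itself is at or below zone. Anything else
    is out of bailiwick and is dropped instead of cached.
    """
    trusted_ns = {rr.rdata.lower().rstrip(".") for rr in authority
                  if rr.rtype == "NS" and in_bailiwick(rr.name, zone)}
    return [rr for rr in additional
            if rr.rtype == "A" and in_bailiwick(rr.name, zone)
            and rr.name.lower().rstrip(".") in trusted_ns]


# Constructed poisoning attempt: the answer to a query under attacker.example
# carries an NS/glue pair for an unrelated zone, pointing at the attacker's IP.
ZONE = "attacker.example"
POISON_AUTH = [RR("target.example.", 600, "NS", "ns1.target.example.")]
POISON_ADD = [RR("ns1.target.example.", 600, "A", "198.51.100.66")]
# Constructed legitimate delegation data for the zone actually asked about.
GOOD_AUTH = [RR("attacker.example.", 600, "NS", "ns1.attacker.example.")]
GOOD_ADD = [RR("ns1.attacker.example.", 600, "A", "203.0.113.5")]

if __name__ == "__main__":
    print("poison glue cached:", accept_glue(ZONE, POISON_AUTH, POISON_ADD))  # []
    print("good glue cached:", accept_glue(ZONE, GOOD_AUTH, GOOD_ADD))
```

A resolver without this check would cache the out-of-zone A record and send later traffic for that name server to the attacker's address.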

This note was uploaded on 01/27/2014 for the course COSC 4377 taught by Professor Staff during the Spring '08 term at University of Houston.
