Re: DNS cache poisoning - Wake up everyone!



In article <1il8i9l.mcjmrk1k02di4N%usenet@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
James Taylor <usenet@xxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

> Elliott Roper <nospam@xxxxxxxxx> wrote:
> 
>> There is not much payoff in launching a 10,000 sub-domain per second
>> attack against a lonely client Mac cowering behind a NAT router.
> 
> That's not the attack you need to be worrying about. It's the prospect
> of your ISP's DNS resolver being poisoned that should be keeping you
> awake at night.
Absolutely. That was the point I was trying to make. Ever so poorly.

>> Beating up the router would be marginally more productive, but wait,
>> they don't do recursive DNS do they? Mine just uses the DNS server the
>> ISP gives it.
> 
> Correct. You don't need to worry about your home router trying to be a
> DNS resolver. However, you do need to worry about NAT routers in an
> organisation that runs its own DNS resolvers behind a NAT because, even
> if the resolver uses properly randomised UDP source ports, the NAT may
> unrandomise them leaving it possible to exploit the predictability of
> port numbering on the outside of the NAT. A company I consult for is
> having exactly this problem, and there isn't yet a firmware update for
> their Fortinet routers.

I think I have something similar with the village wireless mesh network
I use (and help look after).

>> Apple was more or less correct in concentrating on their servers.
> 
> Yes, caching resolvers are the major threat because they affect everyone
> that uses them. However, if Apple take our security seriously at all,
> they should fix the TCP/IP stack once and for all so that all
> applications are protected, not just BIND.
Indeed. Perhaps they are working on the encrypted DNS flavour? But does
that not require the whole infrastructure to adopt it?
They coulda shoulda done both in sequence.

>> It would have been nice if there were a fix for the small number of OS
>> X client machines with public addresses that were also doing DNS
>> recursion/caching. But I ain't gonna sweat it.
> 
> It's not just public facing machines that are vulnerable to DNS
> spoofing. It would be possible to launch this attack from a web page and
> penetrate a NAT firewall. However, it is probably easier for the hacker to
> go directly for the phish, or malware installation.

Yep. After all, from a social engineering point of view, this attack is
a phish with muscles.

--
To de-mung my e-mail address:- fsnospam$elliott$$
PGP Fingerprint: 1A96 3CF7 637F 896B C810 E199 7E5C A9E4 8E59 E248
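An added check for the situation James describes above, where a NAT in front of an organisation's own resolver may undo the resolver's UDP source-port randomisation (my example, not code from anyone in this thread): read the external source ports of the resolver's outbound queries off a WAN-side capture and score them. The port samples below are constructed, and the thresholds are assumptions, not published guidance.

```python
from collections import Counter
import math


def port_entropy_ratio(ports):
    """Observed Shannon entropy of the port sample divided by the maximum
    possible for this sample size (every port distinct). Near 0 means the
    NAT collapses queries onto one or a few external ports."""
    n = len(ports)
    if n < 2:
        return 0.0
    counts = Counter(ports)
    h = -sum(c / n * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)


def sequential_fraction(ports):
    """Fraction of consecutive queries whose external source port is exactly
    the previous port plus one. Distinct ports are not enough: a NAT that
    allocates them in order scores 1.0 here while still looking 'unique'."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1)


def assess_port_randomness(ports, min_entropy_ratio=0.9, max_sequential=0.2):
    """Return both metrics and a verdict for the sample. Thresholds are
    assumed values; a real check should use hundreds of queries."""
    ratio = port_entropy_ratio(ports)
    seq = sequential_fraction(ports)
    ok = ratio >= min_entropy_ratio and seq <= max_sequential
    return {"entropy_ratio": round(ratio, 3),
            "sequential_fraction": round(seq, 3),
            "verdict": "randomised" if ok else "predictable"}


# Constructed samples standing in for ports read off a WAN-side capture.
RANDOMISED = [34171, 52830, 4097, 61004, 17322, 45910,
              28445, 9731, 57266, 40018, 23599, 12384]   # NAT preserves ports
SEQUENTIAL_NAT = list(range(1024, 1036))                 # NAT hands out 1024, 1025, ...
SINGLE_PORT_NAT = [1025] * 12                            # NAT maps everything to one port

if __name__ == "__main__":
    for name, sample in [("randomised", RANDOMISED),
                         ("sequential NAT", SEQUENTIAL_NAT),
                         ("single-port NAT", SINGLE_PORT_NAT)]:
        print(f"{name:16s} {assess_port_randomness(sample)}")
```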