[dnssec-deployment] AP: "Use of Rogue DNS servers on rise"
Otmar Lendl
ol at bofh.priv.at
Mon Feb 18 09:44:54 EST 2008
On 2008/02/16 01:02, Phil Regnauld <regnauld+dnssec at catpipe.net> wrote:
>
> http://ap.google.com/article/ALeqM5ifrgeDBfUGAvXtLH_vgVrKcm0s_wD8UPLR8O1
[...]
> People
> usually automatically use the DNS servers of their Internet providers,
> but the recent wave of attacks modify the settings on victims'
> computers to send traffic to rogue DNS servers.

I'm wondering how DNSSEC can help.

If the client PC doesn't do DNSSEC, and uses TSIG to a trusted resolver
then a simple change of the IP address in the resolv.conf (or
equivalent) will be noticed.

The malware can work around that by either disabling the TSIG protection
or changing the stored key. The user won't notice this.

If the client PC does do the full DNSSEC processing itself, then the
malware needs to manipulate the stored trust anchors to break the
system once again.

As I see it: DNSSEC could help you against attackers who manipulate
foreign servers or data in transit, but once you can't trust your own
computer, you're lost nevertheless.

Current malware already routinely disables anti-virus software. The
change to also disable DNSSEC settings seems rather trivial.

Or do I view this too pessimistically once again?

/ol
--
-=- Otmar Lendl -- ol at bofh.priv.at -=-
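
The TSIG reasoning in the message above, as an added example that is not part of the original post: a simplified Python model (not the RFC 2845 wire format) in which a stub client verifies an HMAC on every resolver response. The keys, names, addresses and the `Resolver` and `stub_lookup` helpers are all constructed for illustration.

```python
import hashlib
import hmac
import struct

FUDGE = 300  # allowed clock skew in seconds (assumed value for this model)

def tsig_mac(key: bytes, message: bytes, time_signed: int, prior_mac: bytes = b"") -> bytes:
    """Simplified TSIG-style digest: HMAC-SHA256 over the length-prefixed
    request MAC (empty for a query), the message and the signing time."""
    data = struct.pack("!H", len(prior_mac)) + prior_mac
    data += message + struct.pack("!Q", time_signed)
    return hmac.new(key, data, hashlib.sha256).digest()

class Resolver:
    """Constructed stand-in for a recursive resolver. key=None models a
    server that does not hold the shared secret and so cannot sign."""
    def __init__(self, key, answers):
        self.key, self.answers = key, answers

    def handle(self, query: bytes, req_mac: bytes, now: int):
        answer = self.answers.get(query, b"NXDOMAIN")
        if self.key is None:
            return answer, b"", now
        return answer, tsig_mac(self.key, query + b"|" + answer, now, req_mac), now

def stub_lookup(stored_key: bytes, resolver: Resolver, query: bytes, now: int):
    """Client side: sign the query, then verify the response MAC against the
    key stored on the client. Returns (answer, verified)."""
    req_mac = tsig_mac(stored_key, query, now)
    answer, resp_mac, signed_at = resolver.handle(query, req_mac, now)
    expected = tsig_mac(stored_key, query + b"|" + answer, signed_at, req_mac)
    fresh = abs(now - signed_at) <= FUDGE
    return answer, fresh and hmac.compare_digest(resp_mac, expected)

# Constructed sample data (documentation address ranges, made-up keys).
NOW = 1_203_345_000
Q = b"bank.example"
KEY = b"constructed-shared-secret"
SWAPPED_KEY = b"constructed-replacement-key"
trusted = Resolver(KEY, {Q: b"192.0.2.10"})
rogue = Resolver(None, {Q: b"203.0.113.66"})
rogue_keyed = Resolver(SWAPPED_KEY, {Q: b"203.0.113.66"})

if __name__ == "__main__":
    print("trusted resolver, original key:", stub_lookup(KEY, trusted, Q, NOW))
    print("resolver address changed only: ", stub_lookup(KEY, rogue, Q, NOW))
    print("address and stored key changed:", stub_lookup(SWAPPED_KEY, rogue_keyed, Q, NOW))
```

The third case verifies cleanly, which is the message's point: the check only proves that the server holds whatever key is stored on the client, so the stored key and trust anchors need integrity protection that does not depend on the same host.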