DNS cache poisoning attacks -- are they real?

Florian Weimer fw at deneb.enyo.de
Sun Mar 27 22:14:01 UTC 2005


* Alex Bligh:

> --On 26 March 2005 23:23 +0100 Florian Weimer <fw at deneb.enyo.de> wrote:
>
>> Should we monitor for evidence of hijacks (unofficial NS and SOA
>> records are good indicators)?  Should we actively scan for
>> authoritative name servers which return unofficial data?
>
> And what if you find them?

If leaking unofficial data were considered a capital offense (in
Internet terms), many ISPs would take action.  Apparently, it's not,
so detection is pretty much pointless.

> The only way you are going to prevent packet level (as opposed to
> organization level) DNS hijack is get DNSSEC deployed.

DNS cache poisoning (at least in the form which prompted me to start
this thread) is a quality-of-implementation issue.  DNSSEC will not
magically increase code quality (but it will definitely increase
complexity), that's why I don't share the enthusiasm of the DNSSEC
crowd. 8->
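The monitoring idea raised in the quoted question above (unofficial NS and SOA records as hijack indicators) can be turned into a simple offline check. This is an added illustration, not code from the thread or its authors; the zone name, name servers and SOA values are constructed, and in practice the "observed" view would come from querying the resolver under test while the "official" view comes from the parent delegation or the zone owner.

```python
"""Flag NS/SOA data returned by a resolver that deviates from the official
delegation for a zone. All sample data below is constructed."""
from dataclasses import dataclass, field
from typing import Optional, Set, List


def norm(name: str) -> str:
    """DNS names compare case-insensitively; force a single trailing dot."""
    return name.rstrip(".").lower() + "."


@dataclass
class SOA:
    mname: str   # primary master named in the SOA record
    serial: int  # zone serial; drift here is often benign (update lag)


@dataclass
class ZoneView:
    """NS set and SOA for a zone as seen from one source."""
    zone: str
    ns: Set[str] = field(default_factory=set)
    soa: Optional[SOA] = None


def compare_views(official: ZoneView, observed: ZoneView) -> List[str]:
    """Return findings where the observed view deviates from the official one."""
    findings: List[str] = []
    zone = norm(official.zone)
    off_ns = {norm(n) for n in official.ns}
    obs_ns = {norm(n) for n in observed.ns}
    for extra in sorted(obs_ns - off_ns):
        findings.append(f"unofficial NS {extra} served for {zone}")
    for missing in sorted(off_ns - obs_ns):
        findings.append(f"official NS {missing} missing from answer for {zone}")
    if official.soa and observed.soa:
        if norm(observed.soa.mname) != norm(official.soa.mname):
            findings.append(f"SOA MNAME {norm(observed.soa.mname)} differs from "
                            f"official {norm(official.soa.mname)} for {zone}")
        if observed.soa.serial != official.soa.serial:
            findings.append(f"SOA serial {observed.soa.serial} != official "
                            f"{official.soa.serial} for {zone} (may be update lag)")
    return findings


# Constructed sample: the resolver answers with one legitimate NS, one foreign NS,
# and an SOA naming the foreign host as primary master.
OFFICIAL = ZoneView("example.net", {"ns1.example.net.", "ns2.example.net."},
                    SOA("ns1.example.net.", 2005032601))
OBSERVED = ZoneView("example.net", {"NS1.example.net", "ns-x.example.org."},
                    SOA("ns-x.example.org.", 2005032601))

if __name__ == "__main__":
    for line in compare_views(OFFICIAL, OBSERVED):
        print(line)
```

Running the sample reports the foreign NS, the missing official NS and the SOA MNAME mismatch; the identical serial produces no finding.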
