DNS cache poisoning attacks -- are they real?

Joe Abley jabley at isc.org
Sun Mar 27 00:32:18 UTC 2005



On 26 Mar 2005, at 17:52, Sean Donelan wrote:

> You forgot the most important requirement: you have to be using
> insecure, unpatched DNS code (old versions of BIND, old versions of
> Windows, etc). If you use modern DNS code which only follows
> trustworthy pointers from the root down, you won't get hooked by
> this.

The obvious rejoinder to this is that there are no trustworthy pointers 
from the root down (and no way to tell if the root you are talking to 
contains genuine data) unless all the zones from the root down are 
signed with signatures you can verify and there's a chain of trust to 
accompany each delegation.

If you don't have cryptographic signatures in the mix somewhere, it all 
boils down to trusting IP addresses.


Joe
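The distinction Joe draws above, as an added example that is not part of the original thread or anyone's posted code: a toy DNSSEC-style validator in Go that walks a chain of trust from a configured root key, through parent-signed DS records, down to a signed A record, placed next to the only check an unsigned lookup allows (source IP plus transaction ID). The zone names (org., isc.org., www.isc.org.), addresses and keys are constructed for the example; Ed25519 and a SHA-256 digest stand in for the real DNSSEC algorithms and RFC 4034 canonical form.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Zone is a toy signed zone: one Ed25519 key pair stands in for DNSSEC's keys.
type Zone struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewZone generates a fresh key pair for the zone (constructed example data).
func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Pub: pub, priv: priv}
}

// RRSet is a record set plus its signature (the RRSIG stand-in).
type RRSet struct {
	Owner, Type string
	Data        []byte
	Sig         []byte
}

// canon is the byte string that gets signed; a real validator uses RFC 4034
// canonical form, this toy just joins the fields.
func canon(owner, typ string, data []byte) []byte {
	return append([]byte(owner+"|"+typ+"|"), data...)
}

// Sign produces an RRSet signed with this zone's private key.
func (z *Zone) Sign(owner, typ string, data []byte) RRSet {
	return RRSet{owner, typ, data, ed25519.Sign(z.priv, canon(owner, typ, data))}
}

// dsDigest models a DS record: the parent publishes a hash of the child's key.
func dsDigest(childName string, childPub ed25519.PublicKey) []byte {
	h := sha256.Sum256(append([]byte(childName+"|"), childPub...))
	return h[:]
}

// Link is one delegation the validator walks: the parent-signed DS for the
// child together with the key the child claims is its own.
type Link struct {
	ChildName string
	ChildKey  ed25519.PublicKey
	DS        RRSet
}

// Validate walks from the trust anchor (the root key the resolver is
// configured with) down every delegation to the leaf RRset. Any bad
// signature or DS mismatch fails the whole answer; no IP address is trusted.
func Validate(anchor ed25519.PublicKey, chain []Link, leaf RRSet) (bool, string) {
	key := anchor
	for _, l := range chain {
		if !ed25519.Verify(key, canon(l.DS.Owner, l.DS.Type, l.DS.Data), l.DS.Sig) {
			return false, "bad DS signature for " + l.ChildName
		}
		if !bytes.Equal(l.DS.Data, dsDigest(l.ChildName, l.ChildKey)) {
			return false, "DS does not match published key of " + l.ChildName
		}
		key = l.ChildKey
	}
	if !ed25519.Verify(key, canon(leaf.Owner, leaf.Type, leaf.Data), leaf.Sig) {
		return false, "bad RRSIG on " + leaf.Owner
	}
	return true, ""
}

// UnsignedReply is all a resolver has without DNSSEC: the answer is tied to
// the server only by the source IP and the 16-bit transaction ID.
type UnsignedReply struct {
	SrcIP  string
	TxID   uint16
	Answer string
}

// AcceptUnsigned is the whole check a pre-DNSSEC resolver can make; a forged
// packet with a spoofed source address and a guessed TxID passes it.
func AcceptUnsigned(expectIP string, expectTx uint16, r UnsignedReply) bool {
	return r.SrcIP == expectIP && r.TxID == expectTx
}

// BuildChain constructs root -> org. -> isc.org. and a signed A record
// (all names, keys and addresses are constructed example data).
func BuildChain() (anchor ed25519.PublicKey, chain []Link, leaf RRSet) {
	root, org, isc := NewZone("."), NewZone("org."), NewZone("isc.org.")
	chain = []Link{
		{"org.", org.Pub, root.Sign("org.", "DS", dsDigest("org.", org.Pub))},
		{"isc.org.", isc.Pub, org.Sign("isc.org.", "DS", dsDigest("isc.org.", isc.Pub))},
	}
	leaf = isc.Sign("www.isc.org.", "A", []byte("192.0.2.10"))
	return root.Pub, chain, leaf
}

func main() {
	anchor, chain, leaf := BuildChain()
	fmt.Println(Validate(anchor, chain, leaf))
	forged := leaf
	forged.Data = []byte("198.51.100.66") // attacker swaps the address
	fmt.Println(Validate(anchor, chain, forged))
	// the same forgery, unsigned, is accepted as long as IP and TxID match
	fmt.Println(AcceptUnsigned("192.0.2.53", 0x1234, UnsignedReply{"192.0.2.53", 0x1234, "198.51.100.66"}))
}
```

The point of the two halves is the one Joe makes: Validate never consults the address a packet came from, only keys reachable from the anchor, so an attacker who swaps in a key of their own fails either at the DS digest or at the parent's signature over the DS; AcceptUnsigned, by contrast, is satisfied by anyone who can spoof the source and guess the transaction ID.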