what if...?

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Tue Dec 20 11:16:06 CST 2011


On Tue, Dec 20, 2011 at 11:53:12AM -0500, Valdis.Kletnieks at vt.edu wrote:
> On Tue, 20 Dec 2011 13:37:23 -0300, "Eduardo A. =?iso-8859-1?b?U3XhcmV6?=" said:
> > what if evil guys hack my mom ISP DNS servers and use RPZ to redirect
> > traffic from mom_bank.com to evil.com?
> >
> > How can she detect this?
> 
> The snarky answer is "If your mom has to ask how she can detect this, she's
> probably going to be unable to do so".
> 
> The more technically correct answer is that you can check the IP and TTL as
> returned by your local caching nameserver, and compare them to the values
> reported from the authoritative NS for the zone.  Of course, this means you
> have to hit the authoritative server, which sort of defeats the purpose of DNS
> caching.
> 
> Or you can deploy DNSSEC.
> 
> Or you can deploy SSL (not perfect, but it raises the bar considerably).
> 
> Or you can google for "DNS RPZ" and start reading - the top hit seems to be
> Paul Vixie's announcement: https://www.isc.org/community/blog/201007/taking-back-dns-0
> and start reading - as about the 4th or 5th commenter points out, the threat
> model is *no* different than a DNS server that forces in its own zones. The
> commenter is talking in the context of a provider replacing a zone, but it's the
> same issue if a black hat hacks in a zone.
> 

	the one difference is that ISC will be shipping RPZ enabled code v.
	the blackhat having to hack the machine and modify the configuration.

	in the new BIND w/ RPZ,  it will be much harder to determine when
	RPZ has been tweeked...   Lowers the bar considerably.   RPZ sucks

/bill



More information about the NANOG mailing list