A Deep Dive on the Recent Widespread DNS Hijacking

Paul Ebersman list-nanog2 at dragon.net
Tue Feb 26 01:23:44 UTC 2019


ebersman> Yup. This is a good example of what I'm advocating. Just
ebersman> saying "use 2FA" or "use DNSSEC" or "have a CAA" isn't
ebersman> sufficient detail to make informed decisions of
ebersman> risk/effort/reward tradeoffs. Simplistic suggestions without
ebersman> details or context aren't doing anyone any favors.

ebersman> That said, even SMS 2FA is better than no 2FA. Barely. Just
ebersman> like forcing lousy passwords is better than no password but
ebersman> still not a best practice.

valdis> Feel free to suggest a workable 2FA.  Personally, I use a
valdis> Yubikey where I can.  Oath seems to be a reasonable approach for
valdis> technically minded people, but I'm not sure that it scales well
valdis> to the people who own the long tail domains in the 40 million
valdis> .coms.  I can get oathtool to behave the way I want, but I'm not
valdis> sure the owner of joes-bait-tackle-and-gunshop.com will be able
valdis> to deal with it.

Agreed. But this also gets down to the risk vs. hassle tradeoff. Joe's
Bait & Tackle Shop probably isn't getting attacked by nation states who
can hack SS7, so SMS text might be good enough. And certainly better
than just an 8-character plaintext password.

Risk/attack surface is part of that context I mention. Folks in
sensitive jobs will need better protection and hopefully be more capable
of using less "user friendly" tech. Folks protecting less and with less
geek background should still have some protection, but it doesn't need
to be nearly as fancy.
