
Thread: Implicit trust in DNS servers

  1. #1
    Join Date
    Apr 2004
    Location
    East Coast of Florida - Lightening/Shark Bite Capital of the World
    Posts
    2,477

    Implicit trust in DNS servers

    How many people actually know which DNS server they're using? And, if they know which server they're using, how much do they trust the person or company running the server? The majority of networks are configured with dynamic host configuration protocol (DHCP). DHCP is a protocol that allows computers to broadcast a generic "configure me" message to the local network. Any server on the network can respond to the message, telling the computer which DNS server to use (among other things). This problem is two-fold: first, there is no guarantee that the response is coming from the expected server. And second, even if it comes from the proper server, what guarantee does the user have that the DNS server provided is actually valid and secure?

    http://www.symantec.com/enterprise/s...s_servers.html

    SlyFox
    "Politeness costs nothing and gains everything".


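The DHCP exchange that the quoted article describes (the client broadcasts, and whoever answers can hand it a DNS server) is visible in the packet format itself: the DNS servers travel in DHCP option 6, the responding server names itself in option 54. The following is an added example, not code from the original post or from the Symantec article. It builds two constructed DHCP OFFERs (a legitimate one from a router assumed at 192.168.1.1, and a rogue one from an assumed 192.168.1.77 that pushes the documentation address 203.0.113.53 as the resolver), parses the option list, and flags an offer whose server identifier or DNS list is not the expected one.

```python
"""Parse the options of a DHCP OFFER/ACK and report which DNS servers it pushes
to the client (option 6). The packets below are constructed for the example,
not captured traffic; all addresses are assumed."""
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field
BOOTP_HEADER_LEN = 236              # fixed BOOTP header that precedes the cookie
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} for the options after the magic cookie."""
    cookie = packet[BOOTP_HEADER_LEN:BOOTP_HEADER_LEN + 4]
    if len(packet) < BOOTP_HEADER_LEN + 4 or cookie != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    options = {}
    i = BOOTP_HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == 0:            # pad byte, no length field
            i += 1
            continue
        if code == 255:          # end of options
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        options[code] = value
        i += 2 + length
    return options


def ipv4_list(raw: bytes) -> list:
    """Decode a run of 4-byte IPv4 addresses (options 3, 6, 54 use this layout)."""
    if len(raw) % 4:
        raise ValueError("IPv4 list length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def summarize_offer(packet: bytes) -> dict:
    opts = parse_dhcp_options(packet)
    return {
        "type": MESSAGE_TYPES.get(opts.get(53, b"\x00")[0], "?"),
        "server_id": ipv4_list(opts[54])[0] if 54 in opts else None,   # option 54
        "router": ipv4_list(opts[3]) if 3 in opts else [],              # option 3
        "dns": ipv4_list(opts[6]) if 6 in opts else [],                 # option 6
    }


def check_offer(packet: bytes, expected_server: str, trusted_dns: set) -> list:
    """Return a list of problems: unexpected DHCP server, or DNS servers not on the allow list."""
    s = summarize_offer(packet)
    problems = []
    if s["server_id"] != expected_server:
        problems.append(f"offer from unexpected DHCP server {s['server_id']}")
    rogue = [d for d in s["dns"] if d not in trusted_dns]
    if rogue:
        problems.append(f"untrusted DNS server(s) pushed: {rogue}")
    return problems


def build_offer(server_id: str, router: str, dns_servers: list) -> bytes:
    """Constructed DHCP OFFER: zeroed BOOTP header + cookie + a minimal option list."""
    def ip(a):
        return ipaddress.IPv4Address(a).packed
    opts = b"".join([
        bytes([53, 1, 2]),                                              # message type OFFER
        bytes([54, 4]) + ip(server_id),                                 # server identifier
        bytes([3, 4]) + ip(router),                                     # default gateway
        bytes([6, 4 * len(dns_servers)]) + b"".join(ip(d) for d in dns_servers),
        bytes([255]),
    ])
    header = bytearray(BOOTP_HEADER_LEN)
    header[0] = 2                                                       # op = BOOTREPLY
    return bytes(header) + MAGIC_COOKIE + opts


# Constructed sample packets (assumed addresses, not a real capture).
LEGIT_OFFER = build_offer("192.168.1.1", "192.168.1.1", ["192.168.1.1"])
ROGUE_OFFER = build_offer("192.168.1.77", "192.168.1.1", ["203.0.113.53"])

if __name__ == "__main__":
    for label, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(label, summarize_offer(pkt), check_offer(pkt, "192.168.1.1", {"192.168.1.1"}))
```

On a real network you would feed `check_offer` the payload of a reply captured on UDP 67/68 (for example from a pcap) instead of the constructed packets. The parser only looks at the options field; it does not validate the rest of the BOOTP header, and it cannot tell you whether the DNS server it finds is trustworthy, only whether it is one you decided to trust in advance.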
  2. #2

    Re: Implicit trust in DNS servers

    Absolute F.U.D.
    No internet server on the web can redirect any home PC to use a different DNS server for its default lookups. It does not happen.

    DHCP - either the user has DHCP from the provider or from his NAT modem or router. The DHCP server is not dictating which DNS server to use.

    No provider has any interest in criminal intent when they give host lookups. If a user looks up trojan sites and goes there, it is the user's business (or fault) and not the provider's fault (that the user is an *****).

    The DNS server(s) can be locked in place in the properties of the network connections as well as the software firewall and also in the router itself. The default selection of DNS servers can be locked in place.

    Your provider is very much interested in getting clients and keeping them and has no interests in any sordid DNS crimes or getting criminal charges and losing their licenses.

    The mention of being secure just using HTTPS is flimsy. It is not used for most regular uses and only holds true for certain secure connections. HTTPS can still be spoofed - even with the trusty gold lock icon.

    Nowhere is it written that you have to use your provider's DNS servers - there are alternative DNS servers to use, or just use another provider's DNS servers (if you do not like your provider's DNS services).

    I think the author needs to do some more research before doing these editorials.

    Oldsod

    Message Edited by Oldsod on 10-14-2007 09:47 AM

  3. #3
    watcher Guest

    Re: Implicit trust in DNS servers

    To All:

    A very good article and, contrary to what Oldsod has stated, it has happened and can happen. The methods can be DNS cache poisoning which affects future lookups from that DNS server and DNS hijacking where the DNS records are illegally altered to point to a different website. Motivations for doing this vary, depending on the attacker.
    In 1997, Eugene Kashpureff inserted fraudulent info into the DNS servers, causing users going to the InterNIC website to be rerouted to his AlterNIC website, a commercial competitor. A press release of this incident is found here: http://www.usdoj.gov/criminal/cybercrime/kashpurepr.htm

    Fortunately, since that time, I believe DNS servers are more secure than what they were back then. That is not, however, a guarantee that it will never happen again. Even if you are redirected, though, there are steps to mitigate this as Oldsod had listed in his post and I concur with him that most ISPs operate within the law.

    WATCHER

  4. #4
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Implicit trust in DNS servers

    The author never mentioned DNS poisoning (which is very rare and does not usually last very long). That is off the topic.
    The biggest concern about DNS changes in the PC happens due to malware infections, which should be automatically stopped by the antivirus in the first place - kind of makes me wonder if the author, representing an AV company, should be espousing this kind of F.U.D.
    If the author espouses not to trust your reputable provider, I really wonder where he comes from. Or does he end up not doing any DNS lookups because he lives in fear? Or does he have his own DNS server (kind of far fetched for the majority, is it not?)
    Best regards.
    oldsod

  5. #5
    watcher Guest

    Re: Implicit trust in DNS servers

    Dear Oldsod:

    I can't argue with you there. I liked the article for its content, not how it was presented. Whether he's using the FUD (fear, uncertainty, and doubt, for forum members who didn't know what that meant) factor, I cannot say. It could certainly be argued for that, based on how he presents the information. However, poor presentation does not imply guilt.

    The author, Ron Bowes, is a Security Response Researcher for Symantec's Security Response team. The following link shows you his articles to date.

    http://www.symantec.com/enterprise/s...ron_bowes.html

    WATCHER

  6. #6
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Implicit trust in DNS servers

    Hi WATCHER

    Oh I agree with you - DNS poisoning does happen and has happened and probably will happen again. DNS poisoning and DNS cache poisoning do show up. It usually does seem to affect enterprise more than anything else, not the average home user.

    Most DNS servers of providers usually cache the DNS hostname listings for maybe a day or two. After that, they create a new list doing new lookups. So does this mean after a day or two, if the DNS server was poisoned, then the bad listings will be replaced?

    Windows does cache some of the DNS lookups (if the DNS Client service is enabled). It usually stores about, what, 30 or 50 host name lookups and deletes the list at shutdown? The ipconfig /flushdns command does clear the DNS cache on the PC.

    Myself, I use OpenDNS instead of my Rogers DNS servers. They seem to be fast and have the promise of being more secure. The DNS server IPs are set in the router for the home LAN, hopefully defeating any malware attempts at changes. Plus the servers are set in the Network connections and the DNS Client is disabled (making all internet applications do their own DNS lookups). The AV usually has the update servers coded in the application, so it should be safe. Opera has allowances to enter the desired host name lookup server, hopefully undermining any malware attempts. Firefox I believe has this feature in the about:config (I think it has to be manually added, but the feature is there). IE should follow the Windows setup - the DNS servers as entered in the network connections.

    Yes, certain malware or certain trojans, if left alone and not stopped, will actually enable the DNS and DHCP clients and change the Windows settings to accept new DNS servers, but the firewall will be stopping the unauthorized DNS attempts. ZoneAlarm should prevent this from happening, and ZoneAlarm does monitor the services, so the changes should be alerted and preventable.

    Cheers, Oldsod


    BTW, if I recall, somewhere in the forum you were seeking some help for fine tuning Firefox. Look at the about:config and its references. The googler and the updater both can be stopped and thus "quiet" down the browser's connecting out. The desired remote ports for the browser connections can be entered plus the wanted DNS server name. Then the unwanted ports and unwanted DNS hosts are blocked off.
    Plus I think it can be enabled for synchronous DNS lookups.
    Opera has all of these listed by default in the opera:config.

    Oldsod

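WATCHER's two mechanisms in post #3 (poisoning a server's cache, and altered records that send users elsewhere) and Oldsod's question in post #6 about whether a poisoned listing is replaced after a day or two both come down to two properties of a caching resolver: what it is willing to accept into its cache, and for how long it keeps it. The following is an added example, not code from any post on this page and not a model of any particular product. It is a toy cache with an assumed structure, using the hypothetical names example.net and example.org and documentation addresses in 198.51.100.0/24. With the bailiwick check on, it refuses an additional-section record for a name outside the zone the answering server is authoritative for (the check real resolvers adopted after the late-1990s poisoning incidents); with the check off, it shows the behaviour Oldsod asks about: the bad record survives until its own TTL, which the attacker chose, runs out or the cache is flushed.

```python
"""Toy caching-resolver model: bailiwick filtering on ingest and TTL expiry on
lookup. Responses below are constructed for the example; names and addresses
are hypothetical (example.net / example.org, 198.51.100.0/24)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str
    ttl: int        # seconds the record may be cached


@dataclass
class Response:
    zone: str       # zone the answering server is authoritative for (its bailiwick)
    answer: list
    additional: list


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies beneath it (case-insensitive)."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return zone == "" or name == zone or name.endswith("." + zone)


class Cache:
    """Cache keyed by (name, type); each entry carries an absolute expiry time."""

    def __init__(self, bailiwick_check: bool = True):
        self.bailiwick_check = bailiwick_check
        self._entries = {}

    def ingest(self, resp: Response, now: int):
        """Store the records of a response; return (accepted, dropped) lists."""
        accepted, dropped = [], []
        for rr in resp.answer + resp.additional:
            if self.bailiwick_check and not in_bailiwick(rr.name, resp.zone):
                dropped.append(rr)          # a server may not speak for other zones
                continue
            key = (rr.name.lower().rstrip("."), rr.rtype)
            self._entries[key] = (rr.rdata, now + rr.ttl)
            accepted.append(rr)
        return accepted, dropped

    def lookup(self, name: str, rtype: str, now: int):
        """Return cached rdata, or None if absent or expired (expired entries are evicted)."""
        key = (name.lower().rstrip("."), rtype)
        hit = self._entries.get(key)
        if hit is None:
            return None
        rdata, expires_at = hit
        if now >= expires_at:
            del self._entries[key]
            return None
        return rdata

    def flush(self):
        """Drop everything, the cache-side equivalent of ipconfig /flushdns."""
        self._entries.clear()


def poisoning_demo(bailiwick_check: bool, now: int = 0):
    """Feed one constructed reply from the example.net server: a genuine answer for
    www.example.net plus a smuggled additional record claiming an address for
    www.example.org, a name example.net's server has no authority over."""
    cache = Cache(bailiwick_check)
    resp = Response(
        zone="example.net",
        answer=[RR("www.example.net", "A", "198.51.100.10", 3600)],
        additional=[RR("www.example.org", "A", "198.51.100.66", 86400)],
    )
    accepted, dropped = cache.ingest(resp, now)
    return cache, [r.name for r in accepted], [r.name for r in dropped]


if __name__ == "__main__":
    for strict in (True, False):
        cache, acc, drop = poisoning_demo(strict)
        print("bailiwick check", strict, "accepted", acc, "dropped", drop)
        for t in (0, 86399, 86400):
            print("  t=%d www.example.org ->" % t, cache.lookup("www.example.org", "A", t))
```

The model leaves out everything else a real resolver does against poisoning (random source ports and transaction IDs, checks on delegation and glue, and DNSSEC validation where it is deployed), so it answers only the narrow question: a cache that accepts out-of-zone records keeps the forged one for exactly the TTL the forger set, a day in this constructed case, and nothing about the provider's normal refresh cycle shortens that.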
  7. #7
    watcher Guest

    Re: Implicit trust in DNS servers

    Dear Oldsod:

    Re your question in paragraph 2, I can only tell you what I know, which isn't much, on this subject. If a DNS query cannot be resolved by your DNS server, typically the ISP's, it passes the query up a hierarchy to a higher-authority name server, usually the ISP's carrier. There might be even higher-authority name servers above that, but at the top are 13 root servers, the ultimate authorities, for all the TLDs (.com, .net, etc.). They're all database servers but distributed, so taking out 1 or more is not catastrophic to the Internet. As I understand it, root servers will contain all the naming authorities for their respective TLD. Down 1 level from that, the carrier's (probably), is where all the authoritative IP addresses are stored which update (replication) the carrier's ISP DNS servers, the next level down. The ISP caches its subset of the database during synchronization with the naming authority. When synchronization takes place or how long the records are cached are probably configurable on the DNS servers. When we studied cache servers for Web content, a company could configure when to update web pages. In that case, a site like www.yahoo.com, with its rapidly changing content, would be updated with a higher frequency than, say, a static website. Anyway, I would imagine that the higher up this hierarchy, the more network security would be found, making an attack very unlikely. Even ISP DNS servers, at the bottom, would be difficult because, as you pointed out, they do not want to end up in the news having to explain a breach.

    As for my PC, I keep the DNS cache turned off. In XP, the same port is left open for all DNS queries unless you make a Registry edit so that it is like Windows 2000 was, closing the port after each query.

    As for using other DNS servers, that's a good idea. However, I would assume a faster DNS server would soon slow down once everyone started using it. Depending upon their hardware capabilities, each has a certain connection limit. That's why DDoS attacks are so successful.

    I agree that having ZA on your computer would probably protect you against this as would configuration of your NICs with the DNS server IP addresses. Even if it didn't, I have other security software that probably would.

    WATCHER

  8. #8
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Implicit trust in DNS servers

    Hi WATCHER

    I found some extra here, here and here. Fairly detailed. Some basic info is here.

    Using OpenDNS since last December and have been pleased so far. They have been adding new servers and expanding the capacity - still faster than Rogers.
    True, the DDoS attacks are worrisome for dns servers.
    Cheers, Oldsod

  9. #9
    unojack Guest

    Re: Implicit trust in DNS servers

    Hi Guru Oldsod,

    I find your post very interesting and therefore went to the OpenDNS site, which gave me DNS servers to use. I have found that it has already helped my speed in connecting to other sites, and I would like to thank you for taking the time in making this post, so others will benefit by it. At the OpenDNS site, they have an option, if anyone is interested, of opening a free account with additional benefits. Did you take advantage of this option, if you don't mind me asking? And if you did, what other benefits does the OpenDNS site have to offer for free? In other words, would it be a good idea to open the free account with additional free benefits, or just use the basic OpenDNS server addresses, without the free account? Sorry to be so confusing, as perhaps others may be interested also. I have been following you around on this forum; I must say you know your computer/security information quite well, as do many of the other Gurus and Senior Contributors.

    Sorry to make this so long.

    Thank you Guru Oldsod and have a nice day.

    UnoJack

  10. #10
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Implicit trust in DNS servers

    Hi UnoJack

    I never used the account or its benefits.
    But there are some customizations allowed with the account for filtering certain web content (some ads, pornographic or adult site content, certain unwanted sites, etc.) that would definitely benefit families or businesses. This will prevent connections to the sites and maybe help give the parents some additional protection/security by stopping unwanted content. If you are concerned about bad web content, then having your DNS lookups customized is a definite plus and should be pursued.

    As for the phishing filter they use, I have seen it kick in a few times - along with some "bad" sites being blocked off (good things to happen in both cases). That is something my provider never did.

    Cheers, Oldsod
