63 Comments
- sockpuppets, on 12/13/2007, -1/+19: This is slashdot, right?
- inactive, on 12/13/2007, -0/+15: I call BS. I read security articles about this nonsense all the time and in almost every case it is based on a proof of concept and not reality. Yes, it is possible to poison an open recursive server. Yes, I see people trying to poison my servers from time to time. But...
1) The server then has to be used by someone internal to that network that is using it for their recursive entries. People will not be hitting that DNS server from the outside for the authoritative requests, nor will they be using it as recursive. Most companies have internal and external DNS servers. The servers in your corporate network are not likely forwarding recursive requests to your perimeter DNS servers for anything non-authoritative.
2) The person inside the network containing the screwy DNS config must request the poisoned entry to be attacked.
3) Most DNS servers, even the ones without ACLs on recursive lookups, will eventually expire the garbage entries.
4) Most perimeter DNS servers are used for serving up authoritative zones. See #1. This attack will not work against those zones unless this is an unpatched Microsoft DNS server. It is extremely rare for a perimeter server to be running MS.
5) Very few people run Microsoft DNS servers on their external network, and if they do, then it is their own fault for doing such a crazy thing. Don't bother flaming me on this, as hopefully you know this is a very bad idea. It is easy to export your zones from MS into a bind config. Now where I could see a problem is if rogue infected machines in a corporate network are corrupting the cache in the AD/Microsoft corporate name servers. This is not a matter of the server being recursive, but a matter of the server not being patched. There has been a patch out for quite some time and even a workaround to nullify that bug. To say that internal DNS servers should not allow recursive would be lame. (No pun intended)
- OKeric, on 05/12/2008, -3/+18: I guess the safest way to browse the web is to use the site's IP address.
- thailand1972, on 12/13/2007, -0/+12: I see your "some" and raise you "99%"
- theNazz, on 12/13/2007, -1/+13: They're dumping poisons to force the surfers to go somewhere else so they can fish?
That's so evil...
- nitsnipe, on 12/13/2007, -0/+10: God damn it, it's been ages since I used to "browse the net" through a UNIX system. I'd hate having to scribble IP addresses all over my desk ALL OVER AGAIN.
Which way are we moving, forwards? backwards? or stuck in a loop?
- inactive, on 12/13/2007, -0/+8: As a prank, I say we start an official project to make a master hosts file for the entire internet.
- Anub1s, on 12/13/2007, -0/+8: Is that what a loop does? Wow, had no idea...
- drakia, on 12/13/2007, -0/+6: Problem, some IPs host multiple websites...
- tybris, on 12/13/2007, -0/+6: I'd tell you to RTFA, but the article is so crappy that that wouldn't help; you would have to read the PCWorld article. They are using Windows exploits to change the DNS server you use. OpenDNS wouldn't help.
- manitoba98xp, on 12/13/2007, -0/+5: Using OpenDNS won't defend you, because the attack isn't on the DNS servers themselves. In this attack, malware changes your DNS server settings, so it would switch you off OpenDNS.
- Stalks, on 12/13/2007, -0/+5: Unfortunately most web servers use the HTTP HOST attribute to pick the correct site, which makes it inconvenient, as you would need to create your own DNS or hosts-file entry.
- XStatic, on 12/13/2007, -4/+9: Yet another reason to use OpenDNS
http://www.opendns.com
"Using OpenDNS reduces the possibility of pharming and cache poisoning attacks, due to its unique handling of DNS requests and multiple levels of validation applied to all DNS queries. OpenDNS users are not only protected from cache poisoning attacks, but many other significant Internet attacks as well."
- dvsbastard, on 12/13/2007, -2/+6: That isn't so troubling provided these sites use secure connections. Correct me if I am wrong, but if the domain and IP don't match the certificate, then the user will be informed that it is invalid...
Now, if after that you are still willing to continue providing your personal banking details, then odds are you are going to lose your money to another scam one way or another...
- inactive, on 12/13/2007, -1/+5: DNS and the cert have to match. It has nothing to do with the IP address. To perform this attack against a site using SSL, you would have to steal their private and public keys, or perform a man-in-the-middle attack, which can be performed against SSL, but it is quite difficult for most people to do because of the physical access requirements. Google "ettercap". :-)
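The two comments above disagree on what the certificate is checked against. An added example, not posted by any commenter, of the check a browser actually performs: the name the user typed is compared against the DNS names (or IP addresses) listed in the certificate, and the IP the resolver returned plays no part. All certificate contents, host names and the 203.0.113.10 address are constructed for the example. It also covers the IP-bookmark idea raised elsewhere in the thread: an IP literal in the URL only matches an IP entry in the certificate.

```python
import ipaddress


def _dns_name_matches(presented: str, reference: str) -> bool:
    """Compare one DNS name from the certificate with the name the user asked for.

    Follows the usual browser rules: case-insensitive exact match, or a wildcard
    that stands for exactly one left-most label (so '*.bank.example' covers
    'www.bank.example' but not 'bank.example' or 'a.b.bank.example').
    """
    presented = presented.lower().rstrip(".")
    reference = reference.lower().rstrip(".")
    if presented == reference:
        return True
    if not presented.startswith("*."):
        return False
    p_labels = presented.split(".")
    r_labels = reference.split(".")
    # Same number of labels, at least two fixed labels after the '*', and a
    # non-empty left-most label on the reference side.
    if len(p_labels) != len(r_labels) or len(p_labels) < 3 or r_labels[0] == "":
        return False
    return p_labels[1:] == r_labels[1:]


def certificate_matches(requested_host: str, san_entries) -> bool:
    """True if the certificate's subjectAltName covers what the user typed.

    requested_host: the host part of the URL the user entered.
    san_entries:    list of ("DNS", name) or ("IP", address) tuples, modelling
                    the certificate's subjectAltName extension (constructed).
    """
    try:
        requested_ip = ipaddress.ip_address(requested_host)
    except ValueError:
        requested_ip = None
    for kind, value in san_entries:
        if requested_ip is not None:
            # An IP literal in the URL only matches an iPAddress SAN entry.
            if kind == "IP" and ipaddress.ip_address(value) == requested_ip:
                return True
        elif kind == "DNS" and _dns_name_matches(value, requested_host):
            return True
    return False


# Constructed scenario: the bank's real certificate versus the certificate a
# rogue server would present after a poisoned or malware-altered resolver
# points bank.example at it.
BANK_CERT_SAN = [("DNS", "bank.example"), ("DNS", "www.bank.example")]
ROGUE_CERT_SAN = [("DNS", "*.rogue.example")]


def browser_verdict(requested_host: str, served_cert_san) -> str:
    """What the browser shows once the TLS handshake delivers the server's certificate."""
    if certificate_matches(requested_host, served_cert_san):
        return "ok"
    return "warning: certificate name mismatch"


if __name__ == "__main__":
    print(browser_verdict("www.bank.example", BANK_CERT_SAN))   # ok
    print(browser_verdict("www.bank.example", ROGUE_CERT_SAN))  # warning: certificate name mismatch
    print(browser_verdict("203.0.113.10", BANK_CERT_SAN))       # warning: certificate name mismatch
```

The rogue server can only pass this check with a certificate carrying the bank's name, which is why the comment points at stolen keys or an active man-in-the-middle rather than at the DNS answer itself; a user who clicks through the warning defeats the check entirely.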
- MacSuxWindozSux, on 12/13/2007, -0/+4: Assuming you HAD to do this, you could just make bookmarks of all your favorite sites, using IP addresses, and then just use the buttons.
- ScottyMcBaggs, on 12/13/2007, -0/+4: WTF? How is DNS poisoning 'new'? Buried.
- ioral, on 12/13/2007, -0/+3: That's what the x coordinate of a loop projected in a plane does.
/you meant cosine, right, minitrollster?
- inactive, on 12/13/2007, -1/+4: I guess firewall programs need to keep a DNS cache of past domain requests and compare it with new DNS information that was requested. And DNS servers need to secure and monitor themselves more.
- inactive, on 12/13/2007, -0/+3: They are probably referring to the "high assurance" green bar in MSIE7, unless I am giving them too much credit. That refers to the extra certificates that are used to validate the true origin of the site and not just the encryption and CA. If that is what they were referring to, then it does actually have something to do with this, but indirectly. If someone poisons DNS and you visit a site that is expected to have that cert, then the bar will turn red. This of course is yet another scam cooked up by Microsoft, Network Solutions, and a few other big companies that found a way to make you pay more for SSL certs. Many companies will get suckered into buying this crap. Oh, and there is a plugin for Firefox to perform this check as well and turn the bar green.
- case42tlc, on 12/13/2007, -2/+5: Various kinds of malware have been growing exponentially for the last several years. There is no technical solution, and this has the potential to render the web unusable. The only solution I can see is the imposition of unjust, unreasonable prison terms, I'm talking life without parole for a first offense, for anyone who creates and distributes any kind of malware.
- Ladadadada, on 12/13/2007, -0/+3: The original article from PC World doesn't even mention poisoning at all. (Although it does say "DNS servers, which are used to tell computers how to find each other on the Internet by translating domain names like google.com into numerical Internet Protocol addresses." which is really somewhat out of place in a security related article. If you don't know that bit already then the rest of the article isn't going to make any sense.)
A succinct summary of the entire article would be: Hackers are running malicious DNS servers and change your network settings to use them once they get a trojan on your machine.
It's not really even an attack vector. It's simply a way of further attacking people who have already had their machines compromised once.
- JimV, on 12/13/2007, -1/+4: I use OpenDNS. I wonder if they're affected? They seem to be quite a bit better than the average DNS server.
- FunkyPits, on 12/13/2007, -1/+4: Did you read the article or was this just you jumping at the chance to look like an asshat?
- antdude, on 12/13/2007, -0/+2: And how big will that file be? :P
I can't even use hphost's file in Windows XP without it hogging my system down. :( Spybot's hosts are fine though.
- jacquesm, on 12/13/2007, -1/+3: They already do, and I wish they didn't.
- drakia, on 12/13/2007, -0/+2: I think that's called oscillation...
- GfunkGbuss, on 12/13/2007, -0/+2: And here I thought that was illegal in 47 states.
- kalkin, on 12/13/2007, -0/+2: Nice idea. Although, assuming your DNS servers are bad, wouldn't reverse DNS still take you to the malicious site?
- OwdenBowden, on 12/13/2007, -0/+2: I can see it now. For books go to http://207.171.166.102 (formerly known as Amazon.com)
- jellygraph, on 12/13/2007, -0/+2: In each other's butts.... forever...
- inactive, on 12/13/2007, -0/+1: You would have to be an ***** Windows OS PC 2000 or earlier user, Unix as well, to fall into this trap. Most of us savvy enough can and have been successfully avoiding this age-old miner's dive. This is only going to affect the user who barely knows how to turn their PC on.
Educate yourselves or die.
- inactive, on 12/13/2007, -0/+1: You mean links, lynx, curl and wget.
- HentaiJeff, on 12/13/2007, -0/+1: Tell that to Comcast and Time Warner.
- xram12, on 12/13/2007, -1/+2: I say we shoot the bastards.
- forgiste, on 12/13/2007, -1/+2: If only Google ruled the internet.
- tylerszabo, on 12/13/2007, -0/+1: This adds another reason that sites should be cryptographically signed, and even better: certified by an authority. (Remember to save all certificates that you confirm are genuine; you don't want a man-in-the-middle attack to creep up on you ;) ).
- inactive, on 12/13/2007, -0/+1: That would be easy to detect and block in corporate networks. Block all outbound DNS requests from anything that isn't an approved DNS server. The same model can be reproduced in a home, though most non-technical people won't bother. DNS requests at my home have to go through my caching name server. I block all traffic unless it passes through the caching name server and HTTP proxy. It isn't bulletproof, but it helps protect any guests that I have plug into my network.
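An added example, not from the commenter, of the two halves of the approach just described: the egress rule that lets only the approved caching resolver send DNS out of the network, and a detection pass over firewall flow logs that lists which internal clients are already querying resolvers nobody approved, which is the visible symptom of malware having rewritten a machine's DNS settings. The log format, the 10.0.0.0/8 internal range, the 10.0.0.53 resolver and every address in the sample log are constructed for the example; no real product writes logs in exactly this shape.

```python
import ipaddress
import re
from collections import defaultdict

# Flow-log format assumed for this example (constructed, not any product's format):
#   <timestamp> <ALLOW|DENY> <udp|tcp> <src>:<sport> -> <dst>:<dport>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>udp|tcp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")      # constructed site range
APPROVED_RESOLVERS = frozenset({"10.0.0.53"})          # the site's own caching name server

# Constructed sample log: two clients, one of which (10.0.1.40) is talking to
# resolvers nobody approved, the symptom of malware-altered DNS settings.
SAMPLE_LOG = """\
2007-12-13T09:58:01 ALLOW udp 10.0.1.25:51234 -> 10.0.0.53:53
2007-12-13T09:58:01 ALLOW udp 10.0.0.53:40001 -> 198.51.100.1:53
2007-12-13T09:58:03 ALLOW udp 10.0.1.40:49152 -> 203.0.113.7:53
2007-12-13T09:58:04 ALLOW tcp 10.0.1.40:49153 -> 203.0.113.7:53
2007-12-13T09:58:05 ALLOW udp 10.0.1.40:49154 -> 203.0.113.8:53
2007-12-13T09:58:06 ALLOW tcp 10.0.1.25:51300 -> 198.51.100.20:80
this line is not a flow record and is skipped
""".splitlines()


def parse_flow(line: str):
    """Parse one log line into a dict, or return None if it is not a flow record."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    flow = m.groupdict()
    flow["sport"] = int(flow["sport"])
    flow["dport"] = int(flow["dport"])
    return flow


def egress_dns_allowed(flow: dict, approved=APPROVED_RESOLVERS) -> bool:
    """The perimeter rule the comment describes: only approved resolvers may
    send DNS (port 53) out of the network. Non-DNS traffic and DNS that stays
    inside the network are not this rule's concern."""
    if flow["dport"] != 53 or ipaddress.ip_address(flow["dst"]) in INTERNAL_NET:
        return True
    return flow["src"] in approved


def find_rogue_dns_clients(lines, approved=APPROVED_RESOLVERS) -> dict:
    """Detection over a log from before the rule is enforced: map each internal
    client to the unapproved resolvers it queried directly."""
    hits = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow["dport"] != 53:
            continue
        if flow["src"] in approved or flow["dst"] in approved:
            continue   # via the caching resolver, or the resolver's own upstream queries
        hits[flow["src"]].add(flow["dst"])
    return {client: sorted(resolvers) for client, resolvers in hits.items()}


def count_blocked(lines, approved=APPROVED_RESOLVERS) -> int:
    """How many of the logged flows the egress rule would have dropped."""
    flows = (parse_flow(line) for line in lines)
    return sum(1 for f in flows if f is not None and not egress_dns_allowed(f, approved))


if __name__ == "__main__":
    for client, resolvers in find_rogue_dns_clients(SAMPLE_LOG).items():
        print(f"{client} queried unapproved resolvers: {', '.join(resolvers)}")
    print("flows the egress rule would block:", count_blocked(SAMPLE_LOG))
```

Run against the sample log, the detection pass names 10.0.1.40 and the two outside resolvers it used, while the legitimate path (client to 10.0.0.53, and 10.0.0.53 to its upstream) is left alone. Enforcing the rule at the perimeter is what turns a quiet rewrite of a client's resolver setting into a visible failure to resolve, which is exactly what you want from such a change.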
- Ladadadada, on 12/13/2007, -0/+1: WTF? This has about as much to do with Windows as I do.
This is an article about using rogue DNS servers to direct traffic at your malicious servers. An existing trojan changes your network settings to use the malicious DNS servers.
What makes you think this has anything to do with Windows and nothing to do with DNS?
Of course, you were right about it being a poorly written article.
- kd1s, on 12/13/2007, -0/+1: So basically we're going to have to roll with authenticated DNS queries. This all results from the hierarchical nature of DNS. So you get your first lookup from your ISP. Ultimately the blame for this falls to ICANN.
- manitoba98xp, on 12/13/2007, -0/+1: I imagine you mean using telnet (or a similar tool) to connect directly to port 80, so you can issue the HTTP commands (and the corresponding Host header, of course).
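Several comments turn on the same point: a web server that hosts more than one site on an IP address picks the site from the Host header, so a bookmark or raw connection by IP alone lands on whatever the server serves by default. An added example, not from any commenter, that builds the request you would type into a raw port-80 connection and parses it the way a name-based virtual-hosting server does. The virtual-host table, site names and the 203.0.113.10 address are constructed; the parser handles host names and IPv4 literals only (bracketed IPv6 hosts are not handled).

```python
# Constructed virtual-host table: several sites sharing one IP address.
VHOSTS = {
    "books.example": "bookstore front page",
    "mail.example": "webmail login page",
}
DEFAULT_SITE = "server's default placeholder page"


def build_request(host: str, path: str = "/") -> bytes:
    """The request you would type into a raw port-80 connection: the Host
    header is what lets the server pick the right site."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, target, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        if not h:
            continue
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def dispatch(raw: bytes, vhosts=VHOSTS, default=DEFAULT_SITE):
    """Pick the site the way a name-based virtual-hosting server does.

    Returns (status, page). HTTP/1.1 requires Host, so its absence is a 400;
    an unknown Host, including a bare IP address, gets the default site.
    """
    method, target, version, headers = parse_request(raw)
    host = headers.get("host")
    if host is None:
        if version == "HTTP/1.1":
            return 400, None
        return 200, default          # HTTP/1.0 never had a Host header
    host = host.split(":", 1)[0].lower().rstrip(".")   # drop any :port suffix
    return 200, vhosts.get(host, default)


if __name__ == "__main__":
    print(dispatch(build_request("books.example")))   # (200, 'bookstore front page')
    print(dispatch(build_request("203.0.113.10")))    # (200, "server's default placeholder page")
    print(dispatch(b"GET / HTTP/1.1\r\n\r\n"))        # (400, None)
```

Typing http://203.0.113.10/ into a browser sends `Host: 203.0.113.10`, which matches no entry in the table, so the IP-bookmark idea only works for sites that sit alone on their address; a hosts-file entry restores the name the server needs without trusting the resolver.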
- MacSuxWindozSux, on 12/13/2007, -0/+1: I just dugg you up and I didn't mean to.
Reason being:
DNS takes the name of the website and gets the IP address so you can connect.
Why on earth would you need a reverse DNS? You don't.
It's like me needing to phone you. Where normally I look your name up in the phone book to get your number, I don't need your real name if I just have your number in the first place.
- WilliamDavis, on 12/13/2007, -0/+1: If you rely on Digg for traffic, everything is "New." Uh, or "Breaking:"
- DrStrabismus, on 12/13/2007, -0/+1: evil and aquatic
- JimV, on 12/15/2007, -0/+1: Ah, I only read about half of the article and it sounded like they were hijacking DNS servers.
- Error601, on 12/13/2007, -0/+1: This is pretty much the ultimate of "not new".
- kalkin, on 12/14/2007, -0/+1: I understand you trying to apply logic to it, but the bottom line is reverse lookup is an in-built feature of DNS. Sorry if that doesn't sit well with you - this is just the way it is.
- kalkin, on 12/13/2007, -0/+1: I agree with the first 5 words of your comment. It was poorly written. I mean, does it affect machines behind a NAT router? Does it attack the router or the host? There were no details, only scare-mongering.
- michaelzhao, on 12/13/2007, -1/+1: Hmm... shouldn't you be studying for your final today instead of being on Digg?
Oh yeah... nvm... *closes Digg*
- CaffeinePowered, on 12/13/2007, -1/+1: Why bother phishing when you can just redirect people to 2girls1cup ;)