Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 29

Thread: A new threat?

  1. #11
    Join Date
    Mar 2011
    Beans
    671

    Re: A new threat?

    Quote Originally Posted by jsvidyad View Post
    Any suggestions for how to set up dnscrypt in kubuntu 10.04 and ubuntu 12.04?
    https://insanitybit.wordpress.com/20...2-04-system-8/

    I wrote that a while back. It may still be relevant if they haven't changed anything.

  2. #12
    Join Date
    Jul 2005
    Beans
    412

    Re: A new threat?

    From what I've seen so far, there seems to be issues in getting DNScrypt to work with ubuntu. Do you think it is actually necessary to adopt DNScrypt at all. Will it be enough if I specify trusted DNS servers on my computer itself instead of relying on my router or my ISP to specify the DNS servers? If I specify DNS servers on my computer, can an attacker still redirect my DNS traffic/requests to a malicious DNS server other than the DNS servers specified on my computer? Aren't the DNS server IP addresses specified in the packets sent out by my computer? So, how can such a re-direction take place?

    The website I gave in my initial post talks about the ISP re-directing traffic even with a different DNS server(other than the ISP provided DNS servers) specified on the router. Can an attacker do the same with the DNS servers specified on the computer itself?

  3. #13
    Join Date
    May 2011
    Beans
    159
    Distro
    Xubuntu

    Re: A new threat?

    DNS Poisoning, and you don't have to hack any routers

  4. #14
    Join Date
    Jul 2005
    Beans
    412

    Re: A new threat?

    That's interesting. But, you still haven't answered the question I asked in the post above yours.

  5. #15
    Join Date
    Jun 2012
    Beans
    301

    Re: A new threat?

    over time i have reflected on DNS spoofing as well as the Man in the Middle attack. Both of these are designed to re-direct your computer to a Bad Place

    IMHO these attacks are facilitated by our incomplete handling of the keys used in x.509 certificates: we really do not take the trouble to validate even the high level CA that we trust to sign certificates for all the various web sites that are out there

    here's my view of this issue:


    To really understand this you will need to understand the Trust Model that is used with Public Key Encryption:

    the "gist" of it is simple: nothing is trusted until I have performed Due Diligence and validated whatever key(s) I need to trust.

    For starters I would need to find the "fingerprint" for (e.g.) VeriSign's key. Then I would check their x.509 certificate and when I had veriifed their fingerprint I would sign therir certificate and set the Trust level to approve them to sign for other certificates.

    Having done this, if a hacker tries to present a web page that appears to be validated by VeriSign -- by just making it look good -- that page will appear with an UNTRUSTED signature .... and the detection requirement for security is effected.

    Sadly all of the above is "too much to trouble the customer with" at least in the view of the marketing people

    of course the Governor of South Carolina may now be a bit more interested in this sort of thing...

    in all fairness I should note that your x.509 certificates are delivered to your system by your browser OEM. They should be OK.
    Last edited by mike acker; November 24th, 2012 at 03:07 PM. Reason: typing

  6. #16
    Join Date
    Nov 2009
    Beans
    919
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: A new threat?

    Quote Originally Posted by jsvidyad View Post
    The website I gave in my initial post talks about the ISP re-directing traffic even with a different DNS server(other than the ISP provided DNS servers) specified on the router. Can an attacker do the same with the DNS servers specified on the computer itself?
    These are basically 2 different things if the ISPs are doing what I suspect. In the case of ISP redirections, even if you use alternative DNS, you are still sending requests and receiving responses over the ISP's infrastructure, so if the traffic is in the clear and you request a domain that doesn't exist, the ISP can intercept the NXDOMAIN response and serve the page with the ads on it anyway. That, I believe, is why something like DNSCrypt has been proposed as a solution. In this case the ISP is not changing the user's DNS server settings, they're just running a MiTM on the network traffic.

    If someone can get sufficient access to change DNS settings locally on your computer, they can also do anything else they want to with it, at least there on the local system. They probably won't be intercepting and manipulating network traffic, though.

    So the difference is, the ISP can do it because they own the network infrastructure, but the attacker only owns your computer itself.

  7. #17
    Join Date
    Jul 2005
    Beans
    412

    Re: A new threat?

    Hello, can someone please reply to the question I asked in my earlier post. I am giving that post below for your reference:

    From what I've seen so far, there seems to be issues in getting DNScrypt to work with ubuntu. Do you think it is actually necessary to adopt DNScrypt at all. Will it be enough if I specify trusted DNS servers on my computer itself instead of relying on my router or my ISP to specify the DNS servers? If I specify DNS servers on my computer, can an attacker still redirect my DNS traffic/requests to a malicious DNS server other than the DNS servers specified on my computer? Aren't the DNS server IP addresses specified in the packets sent out by my computer? So, how can such a re-direction take place?

    The website I gave in my initial post talks about the ISP re-directing traffic even with a different DNS server(other than the ISP provided DNS servers) specified on the router. Can an attacker do the same when the DNS servers are specified on the computer itself?

  8. #18
    Join Date
    Oct 2012
    Beans
    55

    Re: A new threat?

    Quote Originally Posted by jsvidyad View Post
    From what I've seen so far, there seems to be issues in getting DNScrypt to work with ubuntu. Do you think it is actually necessary to adopt DNScrypt at all. Will it be enough if I specify trusted DNS servers on my computer itself instead of relying on my router or my ISP to specify the DNS servers? If I specify DNS servers on my computer, can an attacker still redirect my DNS traffic/requests to a malicious DNS server other than the DNS servers specified on my computer? Aren't the DNS server IP addresses specified in the packets sent out by my computer? So, how can such a re-direction take place?

    The website I gave in my initial post talks about the ISP re-directing traffic even with a different DNS server(other than the ISP provided DNS servers) specified on the router. Can an attacker do the same with the DNS servers specified on the computer itself?
    I found no difficulty setting up DNScrypt in ubuntu 12.04 (and if I can do it anyone can).

    I followed this:
    http://www.webupd8.org/2012/02/encry...inux-with.html
    It seems to work (ie it connects to OpenDNS, I wouldn't have a clue if it actually encrypts)

  9. #19
    Join Date
    Jul 2005
    Beans
    412

    Re: A new threat?

    Quote Originally Posted by OpSecShellshock View Post
    These are basically 2 different things if the ISPs are doing what I suspect. In the case of ISP redirections, even if you use alternative DNS, you are still sending requests and receiving responses over the ISP's infrastructure, so if the traffic is in the clear and you request a domain that doesn't exist, the ISP can intercept the NXDOMAIN response and serve the page with the ads on it anyway. That, I believe, is why something like DNSCrypt has been proposed as a solution. In this case the ISP is not changing the user's DNS server settings, they're just running a MiTM on the network traffic.

    If someone can get sufficient access to change DNS settings locally on your computer, they can also do anything else they want to with it, at least there on the local system. They probably won't be intercepting and manipulating network traffic, though.

    So the difference is, the ISP can do it because they own the network infrastructure, but the attacker only owns your computer itself.

    Hello, I guess my post wasn't too clear. What I wanted to ask was can an attacker do the kind of re-direction the ISP does in that article even in the case when I specify trusted DNS servers in my computer itself. I was not asking what happens if an attacker can change DNS servers on my computer. Sorry! My bad.

  10. #20
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    5,571
    Distro
    Xubuntu 14.10 Utopic Unicorn

    Re: A new threat?

    Quote Originally Posted by jsvidyad View Post
    From what I've seen so far, there seems to be issues in getting DNScrypt to work with ubuntu. Do you think it is actually necessary to adopt DNScrypt at all.
    That is your decision. Depends how paranoid you feel. At some point, you have to ask yourself if you really trust the OpenDNS servers (or their information sources).
    Will it be enough if I specify trusted DNS servers on my computer itself instead of relying on my router or my ISP to specify the DNS servers? If I specify DNS servers on my computer, can an attacker still redirect my DNS traffic/requests to a malicious DNS server other than the DNS servers specified on my computer?
    No and yes. No, specifying the IP address of a trusted server is not enopugh. Yes, and attacker can still redirect your DNS requests, or (more likely) just impersonate the DNS server you asked for. In my opinion that is "wire fraud" and is a criminal offence in many countries, but ISPs seem to get away with it anyway.
    Aren't the DNS server IP addresses specified in the packets sent out by my computer? So, how can such a re-direction take place?
    The ISP's equipment is forwarding your packets/messages. They are perfectly able to read your packets and substitude different contents whenever they want to. This could include redirecting or falsifying DNS queries or even connections to servers. This kind of message tampering is what encryption is trying to prevent.
    The website I gave in my initial post talks about the ISP re-directing traffic even with a different DNS server(other than the ISP provided DNS servers) specified on the router. Can an attacker do the same with the DNS servers specified on the computer itself?
    Yes. If the attacker controls any equipment along the path between your PC and some other computer you wish to talk to, he can simply monitor the connection, or fully impersonate whatever server you think you are talking to. Several ISPs simply modify the "DNS name not found" message (called NXDOMAIN) from DNS servers to send you to their own servers which then serve you pay-per-click adverts instead.
    Last edited by The Cog; November 24th, 2012 at 05:49 PM.

Page 2 of 3 FirstFirst 123 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •