https://insanitybit.wordpress.com/20...2-04-system-8/
I wrote that a while back. It may still be relevant if they haven't changed anything.
From what I've seen so far, there seem to be issues in getting DNScrypt to work with Ubuntu. Do you think it is actually necessary to adopt DNScrypt at all? Will it be enough if I specify trusted DNS servers on my computer itself instead of relying on my router or my ISP to specify the DNS servers? If I specify DNS servers on my computer, can an attacker still redirect my DNS traffic/requests to a malicious DNS server other than the DNS servers specified on my computer? Aren't the DNS server IP addresses specified in the packets sent out by my computer? So, how can such a re-direction take place?
The website I gave in my initial post talks about the ISP re-directing traffic even with a different DNS server (other than the ISP-provided DNS servers) specified on the router. Can an attacker do the same with the DNS servers specified on the computer itself?
DNS Poisoning, and you don't have to hack any routers
That's interesting. But, you still haven't answered the question I asked in the post above yours.
Over time I have reflected on DNS spoofing as well as the Man in the Middle attack. Both of these are designed to re-direct your computer to a Bad Place.
IMHO these attacks are facilitated by our incomplete handling of the keys used in x.509 certificates: we really do not take the trouble to validate even the high level CA that we trust to sign certificates for all the various web sites that are out there.
Here's my view of this issue:
To really understand this you will need to understand the Trust Model that is used with Public Key Encryption:
the "gist" of it is simple: nothing is trusted until I have performed Due Diligence and validated whatever key(s) I need to trust.
For starters I would need to find the "fingerprint" for (e.g.) VeriSign's key. Then I would check their x.509 certificate and when I had verified their fingerprint I would sign their certificate and set the Trust level to approve them to sign for other certificates.
Having done this, if a hacker tries to present a web page that appears to be validated by VeriSign -- by just making it look good -- that page will appear with an UNTRUSTED signature .... and the detection requirement for security is effected.
Sadly all of the above is "too much to trouble the customer with", at least in the view of the marketing people.
Of course the Governor of South Carolina may now be a bit more interested in this sort of thing...
In all fairness I should note that your x.509 certificates are delivered to your system by your browser OEM. They should be OK.
Last edited by mike acker; November 24th, 2012 at 03:07 PM. Reason: typing
These are basically 2 different things if the ISPs are doing what I suspect. In the case of ISP redirections, even if you use alternative DNS, you are still sending requests and receiving responses over the ISP's infrastructure, so if the traffic is in the clear and you request a domain that doesn't exist, the ISP can intercept the NXDOMAIN response and serve the page with the ads on it anyway. That, I believe, is why something like DNSCrypt has been proposed as a solution. In this case the ISP is not changing the user's DNS server settings, they're just running a MiTM on the network traffic.
If someone can get sufficient access to change DNS settings locally on your computer, they can also do anything else they want to with it, at least there on the local system. They probably won't be intercepting and manipulating network traffic, though.
So the difference is, the ISP can do it because they own the network infrastructure, but the attacker only owns your computer itself.
Hello, can someone please reply to the question I asked in my earlier post. I am giving that post below for your reference:
From what I've seen so far, there seem to be issues in getting DNScrypt to work with Ubuntu. Do you think it is actually necessary to adopt DNScrypt at all? Will it be enough if I specify trusted DNS servers on my computer itself instead of relying on my router or my ISP to specify the DNS servers? If I specify DNS servers on my computer, can an attacker still redirect my DNS traffic/requests to a malicious DNS server other than the DNS servers specified on my computer? Aren't the DNS server IP addresses specified in the packets sent out by my computer? So, how can such a re-direction take place?
The website I gave in my initial post talks about the ISP re-directing traffic even with a different DNS server (other than the ISP-provided DNS servers) specified on the router. Can an attacker do the same when the DNS servers are specified on the computer itself?
I found no difficulty setting up DNScrypt in Ubuntu 12.04 (and if I can do it anyone can).
I followed this:
http://www.webupd8.org/2012/02/encry...inux-with.html
It seems to work (i.e. it connects to OpenDNS; I wouldn't have a clue if it actually encrypts).
Hello, I guess my post wasn't too clear. What I wanted to ask was can an attacker do the kind of re-direction the ISP does in that article even in the case when I specify trusted DNS servers in my computer itself. I was not asking what happens if an attacker can change DNS servers on my computer. Sorry! My bad.
That is your decision. Depends how paranoid you feel. At some point, you have to ask yourself if you really trust the OpenDNS servers (or their information sources).
"Will it be enough if I specify trusted DNS servers on my computer itself instead of relying on my router or my ISP to specify the DNS servers? If I specify DNS servers on my computer, can an attacker still redirect my DNS traffic/requests to a malicious DNS server other than the DNS servers specified on my computer?"
No and yes. No, specifying the IP address of a trusted server is not enough. Yes, an attacker can still redirect your DNS requests, or (more likely) just impersonate the DNS server you asked for. In my opinion that is "wire fraud" and is a criminal offence in many countries, but ISPs seem to get away with it anyway.
"Aren't the DNS server IP addresses specified in the packets sent out by my computer? So, how can such a re-direction take place?"
The ISP's equipment is forwarding your packets/messages. They are perfectly able to read your packets and substitute different contents whenever they want to. This could include redirecting or falsifying DNS queries or even connections to servers. This kind of message tampering is what encryption is trying to prevent.
"The website I gave in my initial post talks about the ISP re-directing traffic even with a different DNS server (other than the ISP-provided DNS servers) specified on the router. Can an attacker do the same with the DNS servers specified on the computer itself?"
Yes. If the attacker controls any equipment along the path between your PC and some other computer you wish to talk to, he can simply monitor the connection, or fully impersonate whatever server you think you are talking to. Several ISPs simply modify the "DNS name not found" message (called NXDOMAIN) from DNS servers to send you to their own servers which then serve you pay-per-click adverts instead.
Last edited by The Cog; November 24th, 2012 at 05:49 PM.