ronpin (Imagine Reality, join:2002-12-06, Nirvana) | DNS outdated
DNS was cool when speeds were slow and memory expensive. Now we could all run our very own DNS servers on the cheap. Why not?
-- 50% of Americans vote - 30% are repugs -- do the math.

Re: DNS outdated
You could, but why would you want to increase the load on authoritative DNS servers out there? Right now, if you type in www.google.com and you don't have the IP address already cached, your machine queries your ISP's DNS server, which already knows the correct IP address. Google's nameservers only get queried if your ISP doesn't have an IP address cached on their DNS servers. If everyone was running DNS, Google's servers are going to get hammered, since queries won't just be coming from a few thousand ISPs but from a few hundred million users.
Also, as hard as it is to patch DNS servers now, can you imagine if everyone was running DNS? Instead of patching a few thousand machines, you'd have to patch a few hundred million.

sivran (Back to Opera again, join:2003-09-15, Arlington, TX) | Re: DNS outdated
Right. Just run a local, caching DNS server that's configured to forward on to the ISP (or Open, or Level3) if it doesn't know the answer. No need for an end-user DNS to go straight to the authority, just up to the next link in the chain.
Mine currently forwards to OpenDNS for whatever it doesn't know.
-- The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon profitable cause...

Re: DNS outdated
That is how DNS works.
If you have a DNS server and it does not have the answer, it goes to the authoritative DNS server that is configured for it. It won't be going to Google's as mentioned above; it will eventually go to the root .com server, which is what controls all .com DNS names.

Nerdtalker (Working Hard, Or Hardly Working?, join:2003-02-18, Tucson, AZ)
Or you could just use OpenDNS, which, by the way, was secure the whole time.
::shrug::

Re: DNS outdated
Thank you for that. My is now fixed.
-- I'm telling you, the world is screwed

Well, let's see: if the URL is not cached in your DNS server, it has to ask another server (not yours) for it. If that server's record is incorrect, well, guess what, yours will be incorrect.
I also don't really see the advantage of running your own DNS server for most people. Sure, it may be faster, but the DNS retrieval is nearly nothing compared to the downloading of content and then processing it.

ztmike (join:2001-08-02, Michigan City, IN) | DNS flaw..
All these "experts" keep putting out that there's security flaws, yet nothing ever happens..
OmGz teh interwebs is going to FaIL!!!1!1 ...
Hasn't happened and until it does, I'll keep yawning.
-- WhY sO SeRiOUs!?

Re: DNS flaw..
And this is the same attitude that keeps many users from cleaning the viruses, worms, and trojans off their machines.
If this exploit turns out to be as easy as it's reported to be, you're going to see it used a lot. The Internet won't fail, but a lot of folks are going to get scammed. If you don't think it will happen, check your spam folder and see all the phishing attempts out there. Right now, if you're a careful user and don't get infected, you can be reasonably safe. If this DNS exploit is used, you won't be able to trust any site you're visiting as being legit.

insomniac84 | Re: DNS flaw..
We will see it a lot only because:
step 1 - alter dns records
step 2 - ?????
step 3 - profit

mworks (join:2006-06-13, Faison, NC) | Re: DNS flaw..
said by insomniac84:
We will see it a lot only because: step 1 - alter dns records step 2 - ????? step 3 - profit
Alter a site like Bank of America, grab login info for just 5 minutes and walk away with thousands.

ISurfTooMuch
Ah, but I can complete that for you.
step 1 - alter dns records
step 2 - redirect users from legit commerce and banking sites to lookalike phishing sites
step 3 - grab credit card numbers and usernames/passwords
step 4 - shop with stolen cards, sell stolen card numbers, and drain bank accounts
step 5 - profit

baineschile1 | Re: DNS flaw..
Never understood people that shopped online with stolen credit card numbers. If I buy a plasma... don't I have to have it "shipped somewhere"?

Re: DNS flaw..
You'd think that would be a deterrent, but people seem to still get away with it. And I'd imagine many stolen card numbers would be printed on counterfeit cards and used overseas. I doubt a shop in Moscow or Shanghai is going to care too much if a card is stolen as long as the transaction is approved. The shop owner is going to sell the goods for a profit, and they can always deny they knew the card was stolen if they're asked about it.
Still, I think the big money would be in selling the numbers. The seller gets their money, and the buyers use the cards until they're canceled.

morbo (Complete Your Transaction, join:2002-01-22)
said by baineschile1:
Never understood people that shopped online with stolen credit card numbers. If I buy a plasma... don't I have to have it "shipped somewhere"?
There's no real enforcement out there for these smallish crimes. Local police won't touch it and credit card companies prefer to write it off, as long as it's not too much.
The lawyers and effort would cost them more than it's worth.
Sad but true.

You can get away with using stolen card numbers for intangible things like memberships to sites, or for purchasing more domain names/hosts.

said by baineschile1:
Never understood people that shopped online with stolen credit card numbers. If I buy a plasma... don't I have to have it "shipped somewhere"?
People will ship to other addresses and attempt to intercept the package. It happened to my grandma. She got a package with what she refers to as a "computer thing". She called the shipper and the company, and neither cared that it wasn't hers and she didn't pay for it. (Maybe the companies all assumed it must have been a gift because no one reported fraud?) But a few days later some kid comes to her door and says he heard she got a package. Knowing there was no way this was possible, she told him he could have it if he called UPS and got them to authorize her to give it to him. She never saw him again, and after a few months (in case someone did want it back) she told me about it. It was a mediocre video card and I think I ended up putting it in an aunt's computer.

dvd536 (as Mr. Pink as they come, join:2001-04-27, Phoenix, AZ)
said by ISurfTooMuch:
Ah, but I can complete that for you. step 1 - alter dns records step 2 - redirect users from legit commerce and banking sites to lookalike phishing sites step 3 - grab credit card numbers and usernames/passwords step 4 - shop with stolen cards, sell stolen card numbers, and drain bank accounts step 5 - profit
step 4.5 - sell booty on ebay.
-- When I gez aju zavateh na nalechoo more new yonooz tonigh molinigh - Ken Lee

Waffle_SS
Am I the only person that gets the reference to the Underpants Gnomes?

Re: DNS flaw..
said by Waffle_SS:
Am I the only person that gets the reference to the Underpants Gnomes?
Nope! It's pretty tough to miss it, if you're "in the know"...
- Tate
-- Happiness is an OC-768 in your basement...

Re: DNS flaw..
It doesn't happen if the ISPs take heed and patch their DNS servers. If you read the article, you'd see that many have yet to do so.
Issuing warnings is great, but warnings don't fix the problem. Acting on those warnings does, and many ISPs seem to be asleep at the switch.

mworks (join:2006-06-13, Faison, NC) | Add Charter
Add Charter to the list of unpatched servers. Ones in my area, NC, are vulnerable.

Home routers still vulnerable?
Some (Belkin comes to mind) routers provide a local DNS cache for the LAN side. I'm not aware of any large scale push to get owners to upgrade their router firmware.
Perhaps the same attack can still work?

ISurfTooMuch | Re: Home routers still vulnerable?
Firmwares? What are firmwares? Never heard of 'em.
Yeah, I agree with you, but this is the reaction you're going to get from many people. They can't even secure their routers. They don't have a clue what firmware is or how to update it.

dvd536 (as Mr. Pink as they come, join:2001-04-27, Phoenix, AZ) | Re: Home routers still vulnerable?
said by ISurfTooMuch:
Firmwares? What are firmwares? Never heard of 'em. Yeah, I agree with you, but this is the reaction you're going to get from many people. They can't even secure their routers. They don't have a clue what firmware is or how to update it.
People are getting better about securing their routers. I used to have 6 open routers available to me, now only have two. It'll get even better as pay per byte comes.
-- When I gez aju zavateh na nalechoo more new yonooz tonigh molinigh - Ken Lee

Re: Home routers still vulnerable?
I'm seeing more secured as well, but I chalk that up to living near lots of college students who are more tech-savvy. There are plenty of open ones out there, though. I have a friend whose WRT54G occasionally craps out on him. Instead of just rebooting it, he just disconnects it and plugs his cable modem directly into his desktop. I usually discover this when I take my laptop over there and discover there's either no signal or no Internet access. So there's still a learning curve for many people.

mworks (join:2006-06-13, Faison, NC) | Patch is just a bandaid
It appears the patch is only a temporary fix. It makes it harder to exploit the DNS servers, but it cannot prevent it. DNS was just not designed as a secure system. The makers did not have that in mind.

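What the July 2008 resolver patches mainly added is randomization of the UDP source port of each outbound query, so that a forged answer has to match an unpredictable port as well as the 16-bit transaction ID; that is why the patch "makes it harder" rather than impossible, as mworks says, and it is also how one tells whether a resolver (like the Charter servers mentioned earlier in the thread) is patched. The check below is an added example, not code from this thread or from any resolver vendor. It assumes a defender has pointed their own resolver at an authoritative server they control and recorded the (source port, transaction ID) pair of each query as it arrived; the three samples are constructed for illustration.

```python
"""Classify whether a recursive resolver's outbound queries vary their UDP
source port and transaction ID.  The July 2008 resolver patches added source
port randomization on top of the 16-bit transaction ID, which is what forces
a poisoning attempt to guess far more than 65,536 values.

Input: (source_port, txid) pairs as a defender would record them at an
authoritative server they control after pointing their own resolver at it.
All sample data below is constructed for illustration.
"""


def value_pattern(values):
    """'fixed' if every value is the same, 'sequential' if they step by a
    constant increment, otherwise 'varying'."""
    if len(set(values)) == 1:
        return "fixed"
    deltas = [b - a for a, b in zip(values, values[1:])]
    if len(deltas) > 1 and all(d == deltas[0] for d in deltas):
        return "sequential"
    return "varying"


def assess_resolver(observations):
    """Summarize how unpredictable a resolver's query source ports and
    transaction IDs are, and return a verdict alongside the raw counts."""
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    result = {
        "port_pattern": value_pattern(ports),
        "txid_pattern": value_pattern(txids),
        "distinct_ports": len(set(ports)),
        "port_spread": max(ports) - min(ports),
    }
    if result["txid_pattern"] != "varying":
        result["verdict"] = "broken"      # predictable txid: worse than unpatched
    elif result["port_pattern"] != "varying":
        result["verdict"] = "unpatched"   # only the 16-bit txid protects the cache
    else:
        result["verdict"] = "patched"     # both port and txid vary per query
    return result


# Constructed values reused across the samples below.
_TXIDS = [0x3f1c, 0xa802, 0x0c77, 0xe1b9, 0x5d40, 0x9a03,
          0x2bee, 0x7712, 0xc0d5, 0x18a6, 0xf402, 0x66cb]
_PORTS = [50321, 1999, 61004, 33012, 5120, 47711,
          28870, 60001, 12345, 39999, 8011, 52240]

# Pre-patch behaviour: random txid, but every query leaves from one port.
UNPATCHED_SAMPLE = [(32768, t) for t in _TXIDS]
# A resolver whose txids merely count upward: predictable regardless of port.
SEQUENTIAL_TXID_SAMPLE = [(32768, 0x4a10 + i) for i in range(12)]
# Patched behaviour: a fresh high port and a fresh txid for each query.
PATCHED_SAMPLE = list(zip(_PORTS, _TXIDS))

if __name__ == "__main__":
    for label, sample in (("unpatched", UNPATCHED_SAMPLE),
                          ("sequential txid", SEQUENTIAL_TXID_SAMPLE),
                          ("patched", PATCHED_SAMPLE)):
        print(label, assess_resolver(sample))
```

A dozen queries is enough to see a fixed or stepping port; a real capture should use more, and should be taken from the resolver's public-facing side, since a NAT device between the resolver and the Internet can collapse randomized ports back into a predictable sequence, which is the home-router concern raised later in this thread.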
Re: Patch is just a bandaid
said by mworks:
It appears the patch is only a temporary fix. It makes it harder to exploit the DNS servers, but it cannot prevent it. DNS was just not designed as a secure system. The makers did not have that in mind.
Okay, since this will affect banks and financial institutions the most because of phishing attacks, can the following be used to reduce the threat? These secure sites should already have certificates. The banks need to update their certificates for their IP address rather than the name of the URL. Then the links to the secure sites need to be changed from the URL to the IP address. For example: the link to "https://www.coolbank.com/securelogin.asp" would be changed to "https://172.16.100.1/securelogin.asp". By doing this, the web browser verifies the certificate's name against the bank's authentic IP address instead of verifying the certificate's name against the name of the URL, which can be spoofed. The user can then have confidence in the site once the browser displays a secure connection.

Re: Patch is just a bandaid
Maybe you are on to something here; the doxpara website makes a statement on SSL certs: "SSL is not the panacea it would seem to be". So will this work? Can secure websites find a way to verify their certs against their true IP address rather than verifying against the URL? Surely this would cut down on phishing schemes.

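The proposal in the two posts above relies on the browser's name check: the certificate's subjectAltName has to cover whatever host appears in the URL, which for "https://172.16.100.1/securelogin.asp" is the IP literal, not www.coolbank.com. The model below is an added example, not code from this thread or from any browser. It represents certificates in the shape Python's ssl.getpeercert() returns (the three sample certificates are constructed) and checks a URL's host against them, including the single-label wildcard case that the thread does not mention.

```python
"""Model of the browser-side check a certificate must pass for a URL: the
subjectAltName entries must cover the host part of the URL, whether that host
is a DNS name or an IP literal.  Certificates are represented in the dict
shape ssl.SSLSocket.getpeercert() returns; the samples below are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-ins for getpeercert() output of three certificates.
NAME_CERT = {"subjectAltName": (("DNS", "www.coolbank.com"),
                                ("DNS", "coolbank.com"))}
IP_CERT = {"subjectAltName": (("IP Address", "172.16.100.1"),
                              ("DNS", "www.coolbank.com"))}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.coolbank.com"),)}


def _dns_match(pattern, host):
    """Case-insensitive match; a leading '*.' covers exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return (host.count(".") == pattern.count(".")
                and host.endswith(pattern[1:]))
    return pattern == host


def cert_matches_url(cert, url):
    """True if one of the cert's SAN entries covers the host named in url.

    An IP literal in the URL only matches an 'IP Address' entry; a DNS name
    only matches a 'DNS' entry.  A cert for www.coolbank.com therefore does
    not cover https://172.16.100.1/, and vice versa.
    """
    host = urlsplit(url).hostname  # lower-cased, port stripped, [] removed
    if host is None:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # host is a DNS name, not an address
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address":
            if ipaddress.ip_address(value) == ip:
                return True
        elif ip is None and kind == "DNS" and _dns_match(value, host):
            return True
    return False


if __name__ == "__main__":
    for label, cert in (("name cert", NAME_CERT), ("ip cert", IP_CERT),
                        ("wildcard cert", WILDCARD_CERT)):
        for url in ("https://www.coolbank.com/securelogin.asp",
                    "https://172.16.100.1/securelogin.asp"):
            print(label, url, cert_matches_url(cert, url))
```

Two things follow for the proposal. A certificate issued only for www.coolbank.com does not match the IP-literal link, so the bank would need a certificate carrying an IP Address entry, which not every CA will issue. And the check is keyed to the host the browser was sent to, so a user who reaches a poisoned address by the name www.coolbank.com still gets the same protection from this check, provided the impostor cannot present a certificate trusted for that name and the user does not click through the browser's warning.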
ReVeLaTeD | I wish
They would stop saying "Dan Kaminsky discovered...". He didn't discover anything, he just brought to light an issue that's been out there for years and used his professional sway to influence the right people.
The issue with DNS is nothing new, people. Please stop glorifying him for "discovering" anything. Praise him for using political muscle to get the right people to pay attention to it finally, but that's it.

jamesv (join:2003-03-08, Austin, TX) | Re: I wish
said by ReVeLaTeD:
The issue with DNS is nothing new, people. Please stop glorifying him for "discovering" anything. Praise him for using political muscle to get the right people to pay attention to it finally, but that's it.
It's a novel way to poison a cache, one that might evade attempts to prevent more obvious poisoning schemes.
I don't know of anyone claiming priority over Kaminsky on this, so he should get the credit.