SoylentNews is people
SoylentNews
While looking at the delegation paths for various top-level domains, Matthew Bryant noticed that the domains of 4 out of 7 nameservers for the .io TLD were available for registration:
It appeared that Gandi's API was returning that multiple .io nameserver domains were available for purchase! This does not necessarily mean you can actually register these domain names however, since in the past I had seen multiple incidents where registries would state a domain name was available but wouldn't allow the actual registration to go through due to the domain name being "reserved".
But when he tried anyway, his order went through, and after the registration finished his server began to receive DNS queries for .io domains.
Given the fact that we were able to take over four of the seven authoritative nameservers for the .io TLD we would be able to poison/redirect the DNS for all .io domain names registered. Not only that, but since we have control over a majority of the nameservers it's actually more likely that clients will randomly select our hijacked nameservers over any of the legitimate nameservers even before employing tricks like long TTL responses, etc to further tilt the odds in our favor.
One mitigating factor that should be mentioned is that the .io TLD has DNSSEC enabled. This means that if your resolver supports it you should be defended from an attacker sending bad/forged DNS data in the way mentioned above. That being said, as mentioned in a previous post DNSSEC support is pretty abysmal and I rarely encounter any support for it unless I specifically set a resolver up that supports it myself.
(Score: 4, Insightful) by VLM on Tuesday July 11 2017, @12:36PM (3 children)
DNSSEC is useless.
Its a turf war between the corrupt CA root cert monopoly and another group trying to become a corrupt centralized monopoly using different tech.
Ironically there's little difference WRT "do no evil" between Verisign the CA and Verisign the DNS registrar, so often it doesn't matter who "wins".
It makes http DNS spoofing slightly more difficult but if the aggressor owns so much infrastructure that they're poisoning your DNS while also MITM your https/SSL connections, oh just throw in the towel because thats far more resources than it takes to own both endpoints completely, which they already do, so ...
The world of the future isn't HTTP(s) and all that junk anyway. Your browser will connect to your bank's VPN and you'll get a rdesktop/vnc -like connection. You can either head directly to it today or take the long way around, its the same destination no matter how much NIH and reinvention.
(Score: 3, Interesting) by ledow on Tuesday July 11 2017, @01:01PM (1 child)
Poisoning your DNS will flag warnings.
They won't be able to MITM your SSL if your DNS is set up correctly. In fact, NOBODY but you - certainly NOT your CA - knows your private key. Which gets pinned in browsers. That's why it's called a private key.
DNNSEC secures the DNS but will face practical considerations (i.e. interfaces on all cheap web hosts and domain forwarders to modify and re-sign their zones). In terms of securing your data across the web, it plays almost no part.
DNS is not considered authoritative on its own in modern browsers. You just need to make sure that you're pinning your certs, publishing the right records, and then any tampering - from the root nameserver down - will flag in any vaguely modern browser, much more than even just an expired certificate.
And your last line? Not likely. But it could be done today over a WebAssembly program with zero changes to your browser setup.
(Score: 2) by NCommander on Wednesday July 12 2017, @05:28AM
DNSSEC allows you to definitively determine if a cache poison attack is in place, as well as allowing for a chain-of-trust for things like TLSA to exist for out-of-protocol HTTPS key pinning. soylentnews.org and sylnt.us are both DNSSEC signed, but I haven't gotten around to deploying TLSA records for various reasons.
Still always moving
(Score: 5, Interesting) by KiloByte on Tuesday July 11 2017, @05:44PM
DNSSEC is not perfect but it's so insanely better than the CA model that it's outright sabotage to fail to support it.
And guess who's the main villain here. Hint: the same person who breaks your sound, mounting degraded RAID, POSIX-mandated user names or booting if there's any real or perceived trouble. He went to disable DNSSEC support (a default sadly copied by most distributions) because his mother has a FritzBox router that uses falsified "fritz.box" domain without bothering to properly register and sign it.
Ceterum censeo systemd esse delendam.