SoylentNews is people
SoylentNews
While looking at the delegation paths for various top-level domains, Matthew Bryant noticed that the domains of 4 out of 7 nameservers for the .io TLD were available for registration:
It appeared that Gandi's API was returning that multiple .io nameserver domains were available for purchase! This does not necessarily mean you can actually register these domain names however, since in the past I had seen multiple incidents where registries would state a domain name was available but wouldn't allow the actual registration to go through due to the domain name being "reserved".
But when he tried anyway, his order went through, and after the registration finished his server began to receive DNS queries for .io domains.
Given the fact that we were able to take over four of the seven authoritative nameservers for the .io TLD we would be able to poison/redirect the DNS for all .io domain names registered. Not only that, but since we have control over a majority of the nameservers it's actually more likely that clients will randomly select our hijacked nameservers over any of the legitimate nameservers even before employing tricks like long TTL responses, etc to further tilt the odds in our favor.
One mitigating factor that should be mentioned is that the .io TLD has DNSSEC enabled. This means that if your resolver supports it you should be defended from an attacker sending bad/forged DNS data in the way mentioned above. That being said, as mentioned in a previous post DNSSEC support is pretty abysmal and I rarely encounter any support for it unless I specifically set a resolver up that supports it myself.
(Score: 3, Interesting) by ledow on Tuesday July 11 2017, @01:01PM (1 child)
Poisoning your DNS will flag warnings.
They won't be able to MITM your SSL if your DNS is set up correctly. In fact, NOBODY but you - certainly NOT your CA - knows your private key. Which gets pinned in browsers. That's why it's called a private key.
DNNSEC secures the DNS but will face practical considerations (i.e. interfaces on all cheap web hosts and domain forwarders to modify and re-sign their zones). In terms of securing your data across the web, it plays almost no part.
DNS is not considered authoritative on its own in modern browsers. You just need to make sure that you're pinning your certs, publishing the right records, and then any tampering - from the root nameserver down - will flag in any vaguely modern browser, much more than even just an expired certificate.
And your last line? Not likely. But it could be done today over a WebAssembly program with zero changes to your browser setup.
(Score: 2) by NCommander on Wednesday July 12 2017, @05:28AM
DNSSEC allows you to definitively determine if a cache poison attack is in place, as well as allowing for a chain-of-trust for things like TLSA to exist for out-of-protocol HTTPS key pinning. soylentnews.org and sylnt.us are both DNSSEC signed, but I haven't gotten around to deploying TLSA records for various reasons.
Still always moving