
posted by chromas on Thursday August 23 2018, @03:03AM

Arthur T Knackerbracket has found the following story:

Most people's DNS queries – by which browsers and other software resolve domain names into IP addresses – remain unprotected while flowing over the internet.

And that's because, you may not be surprised to know, the proposed standards to safeguard DNS traffic – such as DNSSEC and DNS-over-HTTPS – have yet to be fully baked and aren't yet widely adopted.

DNSSEC, for one, aims to prevent miscreants tampering with intercepted domain-name lookups by digitally signing the answers – making any forgeries obvious to software. DNS-over-TLS and DNS-over-HTTPS aim to do this, too, and encrypt the queries so eavesdroppers on the network can't snoop on what sites you're visiting.

Without these safeguards in wide (or any) use, DNS traffic remains unencrypted and unauthenticated, meaning it can potentially be spied on and meddled with to redirect people to malicious websites masquerading as legit sites.

Researchers from universities in China and the US recently decided to check whether or not this is actually happening, and found that traffic interception is a reality for a small but significant portion of DNS queries – 0.66 per cent of DNS requests over TCP – across a global sample of residential and cellular IP addresses.

The boffins [...] describe the results of their inquiry in a paper presented at this week's USENIX Security Symposium.

The paper, "Who Is Answering My Queries: Understanding and Characterizing Interception of the DNS Resolution Path," describes how the researchers set up a system to measure DNS interception across 148,478 residential and cellular IP addresses around the world.

Internet users may choose their own DNS resolvers, by manually pointing their applications and operating systems at, say, Google Public DNS (8.8.8.8) or Cloudflare (1.1.1.1). Usually, however, people accept whatever DNS resolver the network or their ISP automatically provides.

If an intermediary intercepts a DNS request, that isn't necessarily nefarious, but it could lead to undesirable consequences. At the very least, it deprives those using the internet of choice and privacy.

The researchers looked for providers spoofing the IP addresses of users' specified DNS resolvers to intercept DNS traffic covertly. They designed their study to focus on registered domains and to omit sensitive keywords, to avoid the influence of content censorship mechanisms.

They found DNS query interception in 259 of the 3,047 service provider AS collections tested, or 8.5 per cent. (The research paper uses the term "ASes," which stands for Autonomous Systems, networking terminology for a collection of IP address blocks assigned to ISPs and other organizations.)

[...] For internet users interested in checking whether their DNS resolver points where it should, the researchers created an online test, hosted at whatismydnsresolver.com. Alas, it's not https.

-- submitted from IRC
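The checks a client can make on its own side of a lookup, as an added example that is not from the paper or the article: this Python codec builds a DNS query framed for TCP, parses the reply, refuses one whose transaction ID or question does not match what was sent, and reports the AD (Authenticated Data) flag. The name example.com, the ID 0x1234 and the SAMPLE_REPLY bytes are constructed; the AD bit only says the resolver claims to have validated DNSSEC, so it is meaningful only over a channel to a resolver you trust.

```python
import struct
# Added example, not code from the paper or the article: a minimal DNS-over-TCP codec.
# A client can verify locally that a reply echoes its transaction ID and question, and
# read the AD (Authenticated Data, DNSSEC-validated) flag. SAMPLE_REPLY is constructed.
def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def build_tcp_query(name, txid, qtype=1):
    """Recursive (RD=1), class IN query with the two-byte TCP length prefix (RFC 1035 4.2.2)."""
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg

def decode_name(msg, off):                        # handles compression pointers (RFC 1035 4.1.4)
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # pointer: follow it, remember where we were
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), (end if end is not None else off)

def parse_tcp_response(data, expected_id, expected_name):   # raises ValueError on a mismatched reply
    (length,) = struct.unpack("!H", data[:2])
    msg = data[2:2 + length]
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id:
        raise ValueError("transaction ID mismatch")
    qname, off = decode_name(msg, 12)
    off += 4                                       # skip QTYPE and QCLASS
    if qd != 1 or qname.lower() != expected_name.rstrip(".").lower():
        raise ValueError("question section does not echo our query")
    answers = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:              # A record: dotted quad and TTL
            answers.append((".".join(map(str, msg[off:off + 4])), ttl))
        off += rdlen
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x0020), "answers": answers}

SAMPLE_REPLY = (b"\x00\x2d\x12\x34\x81\xa0\x00\x01\x00\x01\x00\x00\x00\x00"      # length, header (QR RD RA AD)
               b"\x07example\x03com\x00\x00\x01\x00\x01"                            # question: example.com A IN
               b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01")  # answer: 192.0.2.1, TTL 300
```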

  • (Score: 1, Interesting) by Anonymous Coward on Thursday August 23 2018, @03:20AM (12 children)

    that would be the only acceptable choice and has been available for a decade
  • (Score: 1, Interesting) by Anonymous Coward on Thursday August 23 2018, @03:29AM

    Tor can route DNS requests.

  • (Score: 3, Informative) by driverless on Thursday August 23 2018, @11:57AM (8 children)

The DNSSEC work dates back close to thirty years now (Bellovin in 1990), and people still don't care. Yeah, it's a theoretical weakness, and every now and then something happens that causes a bit of a panic, but overall it's just not broken enough to motivate people to go through the pain that a mass move to DNSSEC would entail. This one won't make any difference, DNS would have to be found to cause cancer, or global warming, or participation in Trump rallies, for anyone to want to take DNSSEC seriously.

    • (Score: 3, Insightful) by ledow on Thursday August 23 2018, @02:09PM (6 children)

      No different to SMTP.

      If we can't wean people off something that basically allows their email to end up anywhere, read by anyone in the path (or anyone in control of ANY destination mailserver / forwarding mailserver), in plain text, without them ever knowing, then what chance do you have of securing DNS globally?

      • (Score: 2) by driverless on Thursday August 23 2018, @02:23PM (5 children)

        STARTTLS has pretty much taken care of that one. It's good enough in most cases, and means Joe Sixpack doesn't need to learn all of PGP or S/MIME just to send a Sunday barbeque invitation to their neighbour.

        The SMTP analogy however is quite apt, most people don't care if anyone reads their mail, and/or assume no-one would want to, because it's boring and unimportant. So there's no motivation to apply much if any effort to secure it. Same with DNSSEC, they know that if they see the padlock on the Paypal page they're fine, why would they need anything more? And that's actually the case, they're going to get caught by malware or a corporate database breach or phishing (with or without optional DNSSEC and SSL certificate authentication for the phishing site), not by someone spying on DNS queries.

        • (Score: 2) by ledow on Thursday August 23 2018, @02:51PM (4 children)

          No it hasn't.

          There is no guarantee that the intended recipient is the only person who can read the email.

          Literally anyone working in IT at the company that hosts the mailserver, anyone able to hijack their DNS even briefly, anyone running forwarding services (e.g. most domain hosts, etc.) can read, modify and re-transmit your email willy-nilly, even stripping it of further TLS protection before forwarding onto the intended destination.

          That's not "secure".

          I cannot send an email to you that a) you know is definitely from me, b) that I know only you and I could have read it (what you DO with it, from then on, is another matter), c) that YOU know only I and you could have read it. Without a ton of extra software outside the scope of email (you can say PGP but I could just PGP a Post-It and send that to you, it doesn't mean the Post-It or mail service is a secure transport medium).

          That's just ridiculous in 2018.

          It's like saying that using a TLS secure browser to access GMail means that the email you send from it "is secure". No. One part of one direction of the transit to ONE party (that's not the intended destination) enjoyed secure transit. Google could still be sitting there selling the email onto the NSA for all I know.

          Proper email security would provide them with nothing more than gobbledegook that can only be decrypted by YOU and the RECIPIENT.

          • (Score: 1) by Mike on Thursday August 23 2018, @05:52PM (1 child)

            Without a ton of extra software outside the scope of email (you can say PGP but I could just PGP a Post-It and send that to you, it doesn't mean the Post-It or mail service is a secure transport medium).

You're looking for a solution to send authentic/encrypted messages between users. The users don't control the transport and, the vast, vast majority of the time, not the server end points.

I think you are going to have an extremely difficult time coming up with an end-to-end security solution that does not have the encryption/authentication of a message under the control of the end user. That solution is either going to look something like PGP (or S/MIME) or it will require individual communication servers (e.g. email servers) that make authenticated/encrypted connections directly to other users' servers. I think between the choice of having each user run their own server or use something like PGP, the something like PGP is going to be the winner.

            • (Score: 2) by driverless on Thursday August 23 2018, @11:41PM

              the something like PGP is going to be the winner

PGP has been around for more than a quarter of a century. Outside the hardcore geek community, its use is essentially nonexistent. Heck, I barely use it because it's such a pain, and I am a hardcore geek who communicates mostly with other hardcore geeks. On the receiving end I get maybe two or three PGP-encrypted emails a year, and invariably zero of them actually needed encryption, they were just being sent by an even more extreme geek than myself.

              So I'm going to have to disagree with you there on PGP, or S/MIME, or anything else where the user is exposed to key management and signatures and all that other crap being a winner. STARTTLS is a winner. WhatsApp and Signal are winners. Encrypted/signed email isn't even an also-ran, it's lost in the noise margin.

          • (Score: 2) by driverless on Thursday August 23 2018, @11:37PM (1 child)

            That's not "secure".

            I agree, it's not secure to a geek worried about geeky things that only geeks care about. To the general public, it's good enough. And more importantly, the amount of effort required to fix it vastly outweighs any minor benefit they may see from it.

    • (Score: 0) by Anonymous Coward on Friday August 24 2018, @03:16AM

      We've been running our own authoritative DNS servers with DNSSEC and several other goodies for years. Surprisingly few clients query for signed responses.

      Even though DNS over TLS has been proposed for recursive servers, we're tempted to add support on port 853 on our authoritative servers.

      Would be nice to be able to use certificates from our own CA and validate them with DNSSEC signed TLSA instead of buying "trusted" certificates. May do that anyway.

  • (Score: 0) by Anonymous Coward on Thursday August 23 2018, @10:19PM (1 child)

    Also, qmail is the only acceptable MTA and has been available for over two decades.

    • (Score: 0) by Anonymous Coward on Thursday August 23 2018, @10:41PM

      Daniel J. Bernstein is the only acceptable software architect.