
posted by chromas on Thursday August 23 2018, @03:03AM

Arthur T Knackerbracket has found the following story:

Most people's DNS queries – by which browsers and other software resolve domain names into IP addresses – remain unprotected while flowing over the internet.

And that's because, you may not be surprised to know, the proposed standards to safeguard DNS traffic – such as DNSSEC and DNS-over-HTTPS – have yet to be fully baked and aren't yet widely adopted.

DNSSEC, for one, aims to prevent miscreants tampering with intercepted domain-name lookups by digitally signing the answers – making any forgeries obvious to software. DNS-over-TLS and DNS-over-HTTPS aim to do this, too, and encrypt the queries so eavesdroppers on the network can't snoop on what sites you're visiting.

Without these safeguards in wide (or any) use, DNS traffic remains unencrypted and unauthenticated, meaning it can potentially be spied on and meddled with to redirect people to malicious websites masquerading as legit sites.

Researchers from universities in China and the US recently decided to check whether or not this is actually happening, and found that traffic interception is a reality for a small but significant portion of DNS queries – 0.66 per cent of DNS requests over TCP – across a global sample of residential and cellular IP addresses.

The boffins [...] describe the results of their inquiry in a paper presented at this week's USENIX Security Symposium.

The paper, "Who Is Answering My Queries: Understanding and Characterizing Interception of the DNS Resolution Path," describes how the researchers set up a system to measure DNS interception across 148,478 residential and cellular IP addresses around the world.

Internet users may choose their own DNS resolvers, by manually pointing their applications and operating systems at, say, Google Public DNS (8.8.8.8) or Cloudflare (1.1.1.1). Usually, however, people accept whatever DNS resolver the network or their ISP automatically provides.

If an intermediary intercepts a DNS request, that isn't necessarily nefarious, but it could lead to undesirable consequences. At the very least, it deprives those using the internet of choice and privacy.

The researchers looked for providers spoofing the IP addresses of users' specified DNS resolvers to intercept DNS traffic covertly. They designed their study to focus on registered domains and to omit sensitive keywords, to avoid the influence of content censorship mechanisms.

They found DNS query interception in 259 of the 3,047 service provider AS collections tested, or 8.5 per cent. (The research paper uses the term "ASes," which stands for Autonomous Systems, networking terminology for a collection of IP address blocks assigned to ISPs and other organizations.)

[...] For internet users interested in checking whether their DNS resolver points where it should, the researchers created an online test, hosted at whatismydnsresolver.com. Alas, it's not https.

-- submitted from IRC
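
An added example, not from the article or the paper's authors, of how a measurement like the one described above can be scored. It assumes each client sends a uniquely labelled query to the resolver it chose and that an authoritative server under the tester's control logs which source address fetched that label; all resolver names, address ranges, AS numbers and log entries are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed egress ranges (RFC 5737 documentation space), NOT real resolver ranges.
EXPECTED_EGRESS = {
    "resolver-a": [ipaddress.ip_network("192.0.2.0/25")],
    "resolver-b": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed probes: (unique query label, client AS, resolver the client addressed).
PROBES = [
    ("q1", "AS64500", "resolver-a"),
    ("q2", "AS64500", "resolver-b"),
    ("q3", "AS64501", "resolver-a"),
    ("q4", "AS64502", "resolver-b"),
]

# Constructed authoritative-server log: query label -> source IP that fetched it.
AUTH_LOG = {
    "q1": "192.0.2.10",
    "q2": "198.51.100.7",
    "q3": "203.0.113.53",  # outside resolver-a's ranges
    # q4 absent: no query for that label reached the authoritative server
}

def classify(label, resolver, auth_log=AUTH_LOG):
    """Return 'normal', 'intercepted' or 'no-data' for one probe."""
    src = auth_log.get(label)
    if src is None:
        return "no-data"  # nothing observed; not evidence either way
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in EXPECTED_EGRESS[resolver]):
        return "normal"
    return "intercepted"  # some other resolver handled the query

def intercepted_ases(probes=PROBES, auth_log=AUTH_LOG):
    """Return (ASes with an intercepted probe, ASes with usable data)."""
    verdicts = defaultdict(set)
    for label, asn, resolver in probes:
        verdicts[asn].add(classify(label, resolver, auth_log))
    measured = {a for a, v in verdicts.items() if v != {"no-data"}}
    hit = {a for a in measured if "intercepted" in verdicts[a]}
    return hit, measured

if __name__ == "__main__":
    hit, measured = intercepted_ases()
    print(f"{len(hit)} of {len(measured)} ASes show interception: {sorted(hit)}")
```
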



    by Anonymous Coward on Thursday August 23 2018, @06:09PM (#725316)

    there are not that many dns servers that can use the root.hints file.
    notably the notoriously buggy bind is one.
    curiously enough this is strong indication that most internet users have no clue about how the internet works(*).
    which leads me to suggest that this (identity) is still a soft and mushy avenue the big internet companies can use to bind (lol) the average user wholly and totally to themselves...

      the new internet is not about technical freedom but profit.

    they will be emoticon-insert-sadface they didn't care sooner in the not so distant government-corporation future.