
posted by chromas on Thursday August 23 2018, @03:03AM

Arthur T Knackerbracket has found the following story:

Most people's DNS queries – by which browsers and other software resolve domain names into IP addresses – remain unprotected while flowing over the internet.

And that's because, you may not be surprised to know, the proposed standards to safeguard DNS traffic – such as DNSSEC and DNS-over-HTTPS – have yet to be fully baked and aren't yet widely adopted.

DNSSEC, for one, aims to prevent miscreants tampering with intercepted domain-name lookups by digitally signing the answers – making any forgeries obvious to software. DNS-over-TLS and DNS-over-HTTPS aim to do this, too, and encrypt the queries so eavesdroppers on the network can't snoop on what sites you're visiting.

Without these safeguards in wide (or any) use, DNS traffic remains unencrypted and unauthenticated, meaning it can potentially be spied on and meddled with to redirect people to malicious websites masquerading as legit sites.

Researchers from universities in China and the US recently decided to check whether or not this is actually happening, and found that traffic interception is a reality for a small but significant portion of DNS queries – 0.66 per cent of DNS requests over TCP – across a global sample of residential and cellular IP addresses.

The boffins [...] describe the results of their inquiry in a paper presented at this week's USENIX Security Symposium.

The paper, "Who Is Answering My Queries: Understanding and Characterizing Interception of the DNS Resolution Path," describes how the researchers set up a system to measure DNS interception across 148,478 residential and cellular IP addresses around the world.

Internet users may choose their own DNS resolvers, by manually pointing their applications and operating systems at, say, Google Public DNS (8.8.8.8) or Cloudflare (1.1.1.1). Usually, however, people accept whatever DNS resolver the network or their ISP automatically provides.

If an intermediary intercepts a DNS request, that isn't necessarily nefarious, but it could lead to undesirable consequences. At the very least, it deprives those using the internet of choice and privacy.

The researchers looked for providers spoofing the IP addresses of users' specified DNS resolvers to intercept DNS traffic covertly. They designed their study to focus on registered domains and to omit sensitive keywords, to avoid the influence of content censorship mechanisms.

They found DNS query interception in 259 of the 3,047 service provider AS collections tested, or 8.5 per cent. (The research paper uses the term "ASes," which stands for Autonomous Systems, networking terminology for a collection of IP address blocks assigned to ISPs and other organizations.)
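The core of the measurement described above is a correlation: the client notes which resolver it addressed, and the authoritative server for a domain the researchers control notes who actually turned up asking. The script below is an added example of that check and is not the researchers' measurement code. Everything in it is constructed: the two logs, the nonce labels under a hypothetical `example.test` zone, and the resolver egress prefixes, which are RFC 5737 documentation ranges rather than Google's or Cloudflare's real ranges. The four verdict categories are the example's own simplification.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed for this example: the egress prefixes we would expect each
# resolver's recursive servers to use when they contact our authoritative
# server. These are RFC 5737 documentation prefixes, NOT the real egress
# ranges of Google or Cloudflare; a real study would use the ranges the
# resolver operators publish.
RESOLVER_EGRESS = {
    "8.8.8.8": [ip_network("203.0.113.0/24")],
    "1.1.1.1": [ip_network("198.51.100.0/24")],
}


@dataclass
class ClientObservation:
    """What the probing client saw for one query."""
    nonce: str              # unique label embedded in the queried name
    intended_resolver: str  # resolver the client addressed the query to
    answer_source: str      # source IP of the reply the client accepted


@dataclass
class AuthObservation:
    """One query line from the authoritative server's log."""
    nonce: str
    source: str             # IP that actually sent the query to us


# Constructed sample data. Queried names look like <nonce>.probe.example.test
# (hypothetical zone); only the nonce label matters for correlation, and a
# fresh nonce per probe keeps every answer uncacheable.
CLIENT_LOG = [
    ClientObservation("a1", "8.8.8.8", "8.8.8.8"),
    ClientObservation("b2", "8.8.8.8", "8.8.8.8"),
    ClientObservation("c3", "1.1.1.1", "1.1.1.1"),
    ClientObservation("d4", "1.1.1.1", "1.1.1.1"),
]
AUTH_LOG = [
    AuthObservation("a1", "203.0.113.7"),   # from the intended resolver's egress
    AuthObservation("b2", "192.0.2.99"),    # from somebody else entirely
    AuthObservation("c3", "198.51.100.5"),  # intended resolver ...
    AuthObservation("c3", "192.0.2.42"),    # ... and a second, unexpected party
    # no line for d4: the client got an answer that nobody fetched from us
]


def classify(client: ClientObservation, auth_sources: list[str]) -> str:
    """Classify one probe by who actually contacted the authoritative server.

    Categories (this example's own simplification): "normal" (only the
    intended resolver reached us), "request-redirection" (only an unexpected
    party reached us), "request-replication" (both did), "direct-responding"
    (nobody did, yet the client received an answer).
    """
    if client.answer_source != client.intended_resolver:
        # A stub resolver would normally discard such a reply; flag it anyway.
        return "reply-source-mismatch"
    if not auth_sources:
        return "direct-responding"
    expected = RESOLVER_EGRESS[client.intended_resolver]
    legit = [s for s in auth_sources
             if any(ip_address(s) in net for net in expected)]
    other = [s for s in auth_sources if s not in legit]
    if legit and not other:
        return "normal"
    if other and not legit:
        return "request-redirection"
    return "request-replication"


def analyze(client_log: list[ClientObservation],
            auth_log: list[AuthObservation]) -> dict[str, str]:
    """Correlate the two logs by nonce and classify every client probe."""
    seen: dict[str, list[str]] = {}
    for rec in auth_log:
        seen.setdefault(rec.nonce, []).append(rec.source)
    return {c.nonce: classify(c, seen.get(c.nonce, [])) for c in client_log}


def interception_rate(results: dict[str, str]) -> float:
    """Fraction of probes whose answer did not arrive purely via the intended path."""
    intercepted = sum(1 for verdict in results.values() if verdict != "normal")
    return intercepted / len(results) if results else 0.0


RESULTS = analyze(CLIENT_LOG, AUTH_LOG)

if __name__ == "__main__":
    for nonce, verdict in RESULTS.items():
        print(f"{nonce}: {verdict}")
    print(f"interception rate: {interception_rate(RESULTS):.2%}")
```

Two caveats a defender running something like this should keep in mind. First, the verdict only says who reached the authoritative server, not why: a transparent caching proxy at an ISP, a captive portal and a deliberately malicious redirect all produce the same "request-redirection" signature, so a hit is a reason to investigate, not a conclusion. Second, the egress list is the weak point; public resolvers rotate and expand their egress ranges, and an out-of-date list turns honest answers into false positives.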

[...] For internet users interested in checking whether their DNS resolver points where it should, the researchers created an online test, hosted at whatismydnsresolver.com. Alas, it's not https.

-- submitted from IRC


  • (Score: 0) by Anonymous Coward on Friday August 24 2018, @03:16AM (#725579)

    We've been running our own authoritative DNS servers with DNSSEC and several other goodies for years. Surprisingly few clients query for signed responses.

    Even though DNS over TLS has been proposed for recursive servers, we're tempted to add support on port 853 on our authoritative servers.

    Would be nice to be able to use certificates from our own CA and validate them with DNSSEC signed TLSA instead of buying "trusted" certificates. May do that anyway.
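The comment above is pointing at DANE: publishing a TLSA record so that a client can match the certificate a server presents (here, on port 853 for DNS over TLS) against a hash that is itself protected by DNSSEC, instead of relying on a commercial CA. The script below is an added example of building and checking such a record; it is not the commenter's setup and not code from any DNS server. The SubjectPublicKeyInfo bytes are constructed (the fixed ASN.1 header of an Ed25519 SPKI followed by sample key bytes, not a real key), the owner name `_853._tcp.ns1.example.test.` is hypothetical, and the check covers only the "3 1 1" parameter combination (DANE-EE, SPKI, SHA-256).

```python
import hashlib
import hmac

# Constructed for this example: a DER-encoded SubjectPublicKeyInfo (SPKI) for
# an Ed25519 key. The 12-byte prefix is the fixed ASN.1 header that RFC 8410
# specifies for an Ed25519 SPKI; the 32 key bytes are arbitrary sample data,
# not a real key. SPKI bytes extracted from a real certificate work the same.
_ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
SAMPLE_SPKI = _ED25519_SPKI_PREFIX + bytes(range(32))
OTHER_SPKI = _ED25519_SPKI_PREFIX + bytes(range(32, 64))

# TLSA RDATA field values, from RFC 6698.
USAGE_DANE_EE = 3   # certificate usage 3: pin the end-entity certificate itself
SELECTOR_SPKI = 1   # selector 1: match the SubjectPublicKeyInfo, not the whole cert
MATCH_SHA256 = 1    # matching type 1: SHA-256 of the selected data


def tlsa_rdata(spki: bytes) -> bytes:
    """Build the wire-format RDATA of a '3 1 1' TLSA record for this SPKI."""
    header = bytes([USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256])
    return header + hashlib.sha256(spki).digest()


def tlsa_presentation(owner: str, spki: bytes) -> str:
    """Zone-file line for the record; owner is _<port>._tcp.<host>. (853 for DoT)."""
    rdata = tlsa_rdata(spki)
    return f"{owner} IN TLSA {rdata[0]} {rdata[1]} {rdata[2]} {rdata[3:].hex()}"


def parse_tlsa(line: str) -> bytes:
    """Turn a presentation-format TLSA line back into RDATA bytes.

    The hex digest may be split into several whitespace-separated groups in a
    zone file, so everything after the three parameters is joined first.
    """
    fields = line.split()
    i = fields.index("TLSA")
    usage, selector, mtype = (int(f) for f in fields[i + 1:i + 4])
    return bytes([usage, selector, mtype]) + bytes.fromhex("".join(fields[i + 4:]))


def verify_spki(rdata: bytes, presented_spki: bytes) -> bool:
    """Check the SPKI a server presented against a TLSA record's RDATA.

    The record only adds trust if it was obtained with DNSSEC validation; an
    unsigned TLSA answer is just another unauthenticated DNS response. Usage 2
    (DANE-TA, pinning your own CA) would additionally require building and
    checking the certificate chain, which this example does not implement.
    """
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA too short")
    params = (rdata[0], rdata[1], rdata[2])
    if params != (USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256):
        raise ValueError(f"unsupported TLSA parameters {params}")
    digest = hashlib.sha256(presented_spki).digest()
    return hmac.compare_digest(rdata[3:], digest)


if __name__ == "__main__":
    record = tlsa_presentation("_853._tcp.ns1.example.test.", SAMPLE_SPKI)
    print(record)
    print("matches sample key:", verify_spki(parse_tlsa(record), SAMPLE_SPKI))
    print("matches other key: ", verify_spki(parse_tlsa(record), OTHER_SPKI))
```

Pinning the SPKI (selector 1) rather than the full certificate (selector 0) lets the certificate be reissued with the same key without touching the zone, which is the usual choice for self-operated CAs; the trade-off is that a key rollover needs a new TLSA record published and propagated before the old key is retired.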