
January 10 2012 by Cricket Liu (Infoblox)
For another angle on the risks of browser prefetching, read this paper by Srinivas Krishnan and Fabian Monrose. The authors describe algorithms that allow a hacker with access to a shared name server's cache to determine--with remarkable accuracy--what terms users with prefetching browsers are searching for.
Posted in DNS Security

November 07 2011 by Cricket Liu (Infoblox)
Apparently there's a "massive" attack against DNS infrastructure underway in Brazil. Much of the initial reporting refers to the attack as cache poisoning, though Rod Rasmussen correctly points out that it's not "classic cache poisoning": the culprits allegedly worked at a Brazilian ISP and used default passwords to change the DNS settings on customer premises equipment, and modified the configurations of the ISP's recursive name servers to direct customers to bogus sites. ("Classic" cache poisoning attacks, of course, require no such special access to resolver or name server configuration to carry out.)
Besides raising the upsetting specter of collusion by the employees of ISPs, this threat brings us back to DNSSEC's "last mile" problem. While this would seem like a textbook example of the kind of threat DNSSEC should protect against, in fact DNSSEC wouldn't have been much help to most of the ISP's subscribers. Without a secure channel between a stub resolver, like the one on the laptop I'm typing on, and the local recursive name server, there's no foolproof way of determining that your name server has been replaced.
Posted in DNSSEC | DNS Security

August 31 2011 by Cricket Liu (Infoblox)
Boy, in just the last week, I've seen a number of notable developments in the world of DNS. You'd think that, after 25+ years, activity would die down a little!
First, OpenDNS and Google Public DNS announced that they're going to start trials of the extension described in draft-vandergaast-edns-client-subnet-00. Basically, that Internet Draft proposes a new EDNS0 option that would allow a recursive name server to include the IP address of the original stub resolver in the queries it sends to authoritative name servers. While at first blush that may not make sense - why would an authoritative name server care what the original querier's IP address was - recall that "authoritative name servers" are in many cases fancy global server load balancers run by content delivery networks, and that they want to decide where to direct you based on whereabouts on the Internet you live. Until now, if you used big recursive name servers in the sky such as OpenDNS's or Google Public DNS, you'd always look to a CDN like you were coming from whichever anycast instance you'd happened to be directed to. Now you can actually get a response that's meant for you.
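To make the mechanism concrete, here is an added example (not code from this post, from OpenDNS or from Google) that builds and parses the EDNS Client Subnet option a recursive name server would attach to its upstream queries. It assumes option code 8, the value IANA later assigned in RFC 7871 (the -00 draft named above predates that assignment), and applies the /24 and /56 source-prefix truncation that limits how much of the stub resolver's address the authoritative server actually sees.

```python
import ipaddress
import struct

# EDNS option code for Client Subnet as assigned by IANA in RFC 7871; the -00
# draft named on the page predates that assignment but uses the same layout.
ECS_OPTION_CODE = 8

def build_ecs_option(client_ip, source_prefix_len=None):
    """Return the option-data bytes of an EDNS Client Subnet option.

    Only the first source_prefix_len bits of the stub resolver's address are
    sent (default /24 for IPv4, /56 for IPv6), so the authoritative server
    learns the client's locality but not its full address.
    """
    addr = ipaddress.ip_address(client_ip)
    family = 1 if addr.version == 4 else 2
    if source_prefix_len is None:
        source_prefix_len = 24 if family == 1 else 56
    # Zero the bits beyond the prefix, then keep only the bytes holding the prefix.
    net = ipaddress.ip_network((addr, source_prefix_len), strict=False)
    nbytes = (source_prefix_len + 7) // 8
    truncated = net.network_address.packed[:nbytes]
    # FAMILY(2) | SOURCE PREFIX-LENGTH(1) | SCOPE PREFIX-LENGTH(1, 0 in queries) | ADDRESS
    return struct.pack("!HBB", family, source_prefix_len, 0) + truncated

def build_opt_rr(option_data, udp_payload_size=4096):
    """Wrap option data in an OPT pseudo-RR (root name, type 41) to append to a query."""
    rdata = struct.pack("!HH", ECS_OPTION_CODE, len(option_data)) + option_data
    # NAME=root, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLENGTH
    return b"\x00" + struct.pack("!HHIH", 41, udp_payload_size, 0, len(rdata)) + rdata

def parse_ecs_option(option_data):
    """Decode option data to (network, scope_prefix_len), rejecting malformed options."""
    if len(option_data) < 4:
        raise ValueError("ECS option too short")
    family, source_len, scope_len = struct.unpack("!HBB", option_data[:4])
    addr_bytes = option_data[4:]
    if family not in (1, 2):
        raise ValueError("unknown address family")
    full_len = 4 if family == 1 else 16
    if source_len > full_len * 8 or len(addr_bytes) != (source_len + 7) // 8:
        raise ValueError("address length does not match prefix length")
    padded = addr_bytes + b"\x00" * (full_len - len(addr_bytes))
    # strict=True rejects senders that leave bits beyond the prefix set.
    net = ipaddress.ip_network((ipaddress.ip_address(padded), source_len), strict=True)
    return net, scope_len
```

The sample addresses in the test below are constructed documentation-range values; a recursive server choosing a shorter source prefix than the defaults sends the CDN correspondingly less about its users.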
Posted in DNS Security

June 01 2011 by Cricket Liu (Infoblox)
InfoWorld just gave their 2011 Technology Leadership Award to my old friend and frequent collaborator, Matt. Matt's worked tirelessly on the deployment of DNSSEC in some of the biggest and most important zones on the Internet, including the root zone, .com and .net - all of which, I'll note, went off without a hitch. That doesn't happen by chance. To think that when I met him, he was fresh out of Northwestern, interviewing for a job at HP.
Congratulations, Matt. It's an honor you richly deserve.
Oh, and dinner's on me!
Posted in DNSSEC | DNS Security

March 31 2011 by Cricket Liu (Infoblox)
The com zone's DS record was added to the root zone today, marking an important milestone in the deployment of DNSSEC. com is the largest zone on the Internet by most measures, containing over 90 million delegations. This means that the administrators of the corresponding 90 million subzones can sign their zones, and validating recursive name servers will be able to follow a continuous chain of trust from the root zone's public Key-Signing Key to validate arbitrary data in those zones.
Posted in DNSSEC | DNS Security