On Tue, Oct 22, 2013 at 6:20 PM, Rubens Kuhl <rube...@nic.br> wrote:

> Which brings me to the topic of resolver-behind-upstream attacks which
> were not commented upon.
>
> As you know, one of the recommendations of experts and Internet operators,
> following the Kaminsky attack, was `either deploy patches or configure your
> resolver to use a secure upstream forwarder`, e.g., OpenDNS was typically
> recommended. The security is established since the resolver is hidden from
> the Internet and sends its requests only via its upstream forwarder.
> This configuration is still believed to be secure and is recommended by
> experts.
>
> Would DNSCrypt, supported by OpenDNS, be a possible mitigation to this
> issue?
>
> As you know we found vulnerabilities in such configuration, and designed
> techniques allowing to find the IP address of the hidden resolver, and then
> to discover its port allocation (the attacks apply to per-destination ports
> recommended in [RFC6056] or to fixed ports).
> This attack can be extremely stealthy and efficient, and applies to
> networks where communication between the resolver and upstream forwarder is
> not over TCP, and therefore can be fragmented (fragmentation of a single
> byte suffices).
>
> Would IPsec between resolver and upstream forwarder be a possible mitigation
> to this issue?

Sure, both solve the problem. In particular, any secure channel protocol, between the proxy resolver and an upstream forwarder, prevents the attacks.

> Rubens

-- 
Haya Shulman
Technische Universität Darmstadt
FB Informatik/EC SPRIDE
Mornewegstr. 30
64293 Darmstadt
Tel. +49 6151 16-75540
www.ec-spride.de
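The precondition stated above is that the resolver-to-forwarder path runs over UDP and can therefore be fragmented. The script below is an added example, not code from this thread or from either author: it is a defender-side check that scans raw IPv4 packets on that path, reassembly-style groups fragments by (source, destination, IP ID), and reports every fragmented datagram whose first fragment carries UDP port 53. The resolver and forwarder addresses and the sample packets are constructed for the example; in practice you would feed it the IP-layer bytes of a capture taken on the resolver. If the check ever fires on a path you believed to be TCP-only, DNSCrypt-protected or inside an IPsec tunnel, that path is not what you think it is.

```python
import socket
import struct
from collections import defaultdict

IPPROTO_UDP = 17
DNS_PORT = 53


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed part of an IPv4 header and return the fields needed
    for fragment analysis plus the payload that follows the header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, ip_id, flags_frag, _ttl, proto, _cksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "id": ip_id,
        "proto": proto,
        "mf": bool(flags_frag & 0x2000),       # More Fragments flag
        "offset": (flags_frag & 0x1FFF) * 8,   # fragment offset in bytes
        "payload": pkt[ihl:],
    }


def udp_ports(payload: bytes):
    """Return (sport, dport) from a UDP header, or None if it is too short."""
    if len(payload) < 8:
        return None
    return struct.unpack("!HH", payload[:4])


def find_fragmented_dns(packets, resolver_ip, forwarder_ip):
    """Group IPv4 fragments exchanged between resolver and forwarder by
    (src, dst, IP ID) and report each group whose first fragment carries a
    UDP header with port 53. Only the offset-0 fragment has a UDP header, so
    the port can only be read there; groups without it cannot be classified."""
    endpoints = {resolver_ip, forwarder_ip}
    groups = defaultdict(list)
    for raw in packets:
        ip = parse_ipv4(raw)
        if ip["proto"] != IPPROTO_UDP:
            continue                        # not UDP (e.g. TCP or ESP)
        if not (ip["mf"] or ip["offset"] > 0):
            continue                        # whole datagram, not a fragment
        if {ip["src"], ip["dst"]} != endpoints:
            continue                        # not the resolver<->forwarder path
        groups[(ip["src"], ip["dst"], ip["id"])].append(ip)

    alerts = []
    for (src, dst, ip_id), frags in groups.items():
        first = next((f for f in frags if f["offset"] == 0), None)
        if first is None:
            continue                        # first fragment not seen
        ports = udp_ports(first["payload"])
        if ports is None or DNS_PORT not in ports:
            continue
        alerts.append({"src": src, "dst": dst, "ip_id": ip_id,
                       "fragments": len(frags)})
    return alerts


# --- constructed sample traffic (hypothetical addresses, not captured data) ---
RESOLVER = "192.0.2.10"      # hypothetical hidden resolver
FORWARDER = "203.0.113.5"    # hypothetical upstream forwarder


def make_ipv4(src, dst, ip_id, mf, offset, payload, proto=IPPROTO_UDP):
    """Build a minimal IPv4 packet (checksum left zero; never transmitted)."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id,
                      flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def udp(sport, dport, data):
    """Build a UDP header (checksum zero) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


SAMPLE_PACKETS = [
    # a DNS response from the forwarder split in two: the first fragment (MF
    # set) carries the UDP header, the last one only the remaining payload
    make_ipv4(FORWARDER, RESOLVER, 0x1234, True, 0, udp(53, 40321, b"\x00" * 16)),
    make_ipv4(FORWARDER, RESOLVER, 0x1234, False, 24, b"\x00" * 8),
    # an unfragmented DNS response: nothing to report
    make_ipv4(FORWARDER, RESOLVER, 0x2222, False, 0, udp(53, 40322, b"\x00" * 12)),
    # fragmented NTP (UDP/123) on the same path: not DNS, ignored
    make_ipv4(FORWARDER, RESOLVER, 0x3333, True, 0, udp(123, 123, b"\x00" * 48)),
    make_ipv4(FORWARDER, RESOLVER, 0x3333, False, 56, b"\x00" * 8),
    # fragmented DNS from an unrelated host: not on the monitored path, ignored
    make_ipv4("198.51.100.7", RESOLVER, 0x4444, True, 0, udp(53, 40323, b"\x00" * 16)),
]


if __name__ == "__main__":
    for a in find_fragmented_dns(SAMPLE_PACKETS, RESOLVER, FORWARDER):
        print(f"fragmented UDP/53 datagram {a['src']} -> {a['dst']} "
              f"id=0x{a['ip_id']:04x} fragments={a['fragments']}")
```

The grouping key deliberately mirrors what the resolver's own IP stack uses for reassembly, so what the script reports is exactly the set of datagrams the resolver would have reassembled from fragments before handing them to the DNS code.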
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs