On Thu, 23 Apr 2009, 马迪 wrote:
> As we all know, DNSSEC provides origin authentication and integrity assurance services for DNS data exchanged between a DNS resolver and a name server, while DNSSEC fails to give a means by which the DNS queries or responses transmitted between a host and a recursive server could be guaranteed integrity and authentication. For example, a malicious attacker might hijack the DNS query from a host and fake a response which will help him commit phishing. So I wonder, is there someone having a certain solution, more exactly a software implementation on the host, to protect against such an attack?
Aside from earlier comments made, I wanted to point out the difference in scale here. Poisoning an ISP's caching resolver is much more useful to phishing than poisoning my laptop's DNS packet to its hotspot resolver. For untargeted massive phishing attacks, the last mile is really uninteresting. Of course, when it comes to industrial espionage or targeting CEOs or individuals specifically, the last mile attack might be worth it, though it's easier to send them spam emails to click on dancing bears. Of course, those individuals SHOULD be using IPsec when using untrusted networks for many reasons, one of which is to protect their DNS traffic.

Paul

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
