That particular case, I have been told, is protected against by using DNSSEC,
which ensures the host will detect the fraudulent answer to this directed
attack and will fall back to using another DNS server (or fail)...

If the host had been single-homed, it would have sent all its queries to
the interface this attacker has control over.

Teemu

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of ext Andrew Sullivan
> Sent: 14 January 2011 18:01
> To: [email protected]
> Subject: Re: [DNSOP] draft-savolainen-mif-dns-server-selection-06.txt
> 
> On Fri, Jan 14, 2011 at 03:53:25PM +0000, [email protected]
> wrote:
> >
> > Shouldn't we work e.g. on securing all DHCPv6 signaling?
> 
> I would say so, yes.
> 
> But note that this particular option makes it easier to target one
> domain in particular.  That's a more directed attack, so it seems to
> me to be a little more serious than "capture all the traffic".  It's
> hard to spoof the entire Internet.  It might not be so hard to spoof
> mycompany.com.
> 
> A
> 
> --
> Andrew Sullivan
> [email protected]
> Shinkuro, Inc.
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop