On Fri, 22 May 2020 22:38:19 +0100 Sad Clouds <[email protected]> wrote:
> It seems there are two main security enhancements for DNS:
>
> 1. DNSSEC - digital signatures for DNS records to verify they haven't
> been tampered with.
>
> 2. DNS over TLS - encryption of DNS traffic for privacy. This goes via
> port 853 and could be over TCP or UDP (DTLS), although it's not clear
> to me if both TCP and UDP are always supported, or if it's mainly TCP.

I've been doing some more research and came across this article on DNS hijacking:
https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html

Some of the techniques they describe seem to follow these steps:

1. DNS account is compromised and either A or NS records are changed to
point to a bogus server.

2. User connects to "email.mydomain.com" which is sent to a bogus server
that acts as a "man in the middle", collecting credentials and then
forwarding everything to the real "email.mydomain.com".

I think TLS was designed to avoid "man in the middle" attacks, but it
seems in this case a bogus server is using its own "valid" TLS certificate
and then proxying connections to the real server. I don't quite understand
how this works. Is it the case of somebody creating a second valid TLS
certificate for "email.mydomain.com" in order to masquerade as a genuine
email server? So if different CAs can issue such certificates, how do you
mitigate such attacks? Isn't this a flaw in the PKI design to have
different CAs that can vouch for the same domain?

Under the "Prevention Tactics" the article talks about "revoking malicious
certificates", but what tools/methods are there to tell you which
certificates are malicious?
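An added example, not from this thread, that reproduces the situation the question describes with a hypothetical in-memory test PKI: a client trusts two independent CAs, each issues a certificate for "email.mydomain.com", and standard chain validation accepts both, because nothing in the trust store says which CA is allowed to vouch for that name. The only party that can tell the two apart is the domain owner, who knows which key they actually deployed; the comparison at the end is that check. The CA names, the self-signed issuance helper and the `Demo` function are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a cert for cn signed by parent (parent nil: self-signed CA). Hypothetical in-memory test PKI.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames:     []string{cn}, // for a leaf, the hostname the TLS client matches against
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-sign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo trusts two CAs and obtains a cert for the same host from each. It returns whether each
// chain verifies, and whether the bogus cert carries a key other than the one the owner deployed.
func Demo() (genuineOK, bogusOK, keyMismatch bool) {
	const host = "email.mydomain.com"
	ca1, key1 := newCert("Test CA 1", true, nil, nil)
	ca2, key2 := newCert("Test CA 2", true, nil, nil)
	roots := x509.NewCertPool() // the client's trust store, like a browser root bundle
	roots.AddCert(ca1)
	roots.AddCert(ca2)
	genuine, _ := newCert(host, false, ca1, key1)
	bogus, _ := newCert(host, false, ca2, key2) // same name, other CA, attacker's own key
	opts := x509.VerifyOptions{Roots: roots, DNSName: host}
	_, errGenuine := genuine.Verify(opts)
	_, errBogus := bogus.Verify(opts) // also passes: the client cannot know which CA "should" have issued
	genuineOK, bogusOK = errGenuine == nil, errBogus == nil
	// The owner can tell: they know which key they deployed, and this is not it.
	keyMismatch = !genuine.PublicKey.(*ecdsa.PublicKey).Equal(bogus.PublicKey)
	return
}
```

Both `Verify` calls succeed, which is the PKI property the question is about; only the owner-side key comparison flags the second certificate.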
