On Fri, Sep 27, 2013 at 2:41 PM, Karl Malbrain <[email protected]> wrote:
> I'm concerned about three DNS security problems:
>
> 1. Passive surveillance of traffic going to DNS resolvers yielding
> meta-data.

Use your own resolver and/or encrypt traffic to the resolver. e.g. Omnibroker.

> 2. MITM who inserts himself between a particular DNS client and a
> particular DNS resolver, and provides false addresses and certificates for
> use in MITM attacks.

Authenticate messages between the client and resolver. e.g. Omnibroker.

> 3. A larger adversary who installs his own DNS resolver for a given
> geographic area by controlling the traffic at the router level into and out
> of that area to redirect DNS traffic to his DNS resolver, and then inserts
> MITM attacks on any connection out of the area he desires by supplying
> bogus addresses and/or server certificates.

Tunnel your communication traffic to your chosen resolver via available channels, e.g. HTTP or UDP or DNS tunnel e.g. Omnibroker.

> I'm not concerned at this time about an even larger adversary capable of
> surveillance of all traffic in a given geographic area, yielding a complete
> set of meta-data.

That is a harder problem but one that I suspect is not such a great deal due to caching. The NSA is only occasionally going to be able to match one of my requests to outbound traffic. A resolver could even obfuscate those. For example in the case of a cache miss make 20 DNS queries rather than one.

-- 
Website: http://hallambaker.com/
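The cache-miss obfuscation sketched at the end of the reply (pad each real lookup with decoy queries so an observer of the resolver's upstream traffic cannot single out the name the client wanted) as an added example. This is not code from the thread or from Omnibroker: the upstream resolver, the zone data, the decoy pool and the class/function names are all constructed for illustration, and the example uses RFC 5737 documentation addresses.

```python
"""Toy caching stub resolver that hides cache-miss lookups among decoy queries.

Added example, not code from the perpass thread or from Omnibroker. The upstream
resolver, zone data and decoy pool below are constructed for illustration.
"""
import random
import time
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone data standing in for a real upstream resolver (RFC 5737 addresses).
UPSTREAM_ZONE: Dict[str, str] = {
    "example.com": "192.0.2.10",
    "example.net": "192.0.2.11",
    "example.org": "192.0.2.12",
}

# Constructed cover-traffic pool: names the resolver is willing to look up as decoys.
# A real deployment would draw these from genuinely popular names so the decoys
# blend in with ordinary traffic.
DECOY_POOL: List[str] = (
    ["example.com", "example.net", "example.org"]
    + [f"decoy{i}.example" for i in range(1, 25)]
)


def fake_upstream(name: str) -> Optional[str]:
    """Stand-in for the upstream resolver; None plays the role of NXDOMAIN."""
    return UPSTREAM_ZONE.get(name)


class DecoyResolver:
    """Caching resolver that emits decoy_count queries (real one included) per cache miss."""

    def __init__(self, upstream: Callable[[str], Optional[str]],
                 decoy_count: int = 20, ttl: float = 300.0,
                 seed: Optional[int] = None) -> None:
        self.upstream = upstream
        self.decoy_count = decoy_count
        self.ttl = ttl
        self.rng = random.Random(seed)  # seedable so the behaviour is reproducible
        self.cache: Dict[str, Tuple[Optional[str], float]] = {}  # name -> (answer, expiry)
        self.sent: List[str] = []  # every upstream query an on-path observer would see

    def _cached(self, name: str, now: float) -> Optional[Tuple[Optional[str], float]]:
        entry = self.cache.get(name)
        if entry is not None and entry[1] > now:
            return entry
        return None

    def resolve(self, name: str, now: Optional[float] = None) -> Tuple[Optional[str], int]:
        """Return (answer, number of upstream queries this lookup caused).

        A cache hit sends nothing upstream, which is the caching argument in the
        reply: most client requests never appear on the wire at all.
        """
        now = time.time() if now is None else now
        hit = self._cached(name, now)
        if hit is not None:
            return hit[0], 0
        # Cache miss: pad the real query with distinct decoys and send the batch in
        # random order, so the wanted name is not distinguishable by position.
        candidates = [d for d in DECOY_POOL if d != name]
        decoys = self.rng.sample(candidates, min(self.decoy_count - 1, len(candidates)))
        batch = decoys + [name]
        self.rng.shuffle(batch)
        answer: Optional[str] = None
        for q in batch:
            self.sent.append(q)
            a = self.upstream(q)
            self.cache[q] = (a, now + self.ttl)  # decoy answers warm the cache too
            if q == name:
                answer = a
        return answer, len(batch)


def run_demo() -> Tuple[int, int, int]:
    """Stand-alone run: queries sent on a miss, on a hit, and after TTL expiry."""
    r = DecoyResolver(fake_upstream, decoy_count=20, ttl=300.0, seed=1)
    _, on_miss = r.resolve("example.com", now=0.0)
    _, on_hit = r.resolve("example.com", now=100.0)
    _, after_expiry = r.resolve("example.com", now=301.0)
    return on_miss, on_hit, after_expiry


if __name__ == "__main__":
    print(run_demo())
```

The cost of the scheme is visible in the code: every miss multiplies upstream load by `decoy_count`, and the decoys only give cover if they are drawn from names a real client plausibly asks for; a pool of obviously synthetic names would let the observer discard them and single out the real query.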
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
