nanog mailing list archives
RE: DNS Hijacking by Cox
From: "Marcus H. Sachs" <marc () sachsfamily net>
Date: Sun, 22 Jul 2007 22:04:50 -0400
DNSSEC provides source authenticity and data integrity. You may get a bogus answer, but with DNSSEC in place at least you have a way of verifying the bogosity (is that a word?) of the reply. I agree with Steve, DNSSEC won't stop these tricks but it makes them detectable. I'm a Cox user at home but I have my Linksys home router configured to use DNS servers of my own choosing rather than Cox' choice. I also tunnel my email through SSH to a mail server I control so that I'm not blocked by their port 25 filters. Marc -----Original Message----- From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of Steven M. Bellovin Sent: Sunday, July 22, 2007 9:46 PM To: Patrick W. Gilmore Cc: nanog () merit edu; Patrick W. Gilmore Subject: Re: DNS Hijacking by Cox On Sun, 22 Jul 2007 21:40:05 -0400 "Patrick W. Gilmore" <patrick () ianai net> wrote:
On Jul 22, 2007, at 9:29 PM, Steven M. Bellovin wrote:On Sun, 22 Jul 2007 14:56:13 -0700 "Andrew Matthews" <exstatica () gmail com> wrote:It looks like cox is hijacking dns for irc servers.And people wonder why I support DNSsec....Steve, One of us is confused. It might be me, but right now I think it's you. To be clear, here is the situation as I understand it: Cox has configured their recursive name servers such that when an end user queries the recursive server for a specific host name (names?), the recursive server responds with an IP address the host's owner did not configure. How exactly is DNSSEC going to stop them from doing this?
If my host expects the response to be signed and it isn't, my host can scream bloody murder. The whole point of DNSSEC is to prevent random changes to DNS replies, whether by hackers or by ISPs. Yes, they can change it, but they can't change it without being caught. --Steve Bellovin, http://www.cs.columbia.edu/~smb
Current thread:
- Re: DNS Hijacking by Cox, (continued)
- Re: DNS Hijacking by Cox Joe Greco (Jul 23)
- RE: DNS Hijacking by Cox Raymond L. Corbin (Jul 23)
- Re: DNS Hijacking by Cox Joe Greco (Jul 23)
- RE: DNS Hijacking by Cox David Schwartz (Jul 23)
- Re: DNS Hijacking by Cox Andrew Matthews (Jul 23)
- Re: DNS Hijacking by Cox Joe Greco (Jul 22)
- Re: DNS Hijacking by Cox Patrick W. Gilmore (Jul 22)
- Re: DNS Hijacking by Cox Steven M. Bellovin (Jul 22)
- Re: DNS Hijacking by Cox John C. A. Bambenek (Jul 22)
- RE: DNS Hijacking by Cox Marcus H. Sachs (Jul 22)
- Re: DNS Hijacking by Cox Steven M. Bellovin (Jul 22)
- Re: DNS Hijacking by Cox James Hess (Jul 22)
- Re: DNS Hijacking by Cox Perry Lorier (Jul 23)
- Re: DNS Hijacking by Cox Sean Donelan (Jul 23)
- Re: DNS Hijacking by Cox James Hess (Jul 23)
- Re: DNS Hijacking by Cox Perry Lorier (Jul 23)
- Re: DNS Hijacking by Cox Mattias Ahnberg (Jul 24)
- Re: DNS Hijacking by Cox Peter Dambier (Jul 24)
- Re: DNS Hijacking by Cox Mattias Ahnberg (Jul 25)
- Re: DNS Hijacking by Cox Peter Dambier (Jul 25)