<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: DNS Poisoning Getting Serious - Phishing from Open Recursive DNS Servers</title>
	<atom:link href="http://www.darknet.org.uk/2007/12/dns-poisoning-getting-serious-phishing-from-open-recursive-dns-servers/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.darknet.org.uk/2007/12/dns-poisoning-getting-serious-phishing-from-open-recursive-dns-servers/</link>
	<description>Ethical Hacking, Penetration Testing &#38; Computer Security</description>
	<pubDate>Thu, 04 Dec 2008 21:07:46 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.5</generator>
		<item>
		<title>By: Pantagruel</title>
		<link>http://www.darknet.org.uk/2007/12/dns-poisoning-getting-serious-phishing-from-open-recursive-dns-servers/#comment-118388</link>
		<dc:creator>Pantagruel</dc:creator>
		<pubDate>Fri, 14 Mar 2008 10:08:52 +0000</pubDate>
		<guid isPermaLink="false">http://www.darknet.org.uk/2007/12/dns-poisoning-getting-serious-phishing-from-open-recursive-dns-servers/#comment-118388</guid>
		<description>Interesting read on DNS poisoning and BIND9

http://www.securiteam.com/securitynews/5VP0L0UM0A.html

and somewhat dated regarding preventing DNS spoofing

http://www.faqs.org/ftp/internet-drafts/draft-hubert-dns-anti-spoofing-00.txt

@junheax

Basically even BIND9 appears to suffer from this, so the final solution has yet to be found (regarding BIND that is).

You are pointing in the right direction, but it's little use trying to get internet users more aware of the way the internet works. I for one have no need to explain to my parents (typical mainstream internet users) the intricate details of packet routing, DNS and such.
For them it just has to work, regardless of the mechanism behind it.

I for one think it's an ISP's task to keep their farm up to date and not for their clients to bother them about an out of date BIND version. They provide the gateway to the internet and should do their utmost to prevent this kind of stuff.
On the other side the users should be made aware of the ease with which data can be stolen or harvested from them and not depend blindly on their ISP keeping up with the latest in security.
Actually the browser providers (MS, Mozilla, Opera, etc.) have the unique opportunity to enlighten their users by simply explaining at the first start up the advent of a) an up to date browser and b) secure DNS/etc. (and not some dumb-ass dialog about what search engine to use)</description>
		<content:encoded><![CDATA[<p>Interesting read on DNS poisoning and BIND9</p>
<p><a href="http://www.securiteam.com/securitynews/5VP0L0UM0A.html" rel="nofollow">http://www.securiteam.com/securitynews/5VP0L0UM0A.html</a></p>
<p>and somewhat dated regarding preventing DNS spoofing</p>
<p><a href="http://www.faqs.org/ftp/internet-drafts/draft-hubert-dns-anti-spoofing-00.txt" rel="nofollow">http://www.faqs.org/ftp/internet-drafts/draft-hubert-dns-anti-spoofing-00.txt</a></p>
<p>@junheax</p>
<p>Basically even BIND9 appears to suffer from this, so the final solution has yet to be found (regarding BIND that is).</p>
<p>You are pointing in the right direction, but it&#8217;s little use trying to get internet users more aware of the way the internet works. I for one have no need to explain to my parents (typical mainstream internet users) the intricate details of packet routing, DNS and such.<br />
For them it just has to work, regardless of the mechanism behind it.</p>
<p>I for one think it&#8217;s an ISP&#8217;s task to keep their farm up to date and not for their clients to bother them about an out of date BIND version. They provide the gateway to the internet and should do their utmost to prevent this kind of stuff.<br />
On the other side the users should be made aware of the ease with which data can be stolen or harvested from them and not depend blindly on their ISP keeping up with the latest in security.<br />
Actually the browser providers (MS, Mozilla, Opera, etc.) have the unique opportunity to enlighten their users by simply explaining at the first start up the advent of a) an up to date browser and b) secure DNS/etc. (and not some dumb-ass dialog about what search engine to use)</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: junheax</title>
		<link>http://www.darknet.org.uk/2007/12/dns-poisoning-getting-serious-phishing-from-open-recursive-dns-servers/#comment-118286</link>
		<dc:creator>junheax</dc:creator>
		<pubDate>Thu, 13 Mar 2008 23:17:49 +0000</pubDate>
		<guid isPermaLink="false">http://www.darknet.org.uk/2007/12/dns-poisoning-getting-serious-phishing-from-open-recursive-dns-servers/#comment-118286</guid>
		<description>It's a shame this discussion ended so suddenly... hopefully this will stir it a bit to see where it stands today...

Yes, this is something that needs proactive measures.  Education is key but so far it has failed (most ISP DNS are vulnerable to poisoning as they run old versions of BIND).

There are interim solutions until the Internet gets upgraded to DNSSEC, such as running the latest BIND version with anti-DNS forgery firewall rules or running OpenDNS, which randomizes the ports to add a crypto security layer against forgery attacks.

The problem as I see it is that this vulnerability affects web clients the most but it is only visible and fixable in DNS servers.  A possible conflict of interests arises between web clients and ISPs as to the priority of fixing these bugs (especially, as pointed out before, considering that the classic ISP client knows so little).

So how to educate ISP clients (most home PC users) and tell them to tell their ISPs to keep their DNS software up to date?  The answer to this has business and legal implications.

Not something to take lightly.  It would be ideal for anyone involved in computer law to give his or her opinion.  

cheers,
Andres</description>
		<content:encoded><![CDATA[<p>It&#8217;s a shame this discussion ended so suddenly&#8230; hopefully this will stir it a bit to see where it stands today&#8230;</p>
<p>Yes, this is something that needs proactive measures.  Education is key but so far it has failed (most ISP DNS are vulnerable to poisoning as they run old versions of BIND).</p>
<p>There are interim solutions until the Internet gets upgraded to DNSSEC, such as running the latest BIND version with anti-DNS forgery firewall rules or running OpenDNS, which randomizes the ports to add a crypto security layer against forgery attacks.</p>
<p>The problem as I see it is that this vulnerability affects web clients the most but it is only visible and fixable in DNS servers.  A possible conflict of interests arises between web clients and ISPs as to the priority of fixing these bugs (especially, as pointed out before, considering that the classic ISP client knows so little).</p>
<p>So how to educate ISP clients (most home PC users) and tell them to tell their ISPs to keep their DNS software up to date?  The answer to this has business and legal implications.</p>
<p>Not something to take lightly.  It would be ideal for anyone involved in computer law to give his or her opinion.  </p>
<p>cheers,<br />
Andres</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: eM3rC</title>
		<link>http://www.darknet.org.uk/2007/12/dns-poisoning-getting-serious-phishing-from-open-recursive-dns-servers/#comment-94023</link>
		<dc:creator>eM3rC</dc:creator>
		<pubDate>Sun, 06 Jan 2008 22:25:22 +0000</pubDate>
		<guid isPermaLink="false">http://www.darknet.org.uk/2007/12/dns-poisoning-getting-serious-phishing-from-open-recursive-dns-servers/#comment-94023</guid>
		<description>The internet is becoming a very insecure and scary place =\</description>
		<content:encoded><![CDATA[<p>The internet is becoming a very insecure and scary place =\</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: goodpeople</title>
		<link>http://www.darknet.org.uk/2007/12/dns-poisoning-getting-serious-phishing-from-open-recursive-dns-servers/#comment-86283</link>
		<dc:creator>goodpeople</dc:creator>
		<pubDate>Thu, 20 Dec 2007 14:25:07 +0000</pubDate>
		<guid isPermaLink="false">http://www.darknet.org.uk/2007/12/dns-poisoning-getting-serious-phishing-from-open-recursive-dns-servers/#comment-86283</guid>
		<description>@Simson,

Considering the fact that it took them, what was it, 8 years? to develop DNSSEC, I think 3-5 is a little optimistic. But let's hope that this discussion speeds things up a little.

Like I said before, DNSSEC isn't so difficult to implement on small resolvers, but a lot harder to implement on the larger ones.</description>
		<content:encoded><![CDATA[<p>@Simson,</p>
<p>Considering the fact that it took them, what was it, 8 years? to develop DNSSEC, I think 3-5 is a little optimistic. But let&#8217;s hope that this discussion speeds things up a little.</p>
<p>Like I said before, DNSSEC isn&#8217;t so difficult to implement on small resolvers, but a lot harder to implement on the larger ones.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: goodpeople</title>
		<link>http://www.darknet.org.uk/2007/12/dns-poisoning-getting-serious-phishing-from-open-recursive-dns-servers/#comment-86282</link>
		<dc:creator>goodpeople</dc:creator>
		<pubDate>Thu, 20 Dec 2007 14:18:15 +0000</pubDate>
		<guid isPermaLink="false">http://www.darknet.org.uk/2007/12/dns-poisoning-getting-serious-phishing-from-open-recursive-dns-servers/#comment-86282</guid>
		<description>@Pantagruel 

I fear with you that we haven't seen the last of this one. As for the Dutch banking systems, they are regarded as the safest in the world. So Dutch banks are willing to do whatever it takes to stay there.</description>
		<content:encoded><![CDATA[<p>@Pantagruel </p>
<p>I fear with you that we haven&#8217;t seen the last of this one. As for the Dutch banking systems, they are regarded as the safest in the world. So Dutch banks are willing to do whatever it takes to stay there.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Pedro Pinheiro</title>
		<link>http://www.darknet.org.uk/2007/12/dns-poisoning-getting-serious-phishing-from-open-recursive-dns-servers/#comment-85976</link>
		<dc:creator>Pedro Pinheiro</dc:creator>
		<pubDate>Wed, 19 Dec 2007 18:13:24 +0000</pubDate>
		<guid isPermaLink="false">http://www.darknet.org.uk/2007/12/dns-poisoning-getting-serious-phishing-from-open-recursive-dns-servers/#comment-85976</guid>
		<description>As they say in IT security, there's no such thing as "safe", things can only be made "safer" :-)

The only way to get better security from man-in-the-middle attacks is to have one-time disposable keys for every transaction, i.e., when you order your bank to make a transfer, they'll ask for key #1385 and they'll never ask for it again... if the process of generating those keys is really random (and the order in which they are asked for also) you'll have an almost safe system.  Assuming that the key list hasn't been intercepted, of course.  This can also be done by some sort of algorithm, although it's more expensive and exploitable.</description>
		<content:encoded><![CDATA[<p>As they say in IT security, there&#8217;s no such thing as &#8220;safe&#8221;, things can only be made &#8220;safer&#8221; :-)</p>
<p>The only way to get better security from man-in-the-middle attacks is to have one-time disposable keys for every transaction, i.e., when you order your bank to make a transfer, they&#8217;ll ask for key #1385 and they&#8217;ll never ask for it again&#8230; if the process of generating those keys is really random (and the order in which they are asked for also) you&#8217;ll have an almost safe system.  Assuming that the key list hasn&#8217;t been intercepted, of course.  This can also be done by some sort of algorithm, although it&#8217;s more expensive and exploitable.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Pantagruel</title>
		<link>http://www.darknet.org.uk/2007/12/dns-poisoning-getting-serious-phishing-from-open-recursive-dns-servers/#comment-85952</link>
		<dc:creator>Pantagruel</dc:creator>
		<pubDate>Wed, 19 Dec 2007 16:12:17 +0000</pubDate>
		<guid isPermaLink="false">http://www.darknet.org.uk/2007/12/dns-poisoning-getting-serious-phishing-from-open-recursive-dns-servers/#comment-85952</guid>
		<description>Thanks for the assistance Nobody_Holme (memo to self, get your math fixed ;) ). Indeed spoofing will make the scam complete.

A traceroute is a nice idea, but given the 'round robin' way of reaching the desired host, the output will be hard to interpret.</description>
		<content:encoded><![CDATA[<p>Thanks for the assistance Nobody_Holme (memo to self, get your math fixed ;) ). Indeed spoofing will make the scam complete.</p>
<p>A traceroute is a nice idea, but given the &#8216;round robin&#8217; way of reaching the desired host, the output will be hard to interpret.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Nobody_Holme</title>
		<link>http://www.darknet.org.uk/2007/12/dns-poisoning-getting-serious-phishing-from-open-recursive-dns-servers/#comment-85942</link>
		<dc:creator>Nobody_Holme</dc:creator>
		<pubDate>Wed, 19 Dec 2007 15:37:48 +0000</pubDate>
		<guid isPermaLink="false">http://www.darknet.org.uk/2007/12/dns-poisoning-getting-serious-phishing-from-open-recursive-dns-servers/#comment-85942</guid>
		<description>You could just spoof the real site's authority...
Also, I suggest everyone runs a traceroute on PayPal... I don't use it, but I ran one for reference so I could test if my DNS had been caught by this, and somewhere near Denver it bounced back on itself before reaching PayPal itself. Slightly worrying that everything in the southern end of the States and all of South America goes through the area where it deviated for me. On the upside, I don't use any version of PayPal personally.</description>
		<content:encoded><![CDATA[<p>You could just spoof the real site&#8217;s authority&#8230;<br />
Also, I suggest everyone runs a traceroute on PayPal&#8230; I don&#8217;t use it, but I ran one for reference so I could test if my DNS had been caught by this, and somewhere near Denver it bounced back on itself before reaching PayPal itself. Slightly worrying that everything in the southern end of the States and all of South America goes through the area where it deviated for me. On the upside, I don&#8217;t use any version of PayPal personally.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Simson</title>
		<link>http://www.darknet.org.uk/2007/12/dns-poisoning-getting-serious-phishing-from-open-recursive-dns-servers/#comment-85895</link>
		<dc:creator>Simson</dc:creator>
		<pubDate>Wed, 19 Dec 2007 12:04:49 +0000</pubDate>
		<guid isPermaLink="false">http://www.darknet.org.uk/2007/12/dns-poisoning-getting-serious-phishing-from-open-recursive-dns-servers/#comment-85895</guid>
		<description>@Pantagruel

You will get an SSL warning popup window if you visit a DNS-poisoned SSL site, as long as the fake cert is not signed by an authorized company, and it's quite difficult to create a valid signed certificate if you don't work at the company being faked.
I have only heard of one case where someone managed to create/obtain a valid fake cert.

@goodpeople
I don't think there will be any other solution than DNSSEC; however, it will probably take another 3-5 years before "everyone" has installed DNSSEC. http://www.ccnso.icann.org/surveys/dnssec-survey-report-2007.pdf

If there existed another easy solution to this problem, we would already have had it by now.</description>
		<content:encoded><![CDATA[<p>@Pantagruel</p>
<p>You will get an SSL warning popup window if you visit a DNS-poisoned SSL site, as long as the fake cert is not signed by an authorized company, and it&#8217;s quite difficult to create a valid signed certificate if you don&#8217;t work at the company being faked.<br />
I have only heard of one case where someone managed to create/obtain a valid fake cert.</p>
<p>@goodpeople<br />
I don&#8217;t think there will be any other solution than DNSSEC; however, it will probably take another 3-5 years before &#8220;everyone&#8221; has installed DNSSEC. <a href="http://www.ccnso.icann.org/surveys/dnssec-survey-report-2007.pdf" rel="nofollow">http://www.ccnso.icann.org/surveys/dnssec-survey-report-2007.pdf</a></p>
<p>If there existed another easy solution to this problem, we would already have had it by now.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Pantagruel</title>
		<link>http://www.darknet.org.uk/2007/12/dns-poisoning-getting-serious-phishing-from-open-recursive-dns-servers/#comment-85714</link>
		<dc:creator>Pantagruel</dc:creator>
		<pubDate>Wed, 19 Dec 2007 00:18:40 +0000</pubDate>
		<guid isPermaLink="false">http://www.darknet.org.uk/2007/12/dns-poisoning-getting-serious-phishing-from-open-recursive-dns-servers/#comment-85714</guid>
		<description>@Goodpeople

For everyday use it poses no real threat, perhaps some minor problem, but beyond the real dangers of DNS poisoning. No one gives anything for poisoned DNS as long as they can download their stuff.

I am familiar with the Dutch system (Rabobank etc.); this two-way identification system works quite well. But even you should know that ABN AMRO quite recently released a mailing to their clients warning about websites posing as ABN's internet banking site. They quite rigorously renewed their website to up the score. If you were to combine a good copy-cat website along with DNS poisoning you might just be able to fool enough average internet consumers into entering their data and allow someone else to do some alternate transactions. This is exactly why we are suffering from the clumsy "3x times knocking campaign" (www.3xkloppen.nl) sending some people on a wild goose chase.

Since more average users are using secured internet transactions for either banking or simple online shopping, the possible impact of poisoned DNS is big. Like mentioned before, unless you actually read the SSL certificate (I guess only the really paranoid do that) it will be even harder to detect a fraudulent SSL connection; you have just lost one of three checkpoints according to the campaign. Sadly the SSL connection and certificate are highly regarded, so I think you actually lose more than just one check, since most people will simply not look beyond a fraud presenting itself through an SSL website.
We are getting into repetition here, but again, education is the key.
My guess is we haven't seen the last of this one.</description>
		<content:encoded><![CDATA[<p>@Goodpeople</p>
<p>For everyday use it poses no real threat, perhaps some minor problem, but beyond the real dangers of DNS poisoning. No one gives anything for poisoned DNS as long as they can download their stuff.</p>
<p>I am familiar with the Dutch system (Rabobank etc.); this two-way identification system works quite well. But even you should know that ABN AMRO quite recently released a mailing to their clients warning about websites posing as ABN&#8217;s internet banking site. They quite rigorously renewed their website to up the score. If you were to combine a good copy-cat website along with DNS poisoning you might just be able to fool enough average internet consumers into entering their data and allow someone else to do some alternate transactions. This is exactly why we are suffering from the clumsy &#8220;3x times knocking campaign&#8221; (www.3xkloppen.nl) sending some people on a wild goose chase.</p>
<p>Since more average users are using secured internet transactions for either banking or simple online shopping, the possible impact of poisoned DNS is big. Like mentioned before, unless you actually read the SSL certificate (I guess only the really paranoid do that) it will be even harder to detect a fraudulent SSL connection; you have just lost one of three checkpoints according to the campaign. Sadly the SSL connection and certificate are highly regarded, so I think you actually lose more than just one check, since most people will simply not look beyond a fraud presenting itself through an SSL website.<br />
We are getting into repetition here, but again, education is the key.<br />
My guess is we haven&#8217;t seen the last of this one.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
