Abstract
The Domain Name System underlies almost every transaction on the internet, from sending email to visiting a web page. Its security and reliability are therefore of paramount importance. This presentation will outline the nature of threats to the DNS, complete with numbers quantifying the risks. In addition, popular and future countermeasures will be discussed, along with their impact on DNS. Risks examined include blind spoofing, triggered blind spoofing, NAT-aware blind spoofing, modern cache poisoning techniques and DNS nameserver record dependency exploitation. Additionally, the danger and consequences of man-in-the-middle attacks will be discussed. One of the more interesting conclusions is that, despite widespread hype, the famous 'Kaminsky spoof' is very impracticable on a modern DNS resolver, even if it does not implement specific countermeasures. Numbers will be shown to outline why this is so hard. Finally, some words will be spent discussing how DNSSEC could address the problems mentioned above. The hope is that this will lead to constructive discussion later during the event.