Taking DNS Security for Granted


One of the hallway conversations I had yesterday was about how DNS is just hanging on by a thread from a security standpoint. The basic idea is that if I can control name resolution for you, I can phish you all day and you'll never know. Systems like OpenID are wholly dependent on the integrity of the DNS system.

One method an attacker can use to insert themselves into the DNS resolution process is a Wi-Fi hub. Whether it's a free hub acting as bait, or one someone has broken into, Wi-Fi hubs are a perfect place to subvert DNS. Once that's happened, you may type paypal.com into your browser, but you won't necessarily end up on PayPal's site. Sure, people can check certificates, but who does that?

A more insidious issue is ISPs who hijack "not found" returns as opportunities to display ads. It works like this. Say you type noworkie.windley.com into your browser. You should get a page saying that the domain wasn't found. We've all seen that. But an ISP can intercept that "not found" return and instead give you an IP address for a server they control that has ads. For windley.com, that might not be a big deal, but what if you typed wwww.paypal.com and got back a page of ads, some of which are from phishers? You think you're clicking on something on a PayPal page, but you're not.
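One way to check whether the resolver you are using rewrites "not found" answers, as an added example that is not part of the original post: it looks up random names that cannot exist under several unrelated zones and compares what comes back. The function names, the verdict strings and the choice of probe zones are assumptions made for this sketch.

```python
import secrets
import socket

# Zones to probe. windley.com and paypal.com are the article's examples;
# "invalid" is the reserved TLD that must never resolve (RFC 6761).
PARENTS = ("windley.com", "paypal.com", "invalid")

def system_resolve(name):
    """Ask the OS resolver; return the set of addresses, empty if not found."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def check_nxdomain_rewriting(resolve=system_resolve, parents=PARENTS):
    """Look up one random, never-registered name under each parent zone.

    An honest resolver returns nothing for all of them. A zone owner's
    wildcard record explains answers under one parent only. The same
    address coming back under unrelated parents means the resolver is
    substituting its own answer for "not found".
    """
    answers = {}
    for parent in parents:
        name = f"{secrets.token_hex(12)}.{parent}"  # 96 random bits
        addrs = set(resolve(name))
        if addrs:
            answers[parent] = addrs
    if not answers:
        return {"verdict": "clean", "addresses": []}
    shared = set.intersection(*answers.values())
    if len(answers) >= 2 and shared:
        return {"verdict": "rewriting", "addresses": sorted(shared)}
    # One zone answered, or zones answered with unrelated addresses.
    return {"verdict": "inconclusive",
            "addresses": sorted(set.union(*answers.values()))}

if __name__ == "__main__":
    # Uses the live system resolver when run directly.
    print(check_nxdomain_rewriting())
```

Passing a different `resolve` callable lets the same check run against a specific resolver or against recorded answers.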

This practice is dangerous, but, as far as I know, not illegal. Technically, as the owner of windley.com, I and I alone ought to be able to determine what subdomains of that domain resolve to. But there's no way to enforce that.

Most of us take DNS for granted, but that's not going to last, I'm afraid. It's the new frontier in subverting the infrastructure of the 'Net for nefarious purposes.