Tutorial de DNS
Finally Google has indexed me and now we finally exist, as you all well know if Google can't find it either it doesn't exist or is not worth it. I hope overtime I'll get some popularity and I'll rise in Google Rank.
I have started to add a tutorial about DNS (Domain Name Service), which although is one of the most important Internet protocols it's also one of the most unknown, DNS is in charge of converting www.shenron.es
into an IP address for the web browser whenever somebody types it in the address bar, so the browser knows where to go for my web page. The main reason I'm writing about DNS is that after Dan Kaminsky found important weeknesses in DNS it's again at the front of the news.
These vulnerabilities were known but were considered difficult to exploit, Kaminsky discovery is worsened by the loose management a lot of organizations have over their Internet critical infrastructure. These are a couple of examples:
- Spoofing: it consists of sending IP datagrams with fake origin IP address, in the case of UDP based protocols it is specially easy, since they do not require connexion establishment. It could be mitigated by implementing the recommendations of BCP 38, which mainly consist of ensuring routers discard packets with source IP addresses that are obviously fake (the IP address can not be accessed on the interface the packet came in)
- Not blocking requests from unauthorized locations: recursive servers should only accept requests from IP addresses managed by the organization that controls the DNS server, and drop any other request.
Additionally kaminsky used the birthday attack to maximize the success probabilities, as it's detected in section 5 of RFC 5452.
These vulnerabilities will not be fully solved until the implementation of DNNSEC is complete, but it's been mitigated to the point of making it difficult to exploit with the implementation of random source ports.
This is my first real post an I hope you've liked it. I'll be back soon.
- Bernat's blog
- Login to post comments