nanog mailing list archives

Re: DNS Hijacking by Cox


From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Sun, 22 Jul 2007 21:46:19 -0400


On Sun, 22 Jul 2007 21:40:05 -0400
"Patrick W. Gilmore" <patrick () ianai net> wrote:


> On Jul 22, 2007, at 9:29 PM, Steven M. Bellovin wrote:
>> On Sun, 22 Jul 2007 14:56:13 -0700
>> "Andrew Matthews" <exstatica () gmail com> wrote:
>>
>>> It looks like Cox is hijacking DNS for IRC servers.
>>
>> And people wonder why I support DNSsec....
>
> Steve,
>
> One of us is confused.  It might be me, but right now I think it's
> you.
>
> To be clear, here is the situation as I understand it: Cox has
> configured their recursive name servers such that when an end user
> queries the recursive server for a specific host name (names?), the
> recursive server responds with an IP address the host's owner did not
> configure.
>
> How exactly is DNSSEC going to stop them from doing this?

If my host expects the response to be signed and it isn't, my host can
scream bloody murder.  The whole point of DNSSEC is to prevent random
changes to DNS replies, whether by hackers or by ISPs.

Yes, they can change it, but they can't change it without being caught.


                --Steve Bellovin, http://www.cs.columbia.edu/~smb
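Steve's point about a host that expects a signed answer, shown as an added Go model (not code from this thread or from any of its participants): a zone owner signs one RRset with an Ed25519 key (DNSSEC algorithm 15), and a validating resolver checks what it gets back, once with the address a recursive server substituted and once with the RRSIG stripped. It assumes a simplified canonical form and that the resolver already trusts the zone's public key, so there is no DS chain or key lookup; the name irc.example.net and the addresses are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)
// RRset is a simplified resource record set (real DNSSEC also covers class and TTL).
type RRset struct {
	Name  string
	Type  string
	Rdata []string // A record addresses as strings
}
// canonical serialises the RRset identically for signer and validator: owner
// lowercased, rdata sorted (a stand-in for the RFC 4034 canonical form).
func canonical(rr RRset) []byte {
	data := append([]string(nil), rr.Rdata...)
	sort.Strings(data)
	return []byte(strings.ToLower(rr.Name) + "|" + rr.Type + "|" + strings.Join(data, ","))
}
// Sign is the zone owner's side: an RRSIG-like Ed25519 signature over the RRset.
func Sign(priv ed25519.PrivateKey, rr RRset) []byte {
	return ed25519.Sign(priv, canonical(rr))
}
// Validate is the resolver's side: pub is the zone key it already trusts; sig is
// nil when the recursive server dropped the RRSIG. Returns secure, bogus or missing.
func Validate(pub ed25519.PublicKey, rr RRset, sig []byte) string {
	switch {
	case sig == nil:
		return "missing"
	case ed25519.Verify(pub, canonical(rr), sig):
		return "secure"
	}
	return "bogus"
}

// Scenario plays out the thread: the owner signs the true answer, then a
// recursive server substitutes its own address, with and without the RRSIG.
func Scenario() (genuine, substituted, stripped string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	answer := RRset{Name: "irc.example.net.", Type: "A", Rdata: []string{"192.0.2.10"}} // constructed
	sig := Sign(priv, answer)
	hijacked := RRset{Name: answer.Name, Type: "A", Rdata: []string{"198.51.100.1"}} // constructed substitute
	return Validate(pub, answer, sig), Validate(pub, hijacked, sig), Validate(pub, hijacked, nil)
}

func main() { fmt.Println(Scenario()) } // secure bogus missing
```

A validating resolver treats both the "bogus" and the "missing" outcome as a failure for a zone it knows to be signed, which is the "scream bloody murder" in the reply above.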

