Friday, June 15, 2012

Secure DNS - what's a home-user to do?!

I find DNS a very interesting (how often do you hear that?!). When I was doing my degree in the mid-80s there was no such thing and you routinely updated you hosts file every few weeks from a master file stored at Sheffield University Computer Science dept. However - my faculty was very IP-aware (even then) and so we were running an early BIND server when I graduated and so I was at least aware of DNS before it became a big deal on the Internet.

DNS is an inherently insecure protocol for the following reasons;
  • It runs over UDP/IP and so doesn't require the 3-way TCP handshake - it's easy to spoof IPs
  • It's unencrypted
  • It doesn't require any kind of authentication and so man-in-the-middle attacks are possible
  • Problems with the protocol itself (i.e. independent of implementation) allow things like DNS cache poisoning (read up about the Kaminsky vulnerability from a couple of years ago).
I've used OpenDNS for several years and it's an excellent service that offers so much more than my ISP's DNS servers. Those guys have recently launched DNSCrypt which is a secure client for Mac or Windows that allow DNS look-up that avoids all the problems above.

No comments: