Sat, 6 Feb 2010

11:57 AM - DNS and DNSSEC

About ten years ago, DNSSEC was invented to deal with a problem plaguing the Internet: there is no trust in the DNS system.

Background

Many people might have heard the term DNS, but never thought about what it is.  DNS, or the Domain Name System, is the process by which a domain name like midnightbsd.org is translated into an IP address 70.91.226.201.  Without this system, one would need to type in IP addresses to access websites, send email, or chat online. 

The system was invented at a simpler time when people trusted each other on the Internet.  This was before worms, massive spam, or websites.  

Today, many people try to impersonate others on the Internet or, worse yet, their websites.  An attacker could mount a DNS poisoning attack so that a user querying a DNS server to look up google.com is redirected to a fake site.  This site could log information and pass requests to the real google.com through a proxy.  The user may never know the difference.

Systems like DNSSEC validate the answers to DNS queries through a trust relationship.

Using DNSSEC

Individuals don't need to do much to use DNSSEC aside from purchasing updated software.  Windows 7 had DNSSEC on its list of new features (not confirmed it was added in final builds).  The client (your computer) must be able to understand DNSSEC queries for it to be of any use.  Otherwise, it is simply ignored.

System administrators must enable DNSSEC on their DNS servers (resolvers) as well as on zones to get the full benefit.  You can think of a zone as a domain name.  Things can be further divided into sub zones such as .com vs midnightbsd.org.  

Enabling DNSSEC on BIND 9.4+ resolvers

In options:

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside "." trust-anchor "DLV.ISC.ORG";

...
trusted-keys {
        dlv.isc.org. 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
};
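
Once the resolver is configured, it is worth checking that it really validates. The following is an added example, not part of the original post or of BIND: it builds a query with the EDNS0 "DNSSEC OK" bit set and reads the AD (Authenticated Data) flag from the reply header. The function names, the resolver address and the signed test name are assumptions supplied by the caller.

```python
import socket
import struct

AD = 0x0020  # "Authenticated Data" header flag: the resolver validated the answer
DO = 0x8000  # "DNSSEC OK" flag carried in the EDNS0 OPT record's TTL field

def build_query(name, qtype=1, txid=0x1234):
    """Recursive query for `name` (type A by default) with EDNS0 and DO set."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-record: root name, type 41, 4096-byte UDP size, DO flag, empty RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, DO, 0)
    return header + question + opt

def classify(response, txid=0x1234):
    """Interpret the header of a raw reply to a query for a signed name."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rtxid, flags = struct.unpack("!HH", response[:4])
    if rtxid != txid or not flags & 0x8000:  # wrong ID or QR bit not set
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    if rcode == 2:
        return "servfail"       # for a signed name: validation failed or resolver error
    if rcode in (0, 3) and flags & AD:
        return "validated"      # answer (or denial) passed signature checks
    return "not-validated"      # reply returned without DNSSEC validation

def check_resolver(resolver_ip, signed_name, timeout=3.0):
    """Send the query over UDP to the resolver and classify its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(signed_name), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return classify(data)

if __name__ == "__main__":
    # Constructed reply headers (not captured traffic): QR|RD|RA with AD, without AD, SERVFAIL.
    for flags in (0x81A0, 0x8180, 0x8182):
        print(hex(flags), classify(struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0)))
```

Run check_resolver() against your own resolver with a name you know to be signed; "not-validated" for such a name means the dnssec-validation setting or the trust anchor is not taking effect.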
 


tags: security dnssec bind dns named


Sat, 25 Sep 2010

6:32 PM - Advertising in software

Today, I got an ad from my antivirus software for a useless utility product.  I hate ads in software I have purchased.  I can deal with it in games when it's product placement to a degree to cover costs like servers for multiplayer.  However, when I bought antivirus software from a SECURITY company, I expect it to be free of bullshit.  

My product expires in October so I'm going to try out the free Microsoft Security Essentials software then instead of buying an AV program.  I haven't found one virus the entire year which means either I'm at a low threat level or the software didn't work.  Either way, I don't see the point of spending $50 to protect our 3 inferior Windows boxes.

tags: lack spam sucks av ads security


Thu, 30 Sep 2010

Thu, 28 Oct 2010