Security Basics mailing list archives
Re: opened DNS servers = danger ?
From: "Saqib Ali" <docbook.xml () gmail com>
Date: Thu, 7 Dec 2006 09:37:03 -0500
strong mutual authentication is not easy to implement, especially if you have a large, diverse user base. the other option is to use "weak" mutual authentication, which does the job most of the time and is easy to implement. BofA uses "Passmark Sitekey" for weak mutual authentication. See http://www.bankofamerica.com/privacy/sitekey/ for more info

saqib
http://www.full-disk-encryption.net

On 12/5/06, Nick Owen <nickowen () mindspring com> wrote:

Norbert:

There are a *lot* of DNS servers (mis)configured to allow recursive name services - where the server will accept the DNS info for a site from another name server. This allows a malicious DNS server to 'poison' the cache on that server. If this cache is upstream from you, then even if you enter www.banksite.com, you will be directed to the fake site.

The solution for this is strong mutual authentication: http://en.wikipedia.org/wiki/Mutual_authentication, where both the user and the server are strongly authenticated. Think of SSH as an example.

Nick

Norbert François wrote:
> I was surfing, and I found a page where you can download a decent
> list of (recursive) opened dns. Then, I've 2 questions:
>
> -> what does "opened" dns mean? 'cause when I travel, I'm still
> (sometimes I don't know the dns of the current isp) using my isp's dns
> (even if my IP doesn't belong to my ISP).
>
> -> What's the danger of an opened dns? How to protect? Is it
> dangerous for the end-user?

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen

---------------------------------------------------------------------------
This list is sponsored by: ByteCrusher
Detect Malicious Web Content and Exploits in Real-Time. Anti-Virus engines can't detect unknown or new threats. LinkScanner can. Web surfing just became a whole lot safer.
http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
---------------------------------------------------------------------------

--
Saqib Ali, CISSP, ISSAP
http://www.full-disk-encryption.net
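The "open recursive resolver" condition Nick describes can be audited on a server you administer by sending a query with the Recursion Desired (RD) bit set and reading the Recursion Available (RA) bit and RCODE in the reply. The script below is an added example, not code from any list member; the target address, the query name and the constructed wire-format responses in the comments are assumptions.

```python
import socket
import struct

# Added example: hand-built RFC 1035 query/response handling so the check
# needs no third-party DNS library. Constructed packets only; no real server.

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a DNS A/IN query for qname with the RD flag (0x0100) set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(p)]) + p.encode("ascii") for p in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_flags(response: bytes, expected_txid: int = 0x1234) -> dict:
    """Extract QR, RA and RCODE from a DNS response header (first 12 bytes)."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")  # reply is not for our query
    return {
        "qr": bool(flags & 0x8000),   # bit 15: this is a response
        "ra": bool(flags & 0x0080),   # bit 7: server offers recursion
        "rcode": flags & 0x000F,      # 0 = NOERROR, 5 = REFUSED
    }

def recursion_offered(response: bytes, expected_txid: int = 0x1234) -> bool:
    """True when the server advertises RA and did not refuse the query.

    A resolver that answers this way to clients outside its own network is
    an open recursive resolver: its cache is reachable by anyone, which is
    the poisoning exposure the thread discusses."""
    f = parse_flags(response, expected_txid)
    return f["qr"] and f["ra"] and f["rcode"] != 5

def check_resolver(server: str, qname: str = "example.com", timeout: float = 3.0) -> bool:
    """Send one UDP query to a resolver you administer and report its RA flag."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, 53))
        data, _ = s.recvfrom(512)
    return recursion_offered(data)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed default
    state = "OFFERED" if check_resolver(target) else "not offered"
    print(f"{target}: recursion {state}")
```

A resolver that should only serve your own network but reports recursion offered from an outside address needs its recursion ACL (the `allow-recursion` style setting of whatever server software it runs) tightened.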
Current thread:
- opened DNS servers = danger ? Norbert François (Dec 04)
- Re: opened DNS servers = danger ? Nick Owen (Dec 06)
- Re: opened DNS servers = danger ? Gouki (Dec 07)
- Re: opened DNS servers = danger ? Saqib Ali (Dec 07)
- Re: opened DNS servers = danger ? Nick Owen (Dec 06)
