[ga] Re: [Gnso-liaison] DNS Server Survey Reveals Mixed Security Picture

[Peter Dambier <peter@xxxxxxxxxxxxxxxx>]

I am afraid DNS security is just a means to introduce censorship into DNS.

Gouvernements and ISPs used to tweak their resolvers to tell you
they were google.com or c*ildpo*n.com depending on the continent
they were living.

Now somebody else wants to force control from the root down to
the resolvers so only a single point in the DNS tree has control
to introduce censoring wherever he likes. We no longer have a
centralised but delegated DNS, now we have a single point of failure.

Alternative DNS would be impossible with DNS security.

What is it good for?


Windows is known to have the only DNS resolver that does even
cache used horseshoes thrown at it. E.g. you can use NetBIOS
packets to override DNS.


Bind 8 has replaced Bind 4.
Bind 9 has replaced Bind 8.

There are still security relevant patches in Bind.


I have never seen a security relevant patch for djbdns.
djbdns is a old as Bind 4.
djbdns does not even use DNS security and still you
never could cachepoison djbdns.


Mostly you get a NAT-router between your windows box
and the internet. Those Nat-routers can cook tea and boil eggs.
E.g. they have builtin DNS resolvers that are fast but even
more dangerous than windows DNS.

I have never seen a NAT-router of the SoHo family that knows
about DNS security. Neither does windows.


So it is only people with a networkmanager who care about
DNS security. Those people could run djbdns just as easyly
and would really be secure without waiting for the next plus one
issue of DNS security.


Kind regards
Peter and Karin Dambier


jwkckid1@xxxxxxxxxxxxx wrote:
> All,
>
>   It appears that others in the security business are
> also very concerned about DNS security or the increasing
> lack there of.
>
> The word on the latest annual survey of the state of DNS on the Net. 
> The survey, commissioned by infrastructure appliance vendor Infoblox, 
> found that the use of Windows DNS Server in Internet-facing 
> applications has fallen off dramatically as more users act on 
> concerns about security. BIND 9, the latest version, gained against 
> earlier, less secure versions. But in other dimensions, DNS practices 
> showed little improvement from a security point of view. Hardly
> anyone is using DNSSEC; and 31% of nameservers allow promiscuous zone
> transfers, a number little changed from last year. Here's a video
> http://www.techworld.com/video/popupCricketVideo.cfm of an
> interview with Infoblox's chief architect Cricket Liu on the state of
> DNS.
>
> Other links:
>      http://www.techworld.com/networking/news/index.cfm?newsid=10690
>      http://dns.measurement-factory.com/surveys/200710.html
>      
> Regards,
> Jeffrey A. Williams
> Spokesman for INEGroup LLA. - (Over 277k members/stakeholders strong!)
> "Obedience of the law is the greatest freedom" -
>    Abraham Lincoln
>
> "Credit should go with the performance of duty and not with what is very
> often the accident of glory" - Theodore Roosevelt
>
> "If the probability be called P; the injury, L; and the burden, B; liability
> depends upon whether B is less than L multiplied by
> P: i.e., whether B is less than PL."
> United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
> ===============================================================
> Updated 1/26/04
> ABA member in good standing member ID 01257402 E-Mail jwkckid1@xxxxxxxxxxxxx
> Phone: 214-244-4827
>
>
> _______________________________________________
> Gnso-liaison mailing list
> Gnso-liaison@xxxxxxxxxxxxxxxxxxxxxxx
> http://atlarge-lists.icann.org/mailman/listinfo/gnso-liaison_atlarge-lists.icann.org

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter@xxxxxxxxxxxxxxxx
mail: peter@xxxxxxxxxxxx.pirates
http://www.cesidianroot.com/
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/