Security News > 2023 > January > Serious Security: How dEliBeRaTe tYpOs might imProVe DNS security

Serious Security: How dEliBeRaTe tYpOs might imProVe DNS security
2023-01-23 19:59

Test via a DNS server that was specially created to track and teach you about DNS traffic.

By default, DNS requests include a single "Identification tag", which is referred to in the DNS data-format documentation simply as ID. Amazingly, despite having received numerous updates and suggested improvements over the years, the official internet RFC document that acts as the DNS specification is still RFC 1035, dating all the way back to November 1987, just over 35 years ago!

There's a bit more that all decent DNS servers do to make hijacking difficult by default, at least since about 2008, when the late Dan Kaminsky pointed out that lots of DNS servers back then were not only configured to listen for incoming requests on a fixed UDP port.

Use port numbers as extra ID. These days, almost all UDP-based DNS servers listen on port 53, as always, but they keep track of the so-called "Source port" used by the DNS requester, which it expects to be chosen randomly.

There's yet another trick that DNS requesters can do, without changing the underlying DNS protocol, and thus without breaking anything.

We have successfully deployed it in some regions in North America, Europe and Asia protecting the majority of DNS queries in those regions not covered by DNS over TLS. Intriguingly, Google sugests that the main problems it has had with this simple and apparently uncontroversial tweak is that while most DNS servers are either consistently case-insensitive or consistently not, as you might expect.


News URL

https://nakedsecurity.sophos.com/2023/01/23/serious-security-how-deliberate-typos-might-improve-dns-security/