3 comments

[ 1.7 ms ] story [ 23.1 ms ] thread
During my training, I spent about three months helping with a BIND4 to BIND9 migration. As the migration was the result of a security audit, security obviously must have been a top priority, or else they would not have let a trainee do it. ;-)

But I had plenty of time to learn much about DNS security and all (okay: some of) the ways it can be subverted. (A year later I met a member of the team where I had done this, and he told me he still keeps a copy of the report I had written on his desk as a reference. That made me very happy.)

Since then, I did not have much contact with DNS, except that I have run my own DNS resolver ever since. But I forgot most of what I had learned.

So, I kind of wonder, has the state of DNS security improved in the last 13 years? I remember DNSSEC was not widely deployed back then, and that it was kind of pointless, because none of the clients could be bothered to check DNSSEC signatures. I imagine it it is now more widely deployed, and I suspect clients still do not give a ____ about DNSSEC. Have I missed something?

Since the DNS protocol itself has nothing in terms of security, privacy, authentication, and given that previous versions of BIND (I do not know about the current ones) had bugs crawling all over them, I have wondered a couple of times, why this is not used more commonly as an attack vector. Or is it?

Can someone recommend a resource for learning about this?