secure dns with ssh?
dugan at passwall.com
Tue Dec 10 18:03:10 PST 2002
Since DNS uses UDP for much of its client-side communication without a
challange/response for verification of response, there is a security
risk for the IP address returned to you as part of a query, as not
*actually* coming from the DNS.
Why would this even matter?
There are still application layer protocols that rely upon DNS replies
for security. If the underlying security mechanism (DNS over UDP) can be
altered, then services that rely upon such services are at risk.
One example *can* be tcpwrappers if the admin has no reliable way to
avoid using hostnames/domainnames with wildcards for service based
access. (You can use /etc/hosts and specify by IP address instead, but
we can assume not everyone does this.)
Also, it has been possible to poison DNS caches for DNS run by
organizations with faulty resolution.
So, one solution is to only use a trusted DNS, and do you best to help
decrease risk of its cache-poisoning.)
(This does not even take into consideration rogue netoworks that set up
man in the middle attacks, to filter content on-the-fly so you "see"
XXXYYYZZ's sign-in page, but are actually submitting your data to an
intermediate server who then passes it on. YES, SSL, and SSH have much
to make these kinds of attacks useless, but many web systems set up user
authentication of plain-text or simple, unencrypted channels.)
I *think* error's desire is to ensure he can use a trusted DNS when a
member of an untrusted network.
Some suggestions for ways to implement this...
Set up a VPN and do most of your off-local-subnet traffic through the VPN,
IPSEC, Tunneled connections over more secure protocols (ssh, as error
Just some thought on this...
-----BEGIN GEEK CODE BLOCK-----
GCS/CM$/IT$/LS$/S/O$ !d--( ) !s !a (-----) C $( ) U $( $) P $>
L $( ) E W $( ) N o K w $> > O-@ M $ V-$>- !PS !PE Y PGP
t at -( ) 5 @ X@ R- tv- b DI D G--@ e > > h( )> r*>? z?
------END GEEK CODE BLOCK------
decode: http://www.ebb.org/ungeek/ about:
> I don't have an answer for you, but I do wonder why you would want to
> do this. Seems kinda silly.
> On Tue, Dec 10, 2002 at 01:52:30PM -0800, error wrote:
>> What would be the best way to have my dns requests secured?
>> I want to have all my dns requests tunneled over either ssl or ssh.
>> I have control of a host off of the network that I can tunnel to.
>> Any ideas?
>> error <error at sonic.net>
> "Knowing others is wisdom, knowing your self is Enlightenment."
> -- Lao-Tzu
More information about the talk