What to do about DNS?
Posted Apr 12, 2007 19:24 UTC (Thu) by mmarsh
In reply to: What to do about DNS?
Parent article: What to do about DNS?
These are, to an extent, separate problems. Having good host keys lets you know if someone is trying to spoof you. A spoof through DNS cache poisoning is either a penetration (of sorts) if you don't detect the spoof, or a denial of service if you do. DNSSEC tries to prevent the denial of service scenario by not directing you to bogus sites. Granted, there's still the spoofed traffic problem, but it requires the attacker to be close (in the network) to either the target server or the target client, and potentially requires capturing a lot of packets. This is a much higher bar than injecting a bogus DNS entry.