Re: Securing DNS traffic

On Fri, 22 May 2020 22:38:19 +0100
Sad Clouds <> wrote:

> It seems there are two main security enhancements for DNS:
> 1. DNSSEC - digital signatures for DNS records to verify they haven't
> been tampered with.
> 2. DNS over TLS - encryption of DNS traffic for privacy. This goes via
> port 853 and could be over TCP or UDP (DTLS), although it's not clear
> to me if both TCP and UDP are always supported, or if it's mainly TCP.

I've been doing some more research and came across this article on DNS

Some of the techniques they describe seem to follow these steps:

1. DNS account is compromised and either A or NS records are changed to
   point to a bogus server.
2. User connects to "" which is sent to a bogus
   server that acts as a "man in the middle", collecting credentials
   and then forwarding everything to the real ""

I think TLS was designed to avoid "man in the middle" attacks, but it
seems in this case a bogus server is using its own "valid" TLS
certificate and then proxying connections to the real server.

I don't quite understand how this works. Is it the case of somebody
creating a second valid TLS certificate for "" in
order to masquerade as a genuine email server? So if different CAs can
issue such certificates, how do you mitigate such attacks? Isn't this a
flaw in the PKI design to have different CAs that can vouch for the same

Under the "Prevention Tactics" the article talks about "revoking
malicious certificates", but what tools/methods are there to tell you
which certificates are malicious?