NetBSD-Users archive


Re: Securing DNS traffic



On Fri, 22 May 2020 22:38:19 +0100
Sad Clouds <cryintothebluesky%gmail.com@localhost> wrote:

> It seems there are two main security enhancements for DNS:
> 
> 1. DNSSEC - digital signatures for DNS records to verify they haven't
> been tampered with.
> 
> 2. DNS over TLS - encryption of DNS traffic for privacy. This goes via
> port 853 and could be over TCP or UDP (DTLS), although it's not clear
> to me if both TCP and UDP are always supported, or if it's mainly TCP.

I've been doing some more research and came across this article on DNS
hijacking

https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html

Some of the techniques they describe seem to follow these steps:

1. DNS account is compromised and either A or NS records are changed to
   point to a bogus server.
2. User connects to "email.mydomain.com" which is sent to a bogus
   server that acts as a "man in the middle", collecting credentials
   and then forwarding everything to the real "email.mydomain.com"

I think TLS was designed to avoid "man in the middle" attacks, but it
seems in this case a bogus server is using its own "valid" TLS
certificate and then proxying connections to the real server.

I don't quite understand how this works. Is it the case of somebody
creating a second valid TLS certificate for "email.mydomain.com" in
order to masquerade as a genuine email server? So if different CAs can
issue such certificates, how do you mitigate such attacks? Isn't this a
flaw in the PKI design to have different CAs that can vouch for the same
domain?

Under the "Prevention Tactics" the article talks about "revoking
malicious certificates", but what tools/methods are there to tell you
which certificates are malicious?
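The question above asks how a domain owner can tell which certificates for their name are malicious. Two defender-side controls bear on it: a CAA record (RFC 8659) declares which CAs may issue for a zone, and Certificate Transparency (CT) logs let the owner see every publicly trusted certificate issued for the name, including ones they never requested. The script below is an added example, not code from the thread or from any NetBSD tool; the domain, the CAA records, the CT entries and the key fingerprints are all constructed. It walks the name toward the root to find the governing CAA set, checks whether an issuer is permitted, and then flags CT entries whose issuer is not authorised or whose public key is not one the owner controls.

```python
"""Flag unexpected certificates for a domain by checking constructed
Certificate Transparency (CT) log entries against the zone's CAA policy
and an allowlist of known public-key fingerprints.

Added example for illustration; every record and hash here is constructed.
"""
from dataclasses import dataclass

# Constructed CAA record sets keyed by DNS name. Each tuple is
# (flags, tag, value). Under RFC 8659 the closest ancestor that has
# any CAA records governs issuance for a name.
CAA_RECORDS = {
    "mydomain.com": [
        (0, "issue", "letsencrypt.org"),  # only this CA may issue
        (0, "issuewild", ";"),            # ";" forbids wildcard issuance
    ],
}

# SPKI SHA-256 fingerprints of keys the domain owner actually holds
# (constructed placeholders, not real hashes).
KNOWN_SPKI = {"sha256/AAAA-known-mail-key"}


def relevant_caa(name: str, records=CAA_RECORDS):
    """Return the CAA RRset of the closest name (self or ancestor) that has one."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in records:
            return records[candidate]
    return []


def caa_permits(name: str, issuer_domain: str, wildcard: bool = False) -> bool:
    """Return True if CAA policy allows issuer_domain to issue a cert for name."""
    rrset = relevant_caa(name)
    if not rrset:
        return True  # no CAA records anywhere in the tree: any CA may issue
    tag = "issuewild" if wildcard else "issue"
    relevant = [v for _, t, v in rrset if t == tag]
    if wildcard and not relevant:
        relevant = [v for _, t, v in rrset if t == "issue"]  # issue applies to wildcards too
    if not relevant:
        return True  # CAA set present but no issue/issuewild restriction
    # The issuer domain precedes any ";param=value" suffix; ";" alone permits nobody.
    permitted = {v.split(";")[0].strip() for v in relevant}
    return issuer_domain in permitted


@dataclass
class CTEntry:
    """Minimal view of a CT log entry for the fields the check needs."""
    subject: str
    issuer_domain: str
    spki_sha256: str
    wildcard: bool = False


def flag_entries(entries, known_spki=KNOWN_SPKI):
    """Return (entry, reason) pairs for certificates that warrant investigation."""
    findings = []
    for e in entries:
        if not caa_permits(e.subject, e.issuer_domain, e.wildcard):
            findings.append((e, "issuer not authorised by CAA"))
        elif e.spki_sha256 not in known_spki:
            findings.append((e, "unknown public key: certificate not requested by owner"))
    return findings


# Constructed CT entries: one legitimate, one from the permitted CA but with a
# key the owner never generated, one from a CA the CAA policy does not allow.
SAMPLE_ENTRIES = [
    CTEntry("email.mydomain.com", "letsencrypt.org", "sha256/AAAA-known-mail-key"),
    CTEntry("email.mydomain.com", "letsencrypt.org", "sha256/BBBB-never-seen"),
    CTEntry("email.mydomain.com", "other-ca.example", "sha256/CCCC-never-seen"),
]


def run_example():
    """Run the check over the constructed entries and return the findings."""
    return flag_entries(SAMPLE_ENTRIES)


if __name__ == "__main__":
    for entry, reason in run_example():
        print(f"{entry.subject} via {entry.issuer_domain} ({entry.spki_sha256}): {reason}")
```

The key-fingerprint check is the one that matters in the hijacking scenario the article describes: once an attacker controls the zone's NS records they can also answer CAA queries and pass the CA's domain validation, so the certificate they obtain is "valid" by every check a CA performs. What the attacker cannot do is hide the certificate from the CT logs that browsers require, so a monitor that compares logged certificates against the keys the owner actually generated is what turns "revoke malicious certificates" into something actionable.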

