Dan,

I guess you have to separate the problem of compromising a device from the
case where we are looking only for confidentiality or privacy. IMHO, this is
somewhat out of scope.

However, we cannot ignore it. In this special case, just the admin of that
recursive resolver needs to react to that attack, and without that nobody can
understand what's going on there; but the important thing is how to
re-establish the trust with all the other recursive resolvers that already
used that node. I think this is important because it might not be clear how
many nodes already used this resolver, but for the first case you can do
nothing except wait for the immediate action of the rescue team.

Hosnieh
From: DNSOP [mailto:dnsop-boun...@ietf.org] On Behalf Of Dan York
Sent: Friday, March 07, 2014 12:10 AM
To: dnsop@ietf.org
Subject: [DNSOP] DNS privacy and Team Cymru's report on 300,000 SOHO routers with compromised DNS settings

DNSOP members,

Given our session today talking about protecting DNS privacy, I found an
interesting bit of synchronicity upon going back to my room and seeing this
article in my feeds about a compromise of at least 300,000 small office /
home office (SOHO) home routers by a variety of attacks in which their DNS
server values were changed and consumers were redirected to other pages as a
result:

http://www.circleid.com/posts/widespread_compromised_routers_discovered_with_altered_dns_configurations/

(and
http://www.circleid.com/posts/20140305_dynamic_dns_customers_check_your_router_settings/ )

The actual report from Team Cymru was announced just this past Monday -
https://twitter.com/teamcymru/status/440488571666198528 and is available
at:

https://www.team-cymru.com/ReadingRoom/Whitepapers/2013/TeamCymruSOHOPharming.pdf

Now, in this case the attackers compromised the local network devices and
took over control of the local recursive resolvers.  In this case of the
attacker controlling the recursive resolver, I don't know that any of the
various solutions thrown around today would do anything to help with this.
I don't even see DNSSEC helping much here, either, given that the attacker
could just strip out the DNSSEC info (unless, perhaps, the home computers
were running full (vs stub) recursive resolvers that also did
DNSSEC-validation).

I just thought it was an interesting example of a type of attack against DNS
that is out there now.

Dan

--
Dan York
Senior Content Strategist, Internet Society
y...@isoc.org   +1-802-735-1624
Jabber: y...@jabber.isoc.org
Skype: danyork   http://twitter.com/danyork
http://www.internetsociety.org/deploy360/

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
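The attack Dan describes works by changing the DNS server addresses a router hands out, so the most basic defender check is to compare the resolvers a host actually ends up using with the ones it is supposed to use. The following is an added example illustrating that check; it is not code from the thread, from Team Cymru, or from the CircleID articles. It parses resolv.conf-style text and flags any nameserver that falls outside an operator-supplied allow-list of networks. The allow-list, the sample resolv.conf text, and the addresses in it (RFC 5737 / RFC 3849 documentation ranges) are all constructed for illustration.

```python
"""Audit the DNS resolver addresses a host is using against an allow-list.

Added example for the SOHO-router DNS-hijacking discussion in this thread.
Not code from the thread, the Team Cymru report, or any named product; the
allow-list and the sample resolv.conf below are constructed.
"""
import ipaddress
from typing import Iterable

# Constructed allow-list: RFC 1918 space for a LAN-side forwarder (the
# router itself) plus a documentation prefix standing in for the ISP's
# resolver range. Replace with the resolvers you actually intend to use.
EXPECTED_RESOLVERS = (
    "192.168.0.0/16",
    "10.0.0.0/8",
    "2001:db8::/32",
)


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return the raw values of every 'nameserver' directive.

    Comments introduced by '#' or ';' are stripped first; 'search',
    'options' and other directives are ignored.
    """
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0].lower() == "nameserver" and len(parts) >= 2:
            servers.append(parts[1])
    return servers


def classify(server: str, allowed: Iterable[str]) -> str:
    """Classify one resolver address.

    'ok'          - inside one of the allowed networks
    'invalid'     - not parseable as an IPv4/IPv6 address
    'unexpected'  - a syntactically valid address outside the allow-list
    """
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return "invalid"
    for net in allowed:
        network = ipaddress.ip_network(net, strict=False)
        if addr.version == network.version and addr in network:
            return "ok"
    return "unexpected"


def audit(resolv_conf: str, allowed: Iterable[str] = EXPECTED_RESOLVERS) -> dict[str, str]:
    """Map every configured nameserver to its verdict."""
    return {server: classify(server, allowed) for server in parse_nameservers(resolv_conf)}


# Constructed sample. A router whose settings were changed can hand out a
# foreign resolver via DHCP exactly like the second entry here; 203.0.113.7
# is a TEST-NET-3 address standing in for a rogue resolver.
SAMPLE_RESOLV_CONF = """\
search home.example
nameserver 192.168.1.1       ; the router itself, acting as forwarder
nameserver 203.0.113.7       # address the operator never configured
nameserver 2001:db8::53
options timeout:2
"""

if __name__ == "__main__":
    for server, verdict in audit(SAMPLE_RESOLV_CONF).items():
        print(f"{server:<20} {verdict}")
```

Run on the constructed sample, the router's own address and the IPv6 resolver come back `ok` and `203.0.113.7` comes back `unexpected`. The same parser can be pointed at a router's exported configuration or at the DNS servers a DHCP client received; the point is that the check has to happen on the client side with an allow-list the attacker does not control, since, as Dan notes, a compromised resolver can hand back whatever it likes.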