On Thu, 6 Mar 2014, Dan York wrote:

> Now, in this case the attackers compromised the local network devices and
> took over control of the local recursive resolvers. In this case of the
> attacker controlling the recursive resolver, I don't know that any of the
> various solutions thrown around today would do anything to help with this.

Run a local resolver and reconfigure it automatically (e.g. using
dnssec-trigger and friends) to use the DHCP-obtained DNS servers
only as forwarders.

> I don't even see DNSSEC helping much here, either, given that the attacker
> could just strip out the DNSSEC info (unless, perhaps, the home computers
> were running full (vs. stub) recursive resolvers that also did DNSSEC
> validation).

If the domains were signed, even if you used the rogue DNS as forwarder,
you would at least notice you are under attack.

Paul
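
An added example (not code from this thread, nor dnssec-trigger's own code) of the setup described above: a simplified, constructed model in Python of what dnssec-trigger does, taking the DHCP-supplied resolvers, keeping only those that pass DNSSEC data through untouched, and emitting an Unbound configuration that validates locally and uses those servers only as forwarders. The lease text, the probe results and the root.key path are assumptions.

```python
"""Constructed model of a dnssec-trigger-style setup: DHCP resolvers are
probed and, if usable, become forwarders for a local validating Unbound."""
from dataclasses import dataclass


@dataclass
class Probe:
    """Constructed summary of one probe reply for a known-signed name."""
    server: str
    rcode: str       # "NOERROR", "SERVFAIL", ...
    has_rrsig: bool  # RRSIG records survived the forwarder
    ad_flag: bool    # ignored on purpose: a rogue forwarder can set AD freely


def dhcp_resolvers(lease_text: str) -> list[str]:
    """Pull 'option domain-name-servers a, b;' out of dhclient lease text."""
    servers = []
    for line in lease_text.splitlines():
        line = line.strip().rstrip(";")
        if line.startswith("option domain-name-servers "):
            servers += [s.strip() for s in line.split(" ", 2)[2].split(",")]
    return servers


def usable_forwarders(probes: list[Probe]) -> list[str]:
    """Keep only servers whose replies still carry the signatures our own
    validator needs. A server that strips RRSIGs would make every signed
    name SERVFAIL locally (the 'you notice you are under attack' case), so
    it is not used as a forwarder at all."""
    return [p.server for p in probes if p.rcode == "NOERROR" and p.has_rrsig]


def unbound_conf(forwarders: list[str],
                 trust_anchor: str = "/var/lib/unbound/root.key") -> str:
    """Local validating resolver. DHCP servers are forwarders, never trusted
    for validation; with no usable forwarder Unbound recurses directly."""
    lines = ["server:",
             "    interface: 127.0.0.1",
             f'    auto-trust-anchor-file: "{trust_anchor}"',
             '    module-config: "validator iterator"']
    if forwarders:
        lines += ["forward-zone:", '    name: "."']
        lines += [f"    forward-addr: {f}" for f in forwarders]
    return "\n".join(lines) + "\n"


# Constructed lease: two DHCP-supplied resolvers on a documentation prefix.
SAMPLE_LEASE = "lease {\n  option domain-name-servers 192.0.2.53, 192.0.2.54;\n}"

if __name__ == "__main__":
    probes = [Probe("192.0.2.53", "NOERROR", True, False),   # passes RRSIGs
              Probe("192.0.2.54", "NOERROR", False, True)]   # strips them
    print(unbound_conf(usable_forwarders(probes)))
```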

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop