Re: _DNS_ security problems



Irving Reid wrote:
> 
> >  On Feb 25, Dan Stromberg <strombrg@test34a.acs.uci.edu> wrote:
> >  > Subject: _DNS_ security problems
> >
> >  Yes, this is a topic for the bind list. I disagree that the solution lies in
> >  modifying DNS, which works very well for its intended purpose, and not very
> >  well as a secure identification mechanism (something it was _not_ designed to
> >  do). The protection, in my opinion, needs to be at a higher level. IMHO.
> >
> >  In any case, couldn't Java do a getpeername() on the socket used to grab the
> >  'master' class? Then it could use the peer IP address as the source host,
> >  refusing to load from or connect to any other IP address.
> 
> This fails in the face of web proxies; the address you connect to (and
> thus the result of getpeername()) is usually your proxy, not the
> applet's home.

Good point.

At this time, I'm not convinced there is a way of making this truly
secure, given existing practice around the net - without extra protocol.

From least to greatest change, and least to greatest preference, it
seems that one might try:

1) pass a name of the remote host over the connection, gethostbyname on
that, and gethostbyaddr on the (potentially multiple) results of that 

2) It may be worth considering a separate daemon, or extension to http,
that says "I'm willing to accept 'phone home' from these hosts".  In the
scenario where a hacker's website tries to tell a netscape client to
attack another host, the hacker's website would have the access control
turned on, but the attacked machine would (in general) not.  This
permission could perhaps be turned on by httpd itself, or by a user's
manual control.

3) press for a DNS security scheme that would obviate the need for the
extra database lookups - and make DNS data assuredly safe in the first
place.  One shouldn't be able to publish IP addresses one hasn't been 
assigned.  It's convenient to be able to do so sometimes, and there is a
limited amount of existing practice that depends on it, but not enough
to justify preserving a weak system.
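
The double lookup sketched in option 1, written out as an added example
(this is not code from the thread, and Java is not used here; the check
is expressed in Python with the resolver stubbed out so it runs offline).
The host names, addresses and the forward/reverse tables are constructed
for illustration and are assumptions, not real records.  The point the
code makes is the one the thread is circling: a site can put any address
it likes in its own forward zone, so the forward lookup alone proves
nothing; the reverse lookup on the peer address, and the forward
confirmation of each name that comes back, is what catches a name that
claims an address it was never assigned.  The proxy objection survives
unchanged: when the peer address is the proxy, the check simply fails.

```python
"""Forward/reverse consistency check for a claimed origin host.

Added example, not from the original thread.  The DNS tables below are
constructed test data (assumed, not real records); gethostbyname_all and
gethostbyaddr_all stand in for the real resolver calls so that the check
runs offline and deterministically.
"""
import ipaddress

# Constructed forward zone data: name -> A records (hypothetical).
FORWARD = {
    "applet.example.net": ["192.0.2.10", "192.0.2.11"],
    # An attacker-controlled zone that publishes someone else's address.
    "evil.example.org": ["192.0.2.10"],
}

# Constructed reverse zone data: address -> PTR names (hypothetical).
# The attacker controls evil.example.org but not 192.0.2.10's reverse zone.
REVERSE = {
    "192.0.2.10": ["applet.example.net"],
    "192.0.2.11": ["applet.example.net"],
    "198.51.100.7": ["victim.example.com"],
}


def gethostbyname_all(name, forward=FORWARD):
    """Stub for gethostbyname: all A records for a name (possibly several)."""
    return list(forward.get(name.lower().rstrip("."), []))


def gethostbyaddr_all(addr, reverse=REVERSE):
    """Stub for gethostbyaddr: all PTR names for an address."""
    return list(reverse.get(addr, []))


def origin_is_consistent(claimed_host, peer_addr, forward=FORWARD, reverse=REVERSE):
    """Decide whether claimed_host may be treated as the origin of peer_addr.

    Returns (ok, reason).  ok is True only when:
      1. peer_addr is one of the A records of claimed_host (forward lookup),
      2. peer_addr has at least one PTR record and one of them is claimed_host
         (reverse lookup), and
      3. every PTR name resolves forward back to peer_addr (forward
         confirmation, so a bogus PTR cannot vouch for an address either).
    """
    try:
        peer = str(ipaddress.ip_address(peer_addr))
    except ValueError:
        return False, "peer address is not a valid IP address"

    claimed = claimed_host.lower().rstrip(".")

    # Step 1: the name the remote side passed us must actually map to the
    # address we are talking to.  This alone is weak: the remote side can
    # publish any A record in a zone it controls.
    if peer not in gethostbyname_all(claimed, forward):
        return False, f"{peer} is not an address of {claimed}"

    # Step 2: the reverse zone for the address is (normally) run by whoever
    # was assigned the address block, not by the claimant.
    ptrs = [p.lower().rstrip(".") for p in gethostbyaddr_all(peer, reverse)]
    if not ptrs:
        return False, f"no reverse record for {peer}"
    if claimed not in ptrs:
        return False, f"reverse lookup of {peer} gives {ptrs}, not {claimed}"

    # Step 3: forward-confirm each PTR name so a stray PTR cannot vouch for
    # an address it does not resolve to.
    for name in ptrs:
        if peer not in gethostbyname_all(name, forward):
            return False, f"PTR name {name} does not resolve back to {peer}"

    return True, "forward and reverse lookups agree"


if __name__ == "__main__":
    # Legitimate origin: name and address agree in both directions.
    print(origin_is_consistent("applet.example.net", "192.0.2.10"))
    # Forward zone claims an address it was never assigned: caught by step 2.
    print(origin_is_consistent("evil.example.org", "192.0.2.10"))
    # Claimed name has no forward record for the peer at all: caught by step 1.
    print(origin_is_consistent("victim.example.com", "192.0.2.10"))
    # Connection went through a proxy whose address maps to nothing useful:
    # the check fails rather than silently accepting the proxy as the origin.
    print(origin_is_consistent("applet.example.net", "203.0.113.5"))
```

Note that this only moves the trust from the forward zone to the reverse
zone; an operator who controls both (or whose reverse zone is spoofable)
defeats it, which is why the thread ends up preferring a signed DNS rather
than more lookups.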
