Apparently there’s a “massive” attack against DNS infrastructure underway in Brazil. Much of the initial reporting refers to the attack as cache poisoning, though Rod Rasmussen correctly points out that it’s not “classic cache poisoning”: the culprits allegedly worked at a Brazilian ISP and used default passwords to change the DNS settings on customer premises equipment, and modified the configurations of the ISP’s recursive name servers to direct customers to bogus sites. (“Classic” cache poisoning attacks, of course, require no such special access to resolver or name server configuration to carry out.)
Besides raising the upsetting specter of collusion by the employees of ISPs, this threat brings us back to DNSSEC’s “last mile” problem. While this would seem like a textbook example of the kind of threat DNSSEC should protect against, in fact DNSSEC wouldn’t have been much help to most of the ISP’s subscribers. Without a secure channel between a stub resolver, like the one on the laptop I’m typing on, and the local recursive name server, there’s no foolproof way of determining that your name server has been replaced.
Even if the channel between the stub resolver and the recursive name server is secure, if you can’t trust the name server on the other end, you’re sunk. Stub resolvers rely on their local recursive name server to perform DNSSEC validation in most cases. So my Mac is at the mercy of the recursive name server this Parisian hotel’s WiFi network uses (wherever that is). If the name server claims to have validated a set of resource records using DNSSEC, my laptop believes it. If the ISP operating that name server tampers with its configuration to send bogus responses, I’ll believe that’s valid data.
The only way DNSSEC could have helped the victims of the attack, in fact, is if they’d run their own validating name server locally, or if they’d used a set of recursive name servers provided by someone other than the ISP through a secure channel. And not many subscribers are technically adept enough to do either.
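To make the “last mile” point concrete, here is an added example (my own illustration, not code from the original post or from any resolver implementation) that decodes the flag bits of a DNS response header and contrasts two stub-resolver policies: the usual one, which believes the AD (“Authenticated Data”) bit whoever set it, and a stricter one that only honours AD when the response came from a validator on loopback or over a channel the stub itself secured. The header bytes, the resolver addresses and the `channel_secured` parameter are constructed for the example; no query is sent anywhere.

```python
import struct

# Constructed 12-byte DNS response header, made up for this example:
# ID 0x1234, flags 0x81A0 (QR=1 RD=1 RA=1 AD=1, RCODE=0),
# QDCOUNT=1 ANCOUNT=1 NSCOUNT=0 ARCOUNT=0.
SAMPLE_RESPONSE_HEADER = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)

# Same header with the AD bit cleared (flags 0x8180), for comparison.
SAMPLE_UNVALIDATED_HEADER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)


def parse_header_flags(msg: bytes) -> dict:
    """Decode the flag field of a DNS message header (RFC 1035, RFC 4035)."""
    if len(msg) < 12:
        raise ValueError("a DNS header is 12 bytes")
    (flags,) = struct.unpack("!H", msg[2:4])
    return {
        "qr": bool(flags & 0x8000),     # response (1) or query (0)
        "rd": bool(flags & 0x0100),     # recursion desired
        "ra": bool(flags & 0x0080),     # recursion available
        "ad": bool(flags & 0x0020),     # Authenticated Data: set by the validating resolver
        "cd": bool(flags & 0x0010),     # Checking Disabled
        "rcode": flags & 0x000F,
    }


def naive_stub_accepts(msg: bytes) -> bool:
    """The common stub behaviour: trust AD from whichever server answered."""
    return parse_header_flags(msg)["ad"]


def resolver_is_trustworthy(resolver_ip: str, channel_secured: bool) -> bool:
    """AD is only meaningful if we control the validator (it runs on loopback)
    or the path to it is authenticated (e.g. DNS over TLS with a verified cert).
    Both inputs are assumptions supplied by the caller in this example."""
    return resolver_ip in ("127.0.0.1", "::1") or channel_secured


def strict_stub_accepts(msg: bytes, resolver_ip: str, channel_secured: bool) -> bool:
    """Honour AD only when the server that set it can actually be trusted."""
    flags = parse_header_flags(msg)
    if not flags["qr"] or flags["rcode"] != 0 or not flags["ad"]:
        return False
    return resolver_is_trustworthy(resolver_ip, channel_secured)


if __name__ == "__main__":
    # A forged answer from an ISP resolver (constructed address) with AD set:
    print("naive stub believes it:", naive_stub_accepts(SAMPLE_RESPONSE_HEADER))
    print("strict stub, ISP resolver, plain UDP:",
          strict_stub_accepts(SAMPLE_RESPONSE_HEADER, "192.0.2.53", False))
    print("strict stub, local validator:",
          strict_stub_accepts(SAMPLE_RESPONSE_HEADER, "127.0.0.1", False))
```

The strict policy is exactly the pair of remedies named above: either the validator is local, or the stub reaches a chosen validator over a secured channel. Anything else reduces the AD bit to a single unauthenticated bit that whoever operates (or has tampered with) the recursive server can set at will.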
Maybe it’s worth considering embedding a simple validating recursive name server in most operating systems so we aren’t forced to rely on our ISPs to protect us. Most modern computers have the resources to support a name server. (Heck, some phones probably have the resources.) The real burden, in my opinion, is the hassle of administering it.