Archiv: DNS (Domain Name System)

08.01.2021 - 23:32 [ ]

Spoofing: Neue DNS-Angriffsmethode entdeckt

(13. November 2020)

Nachdem der Quellport de-randomisiert worden sei, sei es möglich gewesen, eine böswillige IP-Adresse einzuschleusen und so erfolgreich einen DNS-Cache-Poisoning-Angriff durchzuführen. Die Details haben die Forscher im Paper „DNS Cache Poisoning Attack Reloaded: Revolutions with Side Channels“ publiziert.

Weitere Experimente unter realistischen Serverkonfigurationen und Netzwerkbedingungen würden zudem zeigen, dass ihre grundlegende Methode leicht an das gesamte DNS-System angepasst werden könnte.

08.01.2021 - 23:04 [ ]

SAD Reality for DNS

The researchers determined that 35% of open resolvers are open to the attack, as well as four of six home routers made by well-known brands.

They also found that 12 of 14 popular public resolvers (now 11—Cloudflare says they’ve corrected their systems) are susceptible. Even a patched DNS server could be made vulnerable by an unpatched or misconfigured NAT gateway.

Their 19-page paper on the exploit includes lists of devices and services tested. They have since set up a SAD DNS website featuring a Q&A and a tool that anyone can use to determine whether their DNS is vulnerable.

The flaw is being tracked as CVE-2020-25705, and affects Linux 3.18 – 5.10, Windows Server 2019 version 1809 and newer, macOS 10.15 and newer, and FreeBSD 12.1.0 and newer. The researchers did not test earlier versions of the listed operating system.

18.12.2020 - 21:38 [ ]

Microsoft unleashes ‘Death Star’ on SolarWinds hackers in extraordinary response to breach

In the end, this all reminds us how much power Microsoft has at its disposal. Between its control of the Windows operating system, its robust legal team, and its position in the industry, it has the power to change the world nearly overnight if it wants to. And when it chooses to train that power on an adversary, it really is the equivalent of the Death Star: able to completely destroy a planet in a single blast.

18.12.2020 - 21:36 [ ]

Domain name sinkholes and those funky domain registrations

(September 2018)

A sinkhole redirects or blocks traffic meant for a destination. They are used by the security community to stop botnet traffic, phishing and other bad activity.

There are many ways to create a sinkhole. An ISP can simply divert traffic from the IP address nameserver you see in Whois to another. A company (or the government) can also go through the courts to get control of a domain name and then change its nameservers.

18.12.2020 - 21:28 [ ]

Microsoft and industry partners seize key domain used in SolarWinds hack


According to analysis from security firm FireEye, the C&C domain would reply with a DNS response that contained a CNAME field with information on another domain from where the SUNBURST malware would obtain further instructions and additional payloads to execute on an infected company’s network.

27.11.2020 - 17:47 [ Internet Corporation for Assigned Names and Numbers (ICANN) ]

DNSSEC – What Is It and Why Is It Important?

DNS data for a domain is called a zone. Some organizations operate their own name servers to publish their zones, but usually organizations outsource this function to third parties. There are different types of organizations that host DNS zones on behalf of others, including registrars, registries, web hosting companies, network server providers, just to name a few.

DNS by itself is not secure

DNS was designed in the 1980s when the Internet was much smaller, and security was not a primary consideration in its design. As a result, when a recursive resolver sends a query to an authoritative name server, the resolver has no way to verify the authenticity of the response.

27.11.2020 - 17:36 [ Internet Corporation for Assigned Names and Numbers (ICANN) ]

DNSSEC Schutz für das Internet

DNSSEC ist ein Protokoll, das gegenwärtig zur Sicherung des Domain-namensystems (DNS), also dem weltweiten Telefonbuch des Internets, implementiert wird. Normale Benutzer rufen Internetserver lieber mithilfe konkreter Bezeichnungen auf (beispielsweise – hinter den Kulissen jedoch bildet das DNS jeden Namen auf eine numerische Adresse ab, um die Daten an das korrekte Gerät zu übertragen. DNSSEC ist die Abkürzung für „DNS Security Extensions“, also DNS-Sicherheitserweiterungen. DNSSEC ergänzt das DNS um Sicherheits-funktionen, indem eine Verschlüsselungsmethodik basierend auf öffentlichen Schlüsseln in die DNS-Hierarchie integriert wird. Dadurch entsteht eine einzelne, offene und globale Public-Key-Infrastruktur (PKI) für Domainnamen. Dies ist das Ergebnis einer mehr als zehnjährigen Entwicklung offener Standards innerhalb der Nutzergemeinschaft.

27.11.2020 - 16:36 [ ZDNetcom ]

DNS-over-HTTPS causes more problems than it solves, experts say


The response to DoH’s anointment as a major privacy-preserving solution has been downright acid, in some cases. Critics have taken a jab at the protocol on different plains, which we’ll try to organize and categorize below:

– DoH doesn’t actually prevent ISPs user tracking
– DoH creates havoc in the enterprise sector
– DoH weakens cyber-security
– DoH helps criminals
– DoH shouldn’t be recommended to dissidents
– DoH centralizes DNS traffic at a few DoH resolvers

27.11.2020 - 16:35 [ ]

Mozilla enables DOH by default for all Firefox users in the US


Circa 2015, engineers at Cloudflare and Mozilla joined forces to create DNS-over-HTTPS, as a way to hide DNS queries using encryption.

27.11.2020 - 16:28 [ ]

Disappearing DNS: DoT and DoH, Where one Letter Makes a Great Difference


Obviously, time will tell if DoT continues to prevail or whether DoH will start to gain ground. As mentioned at the beginning of the article there is a hot debate going on right now about the direction the Internet industry should take. Suffice to say that even nation state authorities are involved in the debate, which speaks to the level and importance of the discussion.

27.11.2020 - 15:53 [ ]

DNS over TLS FritzBox aktivieren

DoT ist letztlich nur ein weiterer Schritt die Privatsphäre zu schützen. Diese Technik verschlüsselt nur die Strecke vom heimischen Router bis hin zum Resolver des Anbieters.

27.11.2020 - 15:45 [ ]

Fritzbox und DNS-Verschlüsselung: Analyse mit Wireshark


Alle Geräte, die Internet-fähig sind, ermitteln mit DNS-Anfragen die IP-Adressen von Servern, um diese ansprechen zu können. Das ist etwa der Fall, wenn ein Browser die Domain ansteuert – der konfigurierte DNS-Resolver, meist der des Providers, liefert dann die IP-Adresse Diese ruft dann der Browser auf, um eine HTTP-Verbindung zum Server aufzubauen. Weil die Geräte solche Anfragen unverschlüsselt und täglich vielfach an Resolver versenden, können fremde Nachrichtendienste oder Spione Profile von Nutzern erstellen.

27.11.2020 - 14:49 [ ]

DoT servers

Oct 2020: The list below has been updated to retain only those servers that appear to still be actively maintained

27.11.2020 - 14:43 [ ]

Was ist DNS over TLS (DoT)?

DNS over TLS (DoT) ist ein Protokoll zur verschlüsselten Übertragung der DNS-Namensauflösung. DNS-Anfragen und DNS-Antworten sind dadurch vor dem unbefugten Mitlesen und vor Manipulationen geschützt.

27.11.2020 - 14:38 [ ]

Public DNS Servers by country

Download valid nameservers as CSV | Plaintext

27.11.2020 - 14:36 [ ]

DNS-Server einrichten – eine Anleitung

Ihren DNS-Server können Sie ganz leicht einrichten.

27.11.2020 - 14:25 [ ]

DNS leak test

Hello (…)

from (…)

27.11.2020 - 14:13 [ ]

Was ist ein Domain Name System (DNS)?

Ein Domain Name System (DNS) ist wie ein Telefonbuch für das Internet. Darin sind Domainnamen (das ist der Teil einer Web-Adresse, der nach dem „www.“ kommt) und eine lange, der jeweiligen Website zugeordnete Zahlenfolge (eine sogenannte „IP-Adresse“) verzeichnet.

Ohne DNS-Services müssten Sie jedes Mal eine komplizierte Zeichenfolge wie zum Beispiel eingeben, um eine bestimmte Website zu besuchen. Stattdessen können Sie einfach einen Website-Namen eingeben, der wesentlich leichter zu merken ist.

12.11.2019 - 16:59 [ Techdirt ]

Mozilla: ISPs Are Lying About Encrypted DNS, Should Have Privacy Practices Investigated

The effort would effectively let Chrome and Mozilla users opt in to DNS encryption — making your browser data more secure from spying and monetization — assuming your DNS provider supports it. Needless to day, telecom giants that have made billions of dollars monetizing your every online behavior for decades now (and routinely lying about it) don’t much like that.

As a result, Comcast, AT&T, and others have been trying to demonize the Google and Mozilla efforts any way they can,

01.06.2019 - 14:26 [ reddit ]

Government officials admit they can’t enforce a planned ‚porn block law‘ in the UK because of DNS encryption

The UK wants everyone to hand over their personal details to get „age verified“ before looking at adult content… but an official has now admitted it could be almost unenforceable due to the rollout of DNS encryption on Firefox and maybe Chrome.