Re: Is DNSSEC supported by Windows?



Cache poisoning is only a means to an end. The attacker's _real_ goal is to get you on his server rather than the one you actually want. So ensuring authenticity of the legitimate server is the proper defense here, rather than worrying about the plumbing. And we can accomplish that today with SSL and IPsec.

--
Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"FromTheRafters" <erratic@xxxxxxxxx> wrote in message news:er3ykC#BJHA.1228@xxxxxxxxxxxxxxxxxxxxxxx
Yeah, it is important. Akin to the way you should get
programs only from trusted sources. But how can
anyone verify the validity of the data returned? AV
is in place to stopgap the bad information from trusted
source issue when programs are the concern, do you
think it is completely unnecessary to stopgap the same
sort of thing for poisoned DNS data?

Sure, if DNS poisoning is not very common, then there
is little risk - and crypto is like a 12-gauge flyswatter.

"Steve Riley [MSFT]" <steve.riley@xxxxxxxxxxxxx> wrote in message news:840985B2-477A-4757-BBC2-852DD7EBDEF1@xxxxxxxxxxxxxxxx
Signed name resolution records won't address those issues.

Say you want to connect to WebServerA. Say you want a way to be assured that you are, indeed, connecting to WebServerA, not some imposter. Well, there already exists a mechanism to do that: SSL. SSL authenticates the server to your computer, because your computer trusts the organization that issued the server's certificate.

Say you want to connect to FileServerB. Say you want a way to be assured that you are, indeed, connecting to FileServerB, not some imposter. Well, there already exists a mechanism to do that: IPsec. IPsec authenticates the server to your computer (and your computer to the server), because both the server and your computer trust the issuers of their respective certificates.

See, this is really what matters. Spoofing DNS is a useless attack if the servers are protected by SSL or IPsec. Bolting cryptography onto DNS will be monumentally expensive to deploy across the Internet and doesn't address the real question. DNSSEC answers this question: "Can I trust the answer given to my name resolution request?" Yet the more important question is "Can I trust that I'm going to the right server?" And this question is already answered by SSL and IPsec.

--
Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"Dan" <Dan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:0A907A01-2DC6-4A22-B075-F2DE8C4BBABA@xxxxxxxxxxxxxxxx
How about the problems on web sites with errors about missing scripts and
lost objects and other stuff?

"Steve Riley [MSFT]" wrote:

What problem can you solve with DNSSEC that is not already solved with IPsec
or SSL?

--
Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"Dan" <Dan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7571D3C3-6A37-47E9-A937-CD6B198B400B@xxxxxxxxxxxxxxxx
> Will DNSSEC be fully supported in future versions of Windows, Steve? In
> addition, will any current versions of Windows be updated to fully support it
> via cryptography, authentication and/or verification, Steve, including but not
> limited to Windows Server 2003?
>
> "Steve Riley [MSFT]" wrote:
>
>> Clarification. There is _limited_ support: Windows Server 2003 DNS can act
>> as a secondary DNS server for an existing DNSSEC-compliant zone. Windows
>> clients will cache DNSSEC resource records, but perform no cryptography,
>> authentication, or verification.
>>
>> More information here:
>> http://technet.microsoft.com/en-us/library/cc728328.aspx
>>
>> --
>> Steve Riley
>> steve.riley@xxxxxxxxxxxxx
>> http://blogs.technet.com/steriley
>> http://www.protectyourwindowsnetwork.com
>>
>>
>>
>> "Steve Riley [MSFT]" <steve.riley@xxxxxxxxxxxxx> wrote in message
>> news:5CCD3A14-68B3-471F-9328-D1ED272FD113@xxxxxxxxxxxxxxxx
>> > No, DNSSEC isn't supported in any version of Windows.
>> >
>> > --
>> > Steve Riley
>> > steve.riley@xxxxxxxxxxxxx
>> > http://blogs.technet.com/steriley
>> > http://www.protectyourwindowsnetwork.com
>> >
>> >
>> >
>> > "totojepast" <totojepast@xxxxxxxxx> wrote in message
>> > news:4cdf919f-4cba-4940-aead-fb1d460c0fbe@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>> >> Is the Windows XP DNS resolver able to check the validity of the DNS
>> >> data using DNSSEC? Is this feature turned on by default?
>> >>
>> >> And does the Windows Server support DNSSEC for publishing the public
>> >> DNS records?
>> >




