Category: DNSSEC

Paper Notes: Redirecting DNS for Ads and Profit

Redirecting DNS for Ads and Profit is one of the collection of papers from the ICSI team, with the results from the Netalyzr, network diagnosis tool. This paper focuses on the 66K session traces where DNS error traffic has been monetization and calls out Paxfire, for their role in this area, the paper focuses on NXDOMAIN wildcarding and search engine Read More

Middleboxes considered harmful: DNS Edition

This article is brief overview of how middleboxes interact with DNS traffic. In particular I’m interested in finding out the answers to the following: Will middleboxes drop/modify DNS traffic and what is the purpose of this: stopping abuse, security, buggy implementations, advertising or censorship? Therefore does using your own stub resolver and recursive nameserver free you Read More

Comcast blocking NASA.gov

Today, people love to hate their ISPs, they have a public image problem. A great example of this when Comcast apparently blocking NASA’s website in 2012. In fact, Comcast was the only major US ISP to be using DNSSEC validating resolvers thus where the only ones affected when NASA’s website failed to properly sign their DNS responses. Read More

Video: An overview of secure name resolution [29c3]

Here is an excellent talk by Matthäus Wander, introducing DNSSEC, DNSCurve and few other DNS extensions.   A few points of interest: stub resolvers need new API’s to report DNSSEC validation failures, then browsers can provides users with “TLS like” failure messages AD flag is useless as there is no validation, yet windows 7/8 still read Read More

Lack of Love for DNSSEC

It’s more than two years since I wrote my introduction to DNSSEC and the internet is let to open its loving arms to DNSSEC and DANE. Don’t just trust my work for it: http://sockpuppet.org/blog/2015/01/15/against-dnssec/ http://sockpuppet.org/stuff/dnssec-qa.html https://www.imperialviolet.org/2015/01/17/notdane.html Thanks to Hannes for originally bringing these articles to my attention Read More

DNSSEC – A basic Intro

This article aims to not just explain how DNSSEC work but why the protocols are designed the way that they are. I will begin with a simple mental model of public-key cryptography, then I highlight issues with scheme described so far and add complexity to fix issues as I highlight them. I finish the article Read More