[clug] April 2018 CLUG Meeting

Robert Edwards bob at cs.anu.edu.au
Sat Apr 28 08:57:20 UTC 2018


On 27/04/2018 5:46 pm, Scott Ferguson via linux wrote:
>
>
> On 27/04/18 15:45, Keith Goggin via linux wrote:
>> Thanks to Geoff Huson for his excellent 'Web Security Primer' last night.
>>
>> I know 'an' IP address of my bank and if every thing I needed was at
>> that address I'm guessing I'd be safe.
>
> As has been pointed out already - IP addresses can change (though banks
> rarely do so), however, more importantly, IP addresses can be spoofed
> (BGP attacks).
>
> Responsible businesses (banks?) use DNSSEC to authenticate their IP
> addresses.
>
> You can check a DNS record for an address on the Linux CLI:-
> dig +dnssec +multi anz.com.au @8.8.8.8 | grep NOERROR && echo 'Server Authenticated' || echo 'Server Unauthenticated'
>
> or with a web browser:-
> https://dnssec-analyzer.verisignlabs.com/anz.com.au
>

Of course, DNS is not the only way to convert a symbolic host name into
an IP address. If you happen to trust the IP address you know more than
DNS (with or without DNSSEC), then you can add an entry to your
/etc/hosts file (on POSIX machines), which, if /etc/nsswitch.conf has
not been altered from the usual default, will take precedence over DNS.

One example where you might trust the IP more than DNS is if you own
it - my OpenVPN "mobile" clients connect to my VPS server using its IP
address.

If you know that your "internet bank" (usually a euphemism..) does not
change its IP address then you can add it to the hosts file on the VM/
container you have dedicated for "internet banking".

Also, it is relatively trivial to set up your own DNS server and "pin"
IP addresses that you know don't change. The Pi-hole project sets up a
DNS server (either on a RasPi, or a regular Debian system - mine is
running on a container) that lets you "black-hole" a whole lot of "bad"
sites (mainly advertising, in my case). Not sure how nicely it plays
with DNSSEC.

Also, for the WiFi SSID that my kids' devices use, the DHCP server has
been set to a Pi-hole instance, which then backs onto the
"family-friendly" OpenDNS service:
https://www.opendns.com/setupguide/#familyshield
Not sure how DNSSEC deals with that either...

Also, DNSSEC has its own set of vulnerabilities to be managed. An
interesting paper is here (there are others):
http://www.chrismitchell.net/svidad.pdf

None of this helps against router attacks, as has been pointed out.

cheers,
Bob Edwards.
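An added check, written for this thread and not part of either post: the quoted one-liner greps for NOERROR, but NOERROR only means the resolver answered; the "ad" (Authenticated Data) flag on the flags line is what says a validating resolver checked the signature chain. The dig header excerpts below are constructed samples.

```shell
#!/bin/sh
# Classify a "dig +dnssec" answer by its header. The "ad" flag is only
# meaningful from a resolver you trust and reach over a trusted path,
# because the flag itself is not signed.
#
# Usage: dig +dnssec +multi anz.com.au @8.8.8.8 | dnssec_status
# Prints one word and exits 0 only for "authenticated".
dnssec_status() {
    answer=$(cat)                       # whole dig output from stdin
    status=$(printf '%s\n' "$answer" |
        sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    case "$status" in
        NOERROR)
            # " ad" must appear among the flags, before the ";" ending the list.
            if printf '%s\n' "$answer" | grep -Eq '^;; flags:[^;]* ad[ ;]'; then
                echo authenticated; return 0
            fi
            echo unsigned-or-unvalidated; return 1 ;;
        SERVFAIL)
            # A validating resolver returns SERVFAIL when the chain is bogus;
            # repeating the query with "dig +cd" shows whether the data itself
            # is the reason.
            echo servfail-possibly-bogus; return 1 ;;
        "")
            echo no-header; return 1 ;;
        *)
            echo "$status"; return 1 ;;
    esac
}

# Constructed header excerpts (not real captures) showing both outcomes.
SAMPLE_AUTHENTICATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

printf '%s\n' "$SAMPLE_AUTHENTICATED" | dnssec_status   # authenticated
printf '%s\n' "$SAMPLE_UNVALIDATED" | dnssec_status     # unsigned-or-unvalidated
```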