[clug] April 2018 CLUG Meeting

Keith Goggin lroyjh at gmail.com
Sun Apr 29 01:47:17 UTC 2018



On 28/04/18 18:57, Robert Edwards via linux wrote:
> On 27/04/2018 5:46 pm, Scott Ferguson via linux wrote:
>>
>>
>> On 27/04/18 15:45, Keith Goggin via linux wrote:
>>> Thanks to Geoff Huson for his excellent 'Web Security Primer' last 
>>> night.
>>>
>>> I know 'an' IP address of my bank and if everything I needed was at
>>> that address I'm guessing I'd be safe.
>>
>> As has been pointed out already - IP addresses can change (though banks
>> rarely do so), however, more importantly, IP addresses can be spoofed
>> (BGP attacks).
>>
>> Responsible businesses (banks?) use DNSSEC to authenticate their IP
>> addresses.
>>
>> You can check a DNS record for an address on the Linux CLI:-
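>> # A validating resolver sets the "ad" flag; NOERROR alone only means the lookup succeeded
>> dig +dnssec +multi anz.com.au @8.8.8.8 | grep -Eq '^;; flags:[^;]* ad[ ;]' && echo 'Server Authenticated' || echo 'Server Unauthenticated'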
>>
>> or with a web browser:-
>> https://dnssec-analyzer.verisignlabs.com/anz.com.au
>>
>
> Of course, DNS is not the only way to convert a symbolic host name into
> an IP address. If you happen to trust the IP address you know more than
> DNS (with or without DNSSEC), then you can add an entry to your
> /etc/hosts file (on POSIX machines), which, if /etc/nsswitch.conf has
> not been altered from the usual default, will take precedence over DNS.
>
> One example where you might trust the IP more than DNS is if you own
> it - my OpenVPN "mobile" clients connect to my VPS server using its IP
> address.
>
> If you know that your "internet bank" (usually a euphemism..) does not
> change its IP address then you can add it to the hosts file on the VM/
> container you have dedicated for "internet banking".
>
> Also, it is relatively trivial to set up your own DNS server and "pin"
> IP addresses that you know don't change. The Pi-hole project sets up a
> DNS server (either on a RasPi, or a regular Debian system - mine is
> running on a container) that lets you "black-hole" a whole lot of "bad"
> sites (mainly advertising, in my case). Not sure how nicely it plays
> with DNSSEC.
>
> Also, for the WiFi SSID that my kids' devices use, the DHCP server has
> been set to a Pi-hole instance, which then backs onto the "family-
> friendly" OpenDNS service:
> https://www.opendns.com/setupguide/#familyshield
> Not sure how DNSSEC deals with that either...
>
> Also, DNSSEC has its own set of vulnerabilities to be managed. An
> interesting paper is here (there are others):
> http://www.chrismitchell.net/svidad.pdf
>
> None of this helps against router attacks, as has been pointed out.
>
> cheers,
> Bob Edwards.
>
>
>
Thanks to all for their assistance.

With apologies to Reinhold Niebuhr and AA, I seek the knowledge to 
improve my computer security, to accept that which is beyond end users 
like me and the wisdom to know the difference :-)
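
The /etc/hosts pinning described in the quoted reply only takes effect while `files` is consulted before `dns` in /etc/nsswitch.conf. The script below is an added example, not part of the original thread, that checks both the lookup order and the pinned entry; `bank.example` and `192.0.2.10` are constructed placeholders, and sources other than `files` and `dns` (such as `resolve`) are not evaluated.

```shell
#!/bin/sh
# Added example: verify that a hosts-file pin is actually in effect.
# File paths are parameters so the check can run on constructed samples.

# Print the sources on the "hosts:" line of an nsswitch.conf, one per line,
# with comments and [NOTFOUND=return]-style action items removed.
hosts_sources() {
    sed -e 's/#.*//' -e 's/\[[^]]*]//g' -e 's/^[[:space:]]*hosts:/hosts: /' "$1" |
        awk '$1 == "hosts:" { for (i = 2; i <= NF; i++) print $i; exit }'
}

# Succeed only if "files" is listed, and listed ahead of "dns" (or dns is absent).
files_before_dns() {
    hosts_sources "$1" | awk '
        $1 == "files" && !f { f = NR }
        $1 == "dns"   && !d { d = NR }
        END { exit !(f && (!d || f < d)) }'
}

# Print the first address a hosts file maps NAME to (names are case-insensitive).
pinned_ip() {
    sed -e 's/#.*//' "$1" | awk -v n="$2" '
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(n)) { print $1; exit } }'
}

# check_pin NSSWITCH HOSTS NAME EXPECTED_IP
# Prints a verdict; returns 0 only when the pin is present, correct and used first.
check_pin() {
    files_before_dns "$1" || { echo "FAIL: files is not ahead of dns"; return 1; }
    ip=$(pinned_ip "$2" "$3")
    [ -n "$ip" ] || { echo "FAIL: no hosts entry for $3"; return 1; }
    [ "$ip" = "$4" ] || { echo "FAIL: $3 pinned to $ip, expected $4"; return 1; }
    echo "OK: $3 pinned to $ip"
}

# Demo on constructed sample files (placeholder name and documentation-range IP).
d=$(mktemp -d)
printf 'hosts: files mdns4_minimal [NOTFOUND=return] dns\n' > "$d/nsswitch.conf"
printf '127.0.0.1 localhost\n192.0.2.10 bank.example  # pinned\n' > "$d/hosts"
check_pin "$d/nsswitch.conf" "$d/hosts" bank.example 192.0.2.10
```

On a real machine the call would be `check_pin /etc/nsswitch.conf /etc/hosts <name> <address>`, run periodically so that a changed lookup order or an edited hosts entry is noticed.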



