[clug] April 2018 CLUG Meeting

rodney peters rodneyp at iinet.net.au
Sun Apr 29 11:11:39 UTC 2018



On 29/04/18 11:47, Keith Goggin via linux wrote:
>
>
> On 28/04/18 18:57, Robert Edwards via linux wrote:
>> On 27/04/2018 5:46 pm, Scott Ferguson via linux wrote:
>>>
>>>
>>> On 27/04/18 15:45, Keith Goggin via linux wrote:
>>>> Thanks to Geoff Huson for his excellent 'Web Security Primer' last 
>>>> night.
>>>>
>>>> I know 'an' IP address of my bank and if every thing I needed was at
>>>> that address I'm guessing I'd be safe.
>>>
>>> As has been pointed out already - IP addresses can change (though banks
>>> rarely do so), however, more importantly, IP addresses can be spoofed
>>> (BGP attacks).
>>>
>>> Responsible businesses (banks?) use DNSSEC to authenticate their IP
>>> addresses.
>>>
>>> You can check a DNS record for an address on the Linux CLI:-
>>> dig +dnssec +multi anz.com.au @8.8.8.8 | grep NOERROR && echo 'Server
>>> Authenticated' || echo 'Server Unauthenticated'
>>>
>>> or with a web browser:-
>>> https://dnssec-analyzer.verisignlabs.com/anz.com.au
>>>
>>
>> Of course, DNS is not the only way to convert a symbolic host name into
>> an IP address. If you happen to trust the IP address you know more than
>> DNS (with or without DNSSEC), then you can add an entry to your
>> /etc/hosts file (on POSIX machines), which, if /etc/nsswitch.conf has
>> not been altered from the usual default, will take precedence over DNS.
>>
>> One example where you might trust the IP more than DNS is if you own
>> it - my OpenVPN "mobile" clients connect to my VPS server using its IP
>> address.
>>
>> If you know that your "internet bank" (usually a euphemism..) does not
>> change its IP address then you can add it to the hosts file on the VM/
>> container you have dedicated for "internet banking".
>>
>> Also, it is relatively trivial to set up your own DNS server and "pin"
>> IP addresses that you know don't change. The Pi-hole project sets up a
>> DNS server (either on a RasPi, or a regular Debian system - mine is
>> running on a container) that lets you "black-hole" a whole lot of "bad"
>> sites (mainly advertising, in my case). Not sure how nicely it plays
>> with DNSSEC.
>>
>> Also, for the WiFi SSID that my kids' devices use, the DHCP server has
>> been set to a Pi-hole instance, which then back onto the "family-
>> friendly" OpenDNS service:
>> https://www.opendns.com/setupguide/#familyshield
>> Not sure how DNSSEC deals with that either...
>>
>> Also, DNSSEC has its own set of vulnerabilities to be managed. An
>> interesting paper is here (there are others):
>> http://www.chrismitchell.net/svidad.pdf
>>
>> None of this helps against router attacks, as has been pointed out.
>>
>> cheers,
>> Bob Edwards.
>>
>>
>>
> Thanks to all for their assistance.
>
> With apologies to Reinhold Niebuhr and AA, I seek the knowledge to 
> improve my computer security, to accept that which is beyond end users 
> like me and the wisdom to know the difference :-)
>
>
Keith,

It might not be too difficult to get some useful improvement.

As a very quick starting point, I used the test here:

http://dnssec.vs.uni-due.de/

Not surprisingly, the verdict was negative.  Following the same guide:

https://wiki.ipfire.org/dns/start

I changed the DNS in my router to a couple from the list that are rated 
as "validating" then re-ran the test - with "thumbs-up" result and no 
noticeable slowing of browsing.


Cheers,

Rod
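An added example, not from any poster in this thread, of what the "validating resolver" test above is looking for: a POSIX shell check that inspects dig's header for the `ad` (Authenticated Data) flag. Matching `status: NOERROR` alone, as in the one-liner quoted earlier, also succeeds for an unsigned zone; only `ad` shows the resolver validated the answer. The dig replies below are constructed samples in dig's header format, not captured output.

```shell
#!/bin/sh
# dnssec_validated: given the text of a `dig +dnssec` reply, report whether
# the resolver marked the answer as validated.
#   returns 0 - answered and DNSSEC-validated ("ad" flag present)
#   returns 1 - answered (NOERROR) but not validated
#   returns 2 - no usable answer (SERVFAIL, NXDOMAIN, timeout, ...)
# Usage with a live query: dnssec_validated "$(dig +dnssec example.com @8.8.8.8)"
dnssec_validated() {
    out=$1
    # A successful answer is required first; an unsigned zone also gets here.
    printf '%s\n' "$out" | grep -q 'status: NOERROR' || return 2
    # Pull the flag list out of the ";; flags: qr rd ra ad; QUERY: ..." line.
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    # Look for "ad" as a whole word (not the "ra" or "rd" flags).
    case " $flags " in
        *" ad "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Constructed sample replies (header lines only, as dig prints them).
SIGNED_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
UNSIGNED_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5678
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SERVFAIL_REPLY=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9012
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Print a verdict for each sample so the difference is visible.
for sample in SIGNED_REPLY UNSIGNED_REPLY SERVFAIL_REPLY; do
    eval "reply=\$$sample"
    if dnssec_validated "$reply"; then
        echo "$sample: validated (ad flag set)"
    elif [ $? -eq 1 ]; then
        echo "$sample: answered but NOT validated"
    else
        echo "$sample: no usable answer"
    fi
done
```

Note that `ad` only means the resolver you asked claims to have validated; a hostile network can still strip it, so the check is meaningful only over a path you trust to that resolver (or with validation done locally).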
