Geekzone: technology news, blogs, forums
BDFL - Memuneh | 64667 posts | Uber Geek | Administrator | Trusted | Geekzone | Lifetime subscriber
# 142557 17-Mar-2014 10:43

Yet another reason not to use Google DNS, as seen on NZNOG discussion list:

https://twitter.com/bgpmon/status/445266642616868864/photo/1 

Not good having your DNS hijacked... 

488 posts | Ultimate Geek | Trusted
# 1007132 17-Mar-2014 10:54

Surely Google is safer than most, though?

Based on my "they have more to lose" rationale...

3344 posts | Uber Geek | Trusted | Vocus
# 1007150 17-Mar-2014 10:59

Ouch. The point being, your ISP's DNS servers can't so easily be BGP hijacked (since they're in their own network anyway).
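A defensive illustration of the hijack under discussion, added here and not part of the thread: origin validation over a constructed BGP update feed, flagging any announcement of Google's DNS prefixes (8.8.8.0/24 and 8.8.4.0/24, originated by Google's AS15169) whose origin AS is not the expected one, which is the sort of monitoring BGPmon performs. The update records and AS64500 as the foreign origin are constructed placeholders; the actual hijacking network is not identified on this page.

```python
import ipaddress
from dataclasses import dataclass

# Expected origin ASN per prefix. 8.8.8.0/24 and 8.8.4.0/24 (Google Public DNS)
# are originated by Google's AS15169; in practice this table comes from RPKI ROAs
# or an operator's own records. It is a constructed minimal example here.
EXPECTED_ORIGINS = {"8.8.8.0/24": 15169, "8.8.4.0/24": 15169}

@dataclass(frozen=True)
class BgpUpdate:
    prefix: str      # announced prefix, e.g. "8.8.8.0/24"
    as_path: tuple   # AS path as seen by a collector; the origin AS is last

def covering_expected(prefix):
    """Most specific expected prefix covering `prefix` -> (prefix, asn), else None."""
    net = ipaddress.ip_network(prefix)
    best = None
    for exp_prefix, asn in EXPECTED_ORIGINS.items():
        exp_net = ipaddress.ip_network(exp_prefix)
        if net.version == exp_net.version and net.subnet_of(exp_net):
            if best is None or exp_net.prefixlen > best[0].prefixlen:
                best = (exp_net, asn)
    return None if best is None else (str(best[0]), best[1])

def detect_hijacks(updates):
    """Flag updates whose origin AS is not the expected origin of the covering
    prefix. Catches both a competing announcement of the same prefix and a
    more-specific from a foreign AS; prefixes not in the table are ignored."""
    alerts = []
    for u in updates:
        covered = covering_expected(u.prefix)
        if covered is None:
            continue
        exp_prefix, exp_asn = covered
        seen = u.as_path[-1]
        if seen != exp_asn:
            alerts.append({"prefix": u.prefix, "expected_prefix": exp_prefix,
                           "expected_origin": exp_asn, "seen_origin": seen})
    return alerts

# Constructed sample feed: AS64496-64511 are documentation ASNs (RFC 5398) and
# 203.0.113.0/24 is TEST-NET-3; AS64500 stands in for an unknown hijacking origin.
SAMPLE_UPDATES = [
    BgpUpdate("8.8.8.0/24", (64496, 15169)),         # legitimate Google origin
    BgpUpdate("8.8.8.0/24", (64496, 64497, 64500)),  # constructed hijack
    BgpUpdate("203.0.113.0/24", (64496, 64510)),     # not monitored, ignored
]
```

Running `detect_hijacks(SAMPLE_UPDATES)` yields one alert, for the competing 8.8.8.0/24 announcement from AS64500; in a real deployment the feed would come from a route collector and the table from validated ROAs.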

488 posts | Ultimate Geek | Trusted
# 1007162 17-Mar-2014 11:08

So reading into that, the hijack only affects some ISPs' address spaces?

3344 posts | Uber Geek | Trusted | Vocus
# 1007170 17-Mar-2014 11:23

gundar: So reading into that, the hijack only affects some ISPs' address spaces?

On BGP Hijacking

488 posts | Ultimate Geek | Trusted
# 1007176 17-Mar-2014 11:29
One person supports this post

ubergeeknz:
gundar: So reading into that, the hijack only affects some ISPs' address spaces?

On BGP Hijacking

Yes, I read that one too, and I have some years of experience in related fields. The OP implied Google is to blame; I am of the opinion the ISP or carrier in this case is to blame, and only those ISPs' or the interconnected ISPs' clients are going to have a bad experience.

Is this correct or is the fault that of Google?

BDFL - Memuneh | 64667 posts | Uber Geek | Administrator | Trusted | Geekzone | Lifetime subscriber
# 1007182 17-Mar-2014 11:36

I didn't imply it was Google's fault, and that was not my intention. What I said is that there's no reason to use Google DNS, or any other external DNS. Even more so in New Zealand, where ISPs' DNS will point to local resources which are faster to access.

3344 posts | Uber Geek | Trusted | Vocus
# 1007184 17-Mar-2014 11:37

Not the fault of Google. It's the fault of insecure (and potentially misconfigured) protocols.

488 posts | Ultimate Geek | Trusted
# 1007188 17-Mar-2014 11:44
One person supports this post

freitasm: I didn't imply it was Google's fault, and that was not my intention. What I said is that there's no reason to use Google DNS, or any other external DNS. Even more so in New Zealand, where ISPs' DNS will point to local resources which are faster to access.


That would only be the case if my local DNS services have a known good cache of everything I want to access, surely?

Even a cached record could be corrupted if it was read at the time of subversion?

I'm not picking here, just curious as I use OpenDNS and Google DNS in places because they are usually highly available and quick. I do have a lot of infrastructure experience, but have not stumbled across BGP hijacking before, so my questions are valid: How does it help if I use, for example, Slingshot DNS, which is patchy at times, rather than Google or OpenDNS?

3344 posts | Uber Geek | Trusted | Vocus
# 1007190 17-Mar-2014 11:48

gundar: Even a cached record could be corrupted if it was read at the time of subversion?


Only if the hijacked DNS servers were authoritative for a given domain.

BDFL - Memuneh | 64667 posts | Uber Geek | Administrator | Trusted | Geekzone | Lifetime subscriber
# 1007191 17-Mar-2014 11:48
One person supports this post

I am not talking about DNS caching but content caching. Using your ISP's DNS will point you to local servers, such as Google servers inside the network, in-country Akamai servers, etc. Using Google DNS or OpenDNS, for example, you get none of these benefits.

6615 posts | Uber Geek | Inactive user
# 1007193 17-Mar-2014 11:54

ubergeeknz:
gundar: Even a cached record could be corrupted if it was read at the time of subversion?

Only if the hijacked DNS servers were authoritative for a given domain.

I wonder, when it was hijacked, was it a troll who just pointed all queries to some really bad NSFW website?

3344 posts | Uber Geek | Trusted | Vocus
# 1007195 17-Mar-2014 11:57

TimA:
ubergeeknz:
gundar: Even a cached record could be corrupted if it was read at the time of subversion?

Only if the hijacked DNS servers were authoritative for a given domain.

I wonder, when it was hijacked, was it a troll who just pointed all queries to some really bad NSFW website?

That'd be cool! It's also very unlikely. Far more likely the intent was MITM on banking websites, etc.

6615 posts | Uber Geek | Inactive user
# 1007196 17-Mar-2014 11:58

ubergeeknz:
TimA:
ubergeeknz:
gundar: Even a cached record could be corrupted if it was read at the time of subversion?

Only if the hijacked DNS servers were authoritative for a given domain.

I wonder, when it was hijacked, was it a troll who just pointed all queries to some really bad NSFW website?

That'd be cool! It's also very unlikely. Far more likely the intent was MITM on banking websites, etc.

Oo, I see, man in ye ol' middle attacks.

3889 posts | Uber Geek
# 1007253 17-Mar-2014 13:20

The issues around this are huge aren't they?

Will DNSSEC break changing the DNS system for traffic engineering?

Should we be using BGP and multi-homing to control where and how traffic should be directed?

What about privacy? Whose DNS server do you really want to put your query data into, and who is keeping a log and track of that information? Who should be? Who shouldn't be? Who are you happy with doing that? Who do you want to trust? Who should you trust? Is the whole system so captured now that you would be best just to not use it at all?

Personally I'm pushing 8.8.8.8 more often because it doesn't tend to break. I've had instances where my router's DNS relay client seems to not work properly.

I've been messing with OpenDNS because some people want a 'clean feed'... but I can see that causes problems because 'some people' object to any kind of content 'control'.

Should I just run my own recursive DNS server? But then how do I get the 'DNS routing' information from my ISP?

Do I want DNS information of my users held in my own systems? Even in the course of legitimate business do I want to even have that data in my system that I might view? Do I want that responsibility? Does pushing the requests to Google and OpenDNS then just push it out of my domain? Then who do I upset by doing that?

Is this about NOT putting all our eggs in one basket? One has to wonder why these attacks are happening anyway. Is it a bunch of white knight hackers just trying to give us all the hint that putting all our eggs in the Google basket is just not good form? Is there really malice here or a bunch of very level headed reasonable people asking the questions I've asked and just not wanting to be given all the ownership either?

TL;DR - Grab a rod, go fishing.

D

BDFL - Memuneh | 64667 posts | Uber Geek | Administrator | Trusted | Geekzone | Lifetime subscriber
# 1007269 17-Mar-2014 13:31
2 people support this post

DonGould: Personally I'm pushing 8.8.8.8 more often because it doesn't tend to break. I've had instances where my router's DNS relay client seems to not work properly.


People must be using really crappy ISPs to complain so much about "DNS breaking". Seriously, I can't remember the last time (if ever) I had a "DNS is broken" problem.
