One Article Review

Source: GoogleSec
Identifier: 8477254
Publication date: 2024-03-28 14:29:57 (viewed: 2024-04-06 22:07:27)
Title: Google Public DNS's approach to fight against cache poisoning attacks
Text: Tianhao Chi and Puneet Sood, Google Public DNS

The Domain Name System (DNS) is a fundamental protocol used on the Internet to translate human-readable domain names (e.g., www.example.com) into numeric IP addresses (e.g., 192.0.2.1) so that devices and servers can find and communicate with each other. When a user enters a domain name in their browser, the DNS resolver (e.g. Google Public DNS) locates the authoritative DNS nameservers for the requested name, and queries one or more of them to obtain the IP address(es) to return to the browser.

When DNS was launched in the early 1980s as a trusted, content-neutral infrastructure, security was not yet a pressing concern; as the Internet grew, however, DNS became vulnerable to various attacks. In this post, we will look at DNS cache poisoning attacks and how Google Public DNS addresses the risks associated with them.

DNS Cache Poisoning Attacks

DNS lookups in most applications are forwarded to a caching resolver (which could be local or an open resolver like Google Public DNS). The path from a client to the resolver is usually on a local network or can be protected using encrypted transports like DoH or DoT. The resolver queries authoritative DNS servers to obtain answers for user queries. This communication primarily occurs over UDP, an insecure connectionless protocol in which messages, including the source IP address, can be easily spoofed. The content of DNS queries may be sufficiently predictable that even an off-path attacker can, with enough effort, forge responses that appear to be from the queried authoritative server. Such a response will be cached if it matches the necessary fields (the transaction ID, the UDP port the query was sent from, and the question section) and arrives before the authentic response. This type of attack is called a cache poisoning attack, and it can cause great harm once successful. According to RFC 5452, the probability of success is very high without protection. Forged DNS responses can lead to denial of service, or may even compromise application security.
For an excellent introduction to cache poisoning attacks, please see “
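The race described above, as an added worked example that is not code from the Google blog post or from Google Public DNS: a toy resolver accepts a UDP answer only if the transaction ID, destination port and question section match the outstanding query, and an off-path attacker who cannot see the query floods guessed answers before the genuine one arrives. The simulation then shows how two entropy sources change the odds: source-port randomization (what RFC 5452 prescribes) and 0x20 case randomization of the query name (a separate well-known technique, included here as an assumption about which countermeasures matter, not as a claim about what the truncated article goes on to say). The RFC 5452 section 7 formula is reproduced for the analytic figure. The attacker's packet budget, the port range, the fixed port 53, the sample name and the addresses are all constructed parameters.

```python
# Added example for the passage above; it is not code from the Google blog
# post or from Google Public DNS. It models the off-path race with constructed
# parameters (attacker packet budget, port ranges, sample names/addresses).
import random
from typing import NamedTuple


class Query(NamedTuple):
    txid: int       # 16-bit DNS transaction ID
    src_port: int   # resolver's UDP source port for this query
    qname: str      # question name exactly as sent (case included)


class Response(NamedTuple):
    txid: int
    dst_port: int   # must equal the query's source port to reach the socket
    qname: str      # question section echoed back by the (alleged) server
    rdata: str


def matches(query: Query, resp: Response, check_case: bool) -> bool:
    """The fields a resolver must compare before caching a UDP answer.
    An answer that fails any of them is dropped, so every field the attacker
    cannot observe is entropy it has to guess."""
    if resp.txid != query.txid or resp.dst_port != query.src_port:
        return False
    if check_case:                  # 0x20 encoding: the case must echo exactly
        return resp.qname == query.qname
    return resp.qname.lower() == query.qname.lower()


def encode_0x20(name: str, rng: random.Random) -> str:
    """Randomly set or clear the 0x20 (case) bit of every letter in the name."""
    return "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in name)


def issue_query(rng: random.Random, qname: str,
                randomize_port: bool, use_0x20: bool) -> Query:
    """What the resolver sends upstream. A single fixed source port (53 here,
    a constructed stand-in for the pre-RFC 5452 behaviour) leaves only the
    16-bit ID for the attacker to guess."""
    txid = rng.randrange(1 << 16)
    port = rng.randrange(1024, 65536) if randomize_port else 53
    name = encode_0x20(qname, rng) if use_0x20 else qname.lower()
    return Query(txid, port, name)


def off_path_attack(rng: random.Random, query: Query, budget: int,
                    port_randomized: bool, check_case: bool) -> bool:
    """An off-path attacker cannot see the query, so it floods `budget` forged
    answers with a guessed ID (and port, if the resolver randomizes it) and the
    all-lowercase name, since it cannot learn the randomized case. Returns
    True if any forgery would be accepted before the genuine answer."""
    for _ in range(budget):
        forged = Response(
            txid=rng.randrange(1 << 16),
            dst_port=rng.randrange(1024, 65536) if port_randomized else 53,
            qname=query.qname.lower(),
            rdata="203.0.113.66",    # attacker-chosen address (constructed)
        )
        if matches(query, forged, check_case):
            return True
    return False


def success_rate(seed: int, trials: int, budget: int,
                 randomize_port: bool, use_0x20: bool) -> float:
    """Fraction of independent query races the attacker wins."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        q = issue_query(rng, "www.example.com", randomize_port, use_0x20)
        if off_path_attack(rng, q, budget, randomize_port, use_0x20):
            wins += 1
    return wins / trials


def rfc5452_success_probability(D: float, R: float, W: float,
                                N: float, P: float, I: float = 65536) -> float:
    """RFC 5452 section 7: D identical outstanding queries, R forged packets
    per second, W-second window before the real answer, N authoritative
    servers, P source ports in use, I possible transaction IDs."""
    return (D * R * W) / (N * P * I)


if __name__ == "__main__":
    for port_rand, c20 in ((False, False), (True, False), (False, True), (True, True)):
        rate = success_rate(1, 200, 8192, port_rand, c20)
        print(f"port randomization={port_rand!s:5} 0x20={c20!s:5} "
              f"attacker win rate={rate:.4f}")
    # Analytic odds for one window: 7000 forged packets/s for 0.1 s against
    # one server (constructed parameters, not the RFC's own worked figures).
    print("RFC 5452, fixed port :", rfc5452_success_probability(1, 7000, 0.1, 1, 1))
    print("RFC 5452, 64512 ports:", rfc5452_success_probability(1, 7000, 0.1, 1, 64512))
```

With a fixed port the attacker wins roughly one race in eight with 8192 forged packets, which is why a single poisoned race per window is not needed: the attacker simply retries. Randomizing the source port multiplies the guess space by the number of usable ports, and 0x20 adds one bit per letter of the name; the `matches` function is the place where a real resolver must actually enforce each of those checks, since entropy the receiver does not verify buys nothing.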
Tags: Technical