
SAD DNS Poisoning - Can Eset Protect Against It?



This is a new vulnerability recently discovered: https://www.cs.ucr.edu/~zhiyunq/SADDNS.html

It appears most ISP and public DNS servers are vulnerable to this. One of the few mitigations currently available for it is IDS detection. However, Eset removed DNS poisoning protection in the recent ver. 14.

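The SAD DNS page linked above describes the side channel only in prose. As an added illustration (not code from this post and not the SAD DNS authors' code, and it sends no packets), the following toy model shows why the resolver's randomized UDP source port can be recovered at all: a Linux host answers UDP probes to closed ports with ICMP port-unreachable, but only while a global token bucket has credit, so the attacker can count how many of a batch of 50 probes hit a closed port. Assumptions: the Linux defaults icmp_msgs_burst=50, icmp_msgs_per_sec=1000 and ip_local_port_range 32768-60999; the "randomized" mode, in which each ICMP spends 0 to 2 tokens, is modelled loosely after the kernel's randomized global limiter and should be treated as an approximation.

```python
"""Toy model of the SAD DNS side channel: inferring a resolver's open UDP
source port through the kernel's global ICMP rate limit.
Added illustration; nothing here is from the thread or the SAD DNS authors."""
import random

BURST = 50                       # icmp_msgs_burst default (assumed)
EPHEMERAL = range(32768, 61000)  # ip_local_port_range default (assumed)


class Resolver:
    """Host that replies to UDP probes on closed ports with ICMP unreachable,
    but only while the global token bucket still has credit."""

    def __init__(self, open_ports, randomized=False, seed=0):
        self.open_ports = set(open_ports)   # ports with a pending upstream query
        self.randomized = randomized
        self.rng = random.Random(seed)
        self.tokens = BURST

    def refill(self):
        # 1000 tokens/s: a few ms of silence restores the whole burst.
        self.tokens = BURST

    def udp_probe(self, port):
        """True if an ICMP port-unreachable would be sent for this probe."""
        if port in self.open_ports:
            return False            # delivered to the socket: no ICMP, no token spent
        if self.tokens <= 0:
            return False            # rate limited: a closed port now looks open
        # Legacy limiter spends exactly one token per ICMP. The randomized
        # model spends 0-2 (average 1) so the attacker cannot count exactly.
        self.tokens -= self.rng.randint(0, 2) if self.randomized else 1
        return True


def batch_has_open(res, ports):
    """One round: 50 probes spoofed as the upstream nameserver's IP (so a hit
    reaches the resolver's connected socket), then one probe from our own IP to
    a port assumed closed. Getting an ICMP for that last probe means a token
    survived, i.e. at least one of the 50 ports was open."""
    assert len(ports) == BURST
    res.refill()
    for p in ports:
        res.udp_probe(p)          # spoofed source: the replies go elsewhere
    return res.udp_probe(1)       # port 1 assumed closed on the model host


def narrow(res, candidates, known_closed):
    """Binary-search a positive batch down to one open port, padding each round
    with ports already known to be closed so every round is exactly 50 probes."""
    while len(candidates) > 1:
        half = candidates[: len(candidates) // 2]
        if batch_has_open(res, half + known_closed[: BURST - len(half)]):
            candidates = half
        else:
            candidates = candidates[len(half):]
    return candidates[0]


def scan(res, port_range=EPHEMERAL):
    """Return one open port per positive batch across port_range.
    Once the port is known, only the 16-bit TXID is left to guess (Kaminsky)."""
    ports = list(port_range)
    known_closed, positives = [], []
    for i in range(0, len(ports), BURST):
        batch = ports[i:i + BURST]
        if len(batch) < BURST:                      # short tail: pad with closed ports
            batch = batch + known_closed[:BURST - len(batch)]
            if len(batch) < BURST:
                break                               # nothing to pad with yet
        if batch_has_open(res, batch):
            positives.append(batch)
        else:
            known_closed.extend(batch)
    if len(known_closed) < BURST:
        return []                                   # cannot narrow without padding
    return [narrow(res, b, known_closed) for b in positives]


def false_positive_rate(res, rounds=200):
    """Fraction of all-closed batches that still look 'open' (channel noise)."""
    closed = list(range(2, 2 + BURST))              # assumed closed on the model host
    return sum(batch_has_open(res, closed) for _ in range(rounds)) / rounds


if __name__ == "__main__":
    print("legacy limiter, open ports found:", scan(Resolver([40123, 55555])))
    print("legacy limiter noise:", false_positive_rate(Resolver([])))
    print("randomized limiter noise:", false_positive_rate(Resolver([], randomized=True)))
```

With the legacy limiter the scan recovers the open ports exactly and an all-closed batch never reads as open; with the randomized limiter roughly half of all-closed batches read as open, which is what turns the clean signal into noise. Real resolvers add timing, per-IP limits and multiple outstanding queries on top of this, so treat the model as the idea, not a tool.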

Well, I am feeling a bit better in that Cloudflare states that they are no longer vulnerable:

Quote

As part of a coordinated disclosure effort earlier this year, the researchers contacted Cloudflare and other major DNS providers and we are happy to announce that 1.1.1.1 Public Resolver is no longer vulnerable to this attack.

https://blog.cloudflare.com/sad-dns-explained/

Great if you're using Firefox w/DoH enabled and using the default Cloudflare DNS servers. However, I know per this test that my ISP DNS servers are vulnerable, which I would be using for non-browser based DNS lookups.

Also, this is not just a Linux vulnerability; it affects all Win Server OS versions: https://dirteam.com/sander/2020/12/10/dns-spoofing-vulnerability-sad-dns-important-cve-2020-25705-adv200013/

Edited by itman

Found a slide show on this attack here: https://www.saddns.net/slides.pdf

I would say until ISP and DNS providers mitigate this, it would be best to always use two-factor authorization on your financial web sites and/or manually verify, prior to site logon, that the site you arrived at is actually your bank's web site via certificate thumbprint validation. The latter is something I have requested from Eset for some time in their Banking & Payment Protection feature.

Edited by itman

In light of this new DNS poisoning vulnerability, it might be informative for some to review the original Kaminsky DNS cache vulnerability. Gibson Research goes into great detail on this on their web site here: https://www.grc.com/dns/dns.htm. Unfortunately, it appears they haven't updated their test for this new DNS cache vulnerability.

Also on the Gibson Research web site is additional detail on how to retrieve your banking web site certificate thumbprint I mentioned previously: https://www.grc.com/fingerprints.htm . This is also a lead in to what I would like to see added to Eset Banking & Payment Protection.

That is, it would automatically perform this certificate chain validation using Eset web servers whenever a URL is entered. This, BTW, is the only foolproof method to prevent DNS spoofing. The problem currently is that it appears Eset is attempting to expand B&PP use to normal browser use. This would obviously put an unacceptable load on the Eset servers that would perform this independent chaining validation. As such, Eset would have to provide this capability via a financial web site URL list, for example, that would be used for this validation.

Edited by itman
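The manual check proposed two posts up (compare the certificate thumbprint of the site you landed on with a thumbprint obtained elsewhere, e.g. from the GRC fingerprints page) and the automated version requested of Eset in the post above amount to the same comparison. The script below is an added example of that comparison, not Eset's code and not from the posts. It uses only the Python standard library; the host name example.bank and the DER bytes used as a stand-in certificate are constructed for illustration, not a real site or certificate.

```python
"""Pin-check a site's TLS leaf certificate against a thumbprint obtained
out of band. Added example; not code from the thread or from Eset."""
import hashlib
import socket
import ssl
import sys

# Constructed stand-in for a DER-encoded certificate, used only to show the
# hashing and formatting; it is NOT a real certificate.
SAMPLE_DER = b"abc"


def normalize_thumbprint(text):
    """Accept 'AB:CD:...', 'ab cd ...' or bare hex as shown by browsers/GRC;
    return lowercase hex without separators."""
    return "".join(ch for ch in text.lower() if ch in "0123456789abcdef")


def thumbprint(der_bytes, algo="sha256"):
    """Thumbprint/fingerprint = hash over the certificate's DER encoding."""
    return hashlib.new(algo, der_bytes).hexdigest()


def thumbprint_matches(der_bytes, expected, algo="sha256"):
    """Constant-format comparison of a live cert against the pinned value.
    A SHA-1 thumbprint is 40 hex chars, SHA-256 is 64; a length mismatch is a
    wrong-algorithm mistake rather than evidence of spoofing, so it is raised
    instead of silently returning False."""
    exp = normalize_thumbprint(expected)
    if len(exp) != hashlib.new(algo).digest_size * 2:
        raise ValueError(f"expected a {algo} thumbprint, got {len(exp)} hex chars")
    return thumbprint(der_bytes, algo) == exp


def fetch_leaf_cert(host, port=443, timeout=5):
    """Fetch the DER leaf certificate the server presents for host.
    Normal chain and hostname validation stays on: a spoofed endpoint with a
    self-signed or wrong-name certificate fails here with ssl.SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_site(host, expected, algo="sha256"):
    """True only if the live leaf certificate matches the pinned thumbprint.
    A failed handshake (untrusted chain, wrong name, no TLS) also returns False:
    either way, do not log in."""
    try:
        der = fetch_leaf_cert(host)
    except (ssl.SSLError, OSError):
        return False
    return thumbprint_matches(der, expected, algo)


if __name__ == "__main__":
    # Usage (hypothetical host): python pincheck.py example.bank 'BA:78:16:...'
    host, pin = sys.argv[1], sys.argv[2]
    print("OK" if check_site(host, pin) else "MISMATCH - do not log in")
```

The check does not require DNS to be correct, which is the point: an attacker who poisons the resolver can send you to another IP, but cannot present the bank's certificate without its private key, so a thumbprint mismatch or a failed handshake is the detection. The pinned thumbprint must come from a path the attacker does not control (written down on an earlier known-good visit, or fetched from a separate network), and it changes whenever the bank rotates its certificate, so a mismatch means stop and verify, not necessarily an attack in progress. A server-side version, as asked of Eset above, would hold the current thumbprints for a list of financial sites and do this comparison on the user's behalf.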
