11

After reading the question about a manipulated google analytics script I wonder how you would protect against this kind of attack.

What comes to mind is setting DNS IP fixed in network configuration or using a tunnel, but in both cases you would not detect the attack.

Is there a way to protect yourself and also be able to detect the attack?

Community
  • 1
PiTheNumber
  • 5,394
  • 4
  • 19
  • 36
  • 1
    I don't think using a fixed IP address for DNS would help. Since the WiFi hotspot is a man in the middle, it could simply treat all DNS requests itself and again redirect you somewhere else. – Thomas Weller Jul 16 '14 at 12:35
  • Not sure if your question is ok: you can either prevent the attack but not detect it (because you prevented it) or detect it but allow it. Doing both would probably mean that you receive the information twice (secure and insecure) and compare the results against each other. Wouldn't you care about the double traffic? – Thomas Weller Jul 16 '14 at 12:41
  • Well, if you must, you could use a Virtual Machine that's NOT connecting though a VPN as a honeypot of sorts. I don't know why you would, but you could. – KnightOfNi Jul 16 '14 at 21:24
  • 3
    You need to know that you're not talking to the server you expect for the domain. This can be done by comparing certs for https with what you saw earlier. That would detect the threat. And that's what the browser does in general. – naugtur Jul 16 '14 at 22:01

2 Answers2

9

I'm afraid we won't have a proper solution until we get everyone to use DNSSEC.

However, I predict that unless someone discovers a really critical flaw in DNS protocol forcing everyone to implement it, it will take many many years ☹ (just look at IPv6).

As a partial solution, you could have the DNS resolver set to a trusted DNS resolver which also signs all unsigned responses with its own key. That won't detect that the dns server provided on the DHCP response is malicious/poisoned, but -adding the appropiate code on the stub resolver- if all DNS queries where answered by the evil DNS server, you could notice that.

Benoit Esnard
  • 13,942
  • 7
  • 65
  • 65
Ángel
  • 17,578
  • 3
  • 25
  • 60
2

I think the only wayx to detect the attack would be to run a custom script in the backgorund of your session, which would send all your DNS requests to a trusted secured DNS-Server (using signing or HTTPS) and also to your local DNS. Then it could compare the results and give you an alertbox if the results don't match e.g. if the provided IP-Adresses are not registered under the same domain...

Falco
  • 1,493
  • 10
  • 14
  • Is there a plugin for this? – Pacerier Mar 28 '15 at 20:21
  • That is what I had in mind but there are some domains (like google.com) which has [hundred of thousands](http://snurps.blogspot.jp/2013/10/how-many-ip-addresses-does-google-have.html) associated IP addresses. What about other "big" sites? It will be hard to keep up with their changes to prevent mistaken alerts. How can that be solved? I'm also looking for an answer. – lepe Jul 21 '15 at 00:52
  • @lepe you could contact a whois service via https, they will list every ip which Google owns as registered with Google! – Falco Jul 21 '15 at 06:37
  • Thanks Falco. That could help to verify google and other big sites, but IMHO I think it would be hard to use it as a general solution. – lepe Jul 21 '15 at 07:23