
Theoretically, DNS cache poisoning shouldn't matter, because everything important is protected by SSL and IPsec.

  • So why was DNSSEC developed?
  • Aren't the first two protocols sufficient?
SilverlightFox
Black

2 Answers

SSL and TLS provide transport security, but only after DNS resolution. So if the DNS cache has been poisoned, the connection will go to the wrong server.

But if the connection has already been made and the TTL of the DNS record is, e.g., a day, and the DNS poisoning only takes place afterwards, it has no effect anymore, because the client will do no DNS resolving (it already knows where to connect to...).

robbie
  • SSL and TLS use certificates to verify the identity of the other party. So although they do not protect against cache poisoning itself, the certificates help to protect against the results. – S.L. Barth Jan 25 '15 at 16:02
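The ordering described in this answer, as an added example that is not part of the original post: a toy stub resolver with a TTL cache. It is a constructed model, not real DNS code; the upstream server, the record names and the IP addresses (from the documentation ranges) are all assumptions. It shows that the resolver only asks upstream on a cache miss, that an answer which does not match an outstanding query (transaction ID and name) is discarded rather than cached, and that a record already in the cache is served until its TTL expires, after which whatever upstream answers at that moment, correct or poisoned, is what the client connects to. TLS then verifies the certificate against the hostname, not the IP, which is why the poisoned connection still fails the certificate check unless the attacker also holds a valid certificate for that name.

```python
"""Toy stub resolver with a TTL cache (constructed teaching model, not real DNS)."""
import random
from dataclasses import dataclass


@dataclass
class Answer:
    name: str
    ip: str
    ttl: int


@dataclass
class Query:
    txid: int
    name: str


class StubResolver:
    def __init__(self, upstream, rng=None):
        self.upstream = upstream      # callable(Query) -> Answer; assumed interface
        self.cache = {}               # name -> (ip, expires_at)
        self.pending = {}             # txid -> name for queries still awaiting an answer
        self.rng = rng or random.Random()
        self.rejected = 0             # answers dropped because nothing matching was pending

    def resolve(self, name, now):
        """Return the IP for name at time `now`, consulting upstream only on a cache miss."""
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0]             # cached record wins; nothing is sent upstream
        q = Query(self.rng.getrandbits(16), name)
        self.pending[q.txid] = name
        self.accept(q.txid, self.upstream(q), now)
        return self.cache[name][0]

    def accept(self, txid, ans, now):
        """Install an answer only if it matches an outstanding query (txid and name)."""
        if self.pending.get(txid) != ans.name:
            self.rejected += 1        # unsolicited or mismatched answer: never cached
            return False
        del self.pending[txid]
        self.cache[ans.name] = (ans.ip, now + ans.ttl)
        return True


def honest_upstream(q):
    # Assumed legitimate server: 192.0.2.0/24 is a documentation range.
    return Answer(q.name, "192.0.2.10", ttl=86400)


def poisoned_upstream(q):
    # Assumed compromised path: 198.51.100.0/24 is also a documentation range.
    return Answer(q.name, "198.51.100.66", ttl=60)


def scenario():
    r = StubResolver(honest_upstream, rng=random.Random(7))
    ip0 = r.resolve("bank.example", now=0)         # miss -> upstream -> 192.0.2.10, TTL one day

    # A forged answer arriving while no query is outstanding is discarded.
    forged = Answer("bank.example", "198.51.100.66", ttl=86400)
    accepted = r.accept(0x1234, forged, now=100)   # False

    ip1 = r.resolve("bank.example", now=100)       # still within TTL: 192.0.2.10
    r.upstream = poisoned_upstream                 # resolution path is poisoned later on
    ip2 = r.resolve("bank.example", now=100 + 1)   # cache still valid: 192.0.2.10
    ip3 = r.resolve("bank.example", now=86401)     # TTL expired: upstream consulted -> 198.51.100.66
    return ip0, accepted, ip1, ip2, ip3, r.rejected


if __name__ == "__main__":
    print(scenario())
```

The cache check at the top of `resolve` is the whole point of the second paragraph of the answer: as long as a valid record is cached, the client never asks again, so a later poisoning of the resolution path changes nothing until the TTL lapses. The matching check in `accept` is the basic defence resolvers apply against unsolicited answers; a practitioner auditing a resolver would additionally look for source-port randomisation and, where deployed, DNSSEC validation, neither of which this toy models.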

The two technologies are designed for different applications.

IPsec isn't traditionally used across the Internet, but rather on local networks. It also requires networking infrastructure that supports IPsec, which isn't common in SOHO routers and other non-enterprise equipment.

DNSSEC works across the Internet, and is designed to provide a form of PKI for DNS. It doesn't provide transport security, but it does help prevent DNS hijacking.

Polynomial
  • SSL (or TLS), providing transport security, does it already prevent DNS hijacking? This is my personal doubt. – Black Jan 25 '15 at 11:21
  • @Polynomial, Re "IPsec isn't traditionally used across the Internet", but it **can** be, can't it? So why did we choose to deploy DNSSEC instead of simply deploying IPSEC? – Pacerier Nov 04 '17 at 05:24
  • @Pacerier IPsec isn't suitable for mass implementation across the internet. It would massively complicate load balancing, routing, and many other areas of network administration. DNSSEC has [significant problems](https://sockpuppet.org/blog/2015/01/15/against-dnssec/) and is far from being chosen for mass deployment. In fact, many major internet organisations are dropping it because it is so flawed. A better approach is DANE, which involves restructuring PKI entirely, but that isn't fantastic either. – Polynomial Nov 06 '17 at 14:49
  • @Black TLS does not prevent you from hijacking DNS to point the IP somewhere else, but you still need to forge the certificate in order to man-in-the-middle the comms anyway, so DNSSEC or IPsec wouldn't offer any additional protection over TLS in that regard. – Polynomial Nov 06 '17 at 14:52