How does DNS know who to trust?

2

When I register a domain, and update the DNS records, these changes propagate to other DNS servers around the world. But how do the servers that are accepting these changes know they can trust these changes? How can they make sure that it's not a criminal, redirecting traffic away from example.com to their malware website by changing the DNS records?

bigblind

Posted 2013-04-23T04:48:57.947

Reputation: 233

The simple answer is that it doesn't know who to trust. Which is the reason two possible replacements to the standard DNS system are being proposed. DNSSEC is one of those possible solutions. To make a complex process simple, both involve a "circle of trust" where all parties have to agree the change is actually valid. – Ramhound – 2013-04-23T11:06:52.420

Ramhound : DNSSEC is certainly not a "replacement" for DNS, it is an extension of it. – bortzmeyer – 2013-04-24T20:09:52.467

Answers

6

  1. DNS doesn't propagate the way you probably think it does. The only "propagation" is within the servers authoritative for a domain (i.e., the com. TLD).
  2. Only registrars can update TLD NS and glue records. It's tracked which registrar currently registers a domain name.
  3. There's extremely little verification of record integrity, which is why cache poisoning is possible, along with a variety of other similar attacks. DNSSEC seeks to solve this issue, but adoption has been slow.

Chris S

Posted 2013-04-23T04:48:57.947

Reputation: 5 907
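The "circle of trust" mentioned in the comments and the DNSSEC point in the answer above are easier to see with a small model. The following is an added example, not code from this thread or from any DNS software: it builds a three-level chain (root, com., example.com.) in which each parent publishes a DS-style digest of its child's key, signs it, and the child signs its own records. A validator starts from a trust anchor (the digest of the root key) and checks every link down to the answer. Everything about the cryptography is a simplification and an assumption of this example: signatures are textbook RSA over SHA-256 with tiny fixed primes and no padding, records are Python tuples rather than wire-format RRsets, and there are no TTLs, validity windows, or KSK/ZSK split. The addresses are from the RFC 5737 documentation ranges.

```python
import hashlib

# --- toy signatures: textbook RSA over SHA-256, tiny keys, no padding (illustration only) ---

def make_key(p, q, e=65537):
    """Return (public, private) from two small fixed primes. Real DNSSEC keys are far larger."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), pow(e, -1, phi)

def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, public, data: bytes) -> int:
    n, _ = public
    # The digest is reduced mod n because the toy modulus is much smaller than a SHA-256 output.
    return pow(digest_int(data) % n, private, n)

def verify(public, data: bytes, signature) -> bool:
    n, e = public
    return signature is not None and pow(signature, e, n) == digest_int(data) % n

# --- zones: each holds a key, the records it serves, and a signature over each record ---

def encode(name, rtype, rdata) -> bytes:
    """Canonical bytes covered by a signature (stand-in for the RRset wire form)."""
    return f"{name}|{rtype}|{rdata}".encode()

def ds_for(public) -> str:
    """DS-style digest of a public key; a parent publishes this for each child zone."""
    n, e = public
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()

class Zone:
    def __init__(self, name, p, q):
        self.name = name
        self.public, self._private = make_key(p, q)
        self.records = {}   # (owner name, type) -> rdata
        self.rrsigs = {}    # (owner name, type) -> signature made with this zone's key

    def add(self, name, rtype, rdata):
        self.records[(name, rtype)] = rdata
        self.rrsigs[(name, rtype)] = sign(self._private, self.public, encode(name, rtype, rdata))

    def delegate(self, child):
        """Publish and sign the child's key digest, i.e. the DS record for the delegation."""
        self.add(child.name, "DS", ds_for(child.public))

# --- validator: walks from the trust anchor down to the answer, checking every link ---

def validate(zones, trust_anchor_ds, name, rtype):
    """Return the rdata for (name, rtype) only if every link from the trust anchor verifies, else None."""
    chain = sorted((z for z in zones if z == "." or name == z or name.endswith("." + z)), key=len)
    expected_ds = trust_anchor_ds
    for i, zname in enumerate(chain):
        zone = zones[zname]
        # Link 1: this zone's key must match the digest the parent (or the anchor) vouched for.
        if ds_for(zone.public) != expected_ds:
            return None
        if i + 1 < len(chain):
            # Link 2: the DS for the next zone must carry a valid signature by this zone's key.
            child = chain[i + 1]
            ds = zone.records.get((child, "DS"))
            if ds is None or not verify(zone.public, encode(child, "DS", ds), zone.rrsigs.get((child, "DS"))):
                return None
            expected_ds = ds
        else:
            # Final link: the answer itself must be signed by the zone that owns it.
            rdata = zone.records.get((name, rtype))
            if rdata is None or not verify(zone.public, encode(name, rtype, rdata), zone.rrsigs.get((name, rtype))):
                return None
            return rdata
    return None

def build_demo():
    """Constructed three-zone hierarchy; primes are small fixed values chosen for the toy only."""
    root = Zone(".", 7919, 104729)
    com = Zone("com.", 1299709, 15485863)
    example = Zone("example.com.", 999983, 1000003)
    root.delegate(com)
    com.delegate(example)
    example.add("www.example.com.", "A", "192.0.2.1")
    zones = {z.name: z for z in (root, com, example)}
    return zones, ds_for(root.public)   # the validator is configured with the root key digest

if __name__ == "__main__":
    zones, anchor = build_demo()
    print("valid chain   ->", validate(zones, anchor, "www.example.com.", "A"))
    # An answer edited in place no longer matches its signature.
    zones["example.com."].records[("www.example.com.", "A")] = "198.51.100.9"
    print("edited record ->", validate(zones, anchor, "www.example.com.", "A"))
    # A zone served with a different key fails because the parent's DS does not vouch for it.
    rogue = Zone("example.com.", 7919, 1299709)
    rogue.add("www.example.com.", "A", "198.51.100.9")
    zones["example.com."] = rogue
    print("rogue key     ->", validate(zones, anchor, "www.example.com.", "A"))
```

The two failure cases are the point of the example: a resolver that only checks transaction IDs and source ports has nothing comparable to the DS and RRSIG links, which is why the answer's point 3 holds for plain DNS, and why a validating resolver only needs one configured trust anchor (the root key digest) to reject both an edited record and a substituted zone key.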