Michel Siffre's been there, done that:
Thanks Larry. How's the yacht?
I'm at a loss here. You think when you do a reverse lookup you're only hitting the DNSSEC secured root servers? You really, genuinely don't understand how DNS works.
Well, it's been weird. I'm out. I hope your hosts file providers are never compromised, and your reverse lookups always return valid hostnames. Good luck. You'll need it.
You read the wikipedia page! Good for you!
Yes, it is its own TLD. It's also delegated out from the root nameservers, so there's still no central storage point and you're still vulnerable if you're relying on reverse lookups.
None of that shows that you know anything about DNS. You're ranting into the abyss.
What have I done? Like you, nothing of note. If we're waving our dicks about, though, I have a BSc in Computing Science, an RHCSA and an SCSA. I administer Unix, DNS and LDAP for a FTSE100 company.
And yet, here I am on Slashdot arguing with APK for some reason.
"ACTUAL STORAGE CENTRAL POINT FOR THEM"
Again, there is _no_ central storage for in-addr.arpa. The reverse records are delegated just like the A records are. Do you honestly think the root servers hold every single PTR record on the public internet?
You know, for someone who makes a lot of noise about hosts files and DNS, I'd expect you to at least understand how DNS works.
"...you even ADMIT I do get better security via my methods"
Umm, I didn't. I said quite specifically that your security is likely worse than just using DNS. But hey. If that's how you choose to configure your hosts, then that's great. Good luck to you.
Peace out, much love, etc.
1) Symantec is the only one of those sources I would even remotely trust, and I'd still be checking every single entry, even with them.
Do me a favour - run wireshark on your PC, filter for port 53. See how often your host with its massive hosts file still relies on DNS. In terms of the problem the Fine Article talks about, you're no more protected than anyone else.
I'm not sure you understand how DNS works - the reverse entries are delegated to the IP space owners, so it's just as likely that the in-addr.arpa records are being poisoned, and so your reverse lookup check doesn't buy you much. It's better than not checking, but a well organised poisoning attack will be modifying PTR records to cover SSL full-circle checks anyway.
In fact, you're still trusting that DNS is sound to check your hosts files are coming from the right places, and then adding further vulnerability by trusting that A Bunch Of Suppliers aren't feeding you bogus entries.
Even if your hosts file _is_ OK, you still can't protect yourself from resolving xyz.domain.com entries, because hosts files can't use *.domain.com so you can't stop your PC from resolving rapidly changing subdomains.
So, in terms of poisoned host records you're actually more at risk by using a huge custom hosts file, not less. Statically defining host records to 127.0.0.1 will protect you from reaching a known attack site, but fast-flux subdomains nullify that protection in a lot of cases, and for similar reasons it offers only limited protection from the Kaminsky attack.
Hmm. That's a lot of sources, any one of which could be compromised at any time.
P.S. in-addr.arpa PTR records are delegated from the root nameservers just like A records - doing reverse lookups doesn't buy you much in terms of security, if you're worried about hijacked DNS.
APK - what's to stop someone poisoning one of the source hosts files you use to generate yours? Like, for example, adding an entry for google.com which points to a drive-by infection site?
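Two of the points raised in this thread (a hosts file only matches exact names, so an entry for domain.com does nothing for xyz.domain.com, and a merged hosts file is only as trustworthy as its upstream sources) can be checked mechanically. The script below is an added example, not code from any commenter or from any hosts-file generator; the merged hosts file it parses is constructed for illustration, and `203.0.113.7` is a documentation-range address standing in for an attacker's server. It parses the file the way a resolver's hosts lookup would (exact hostname match, no wildcards) and flags any entry in a supposed blocklist whose target is not a sinkhole address, which is exactly what a poisoned upstream entry for google.com would look like.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample: a merged hosts file as a blocklist generator might emit it.
# The google.com line models a poisoned upstream source; 203.0.113.7 is a
# TEST-NET-3 documentation address, not a real attacker.
SAMPLE_HOSTS = """\
# merged from two hypothetical upstream sources
127.0.0.1   localhost
0.0.0.0     ads.example.net
0.0.0.0     domain.com
127.0.0.1   tracker.example.org   # trailing comment
203.0.113.7 google.com            # poisoned: a real site pointed at a foreign IP
"""

# Addresses a blocklist-style hosts file is allowed to map names to.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1", "::"}

Entry = Tuple[str, str, int]  # (address, hostname, source line number)


def parse_hosts(text: str) -> List[Entry]:
    """Parse hosts-file syntax: '<address> <name> [<name>...]' with '#' comments."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line; a resolver would ignore it too
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # not an IP address in the first column
        for name in parts[1:]:
            entries.append((addr, name.lower().rstrip("."), lineno))
    return entries


def hosts_lookup(entries: List[Entry], hostname: str) -> Optional[str]:
    """Mimic the OS hosts lookup: exact name match only, first hit wins."""
    wanted = hostname.lower().rstrip(".")
    for addr, name, _ in entries:
        if name == wanted:
            return addr
    return None


def is_blocked(entries: List[Entry], hostname: str) -> bool:
    """True only if the name is present AND sinkholed; subdomains are not covered."""
    addr = hosts_lookup(entries, hostname)
    return addr is not None and addr in SINKHOLES


def find_poisoned(entries: List[Entry]) -> List[Entry]:
    """Entries in a blocklist that resolve somewhere other than a sinkhole.

    Any such entry redirects a name to a live host, which is what a compromised
    upstream source would introduce; a clean blocklist should return nothing."""
    return [e for e in entries if e[0] not in SINKHOLES]


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    print("domain.com blocked:    ", is_blocked(entries, "domain.com"))
    print("xyz.domain.com blocked:", is_blocked(entries, "xyz.domain.com"))
    for addr, name, lineno in find_poisoned(entries):
        print(f"line {lineno}: {name} -> {addr} is not a sinkhole, reject this source")
```

Running a check like `find_poisoned` over each upstream file before merging is the cheapest defence against the scenario in the comment above; the `is_blocked` result for xyz.domain.com shows why the file offers no help against fast-flux subdomains regardless of how clean it is.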
Swiss army knives are legal. Locking blades (e.g. leatherman) and blades over 3 inches will get you jailed though.
No. No it is not.
Don't pay your Java licensing fees, you cock-smoking teabaggers!