Forgot your password?
typodupeerror

Comment: Re:DNSSEC & Root 13 DNS servers... apk (Score 1) 313

I'm at a loss here. You think when you do a reverse lookup you're only hitting the DNSSEC secured root servers? You really, genuinely don't understand how DNS works.

Well, it's been weird. I'm out. I hope your hosts file providers are never compromised, and your reverse lookups always return valid hostnames. Good luck. You'll need it.

Comment: Re:I also know this, per this article, lol... apk (Score 1) 313

None of that shows that you know anything about DNS. You're ranting into the abyss.

What have I done? Like you, noting of note. If we're waving our dicks about, though, I have a BSc in Computing Science, an RHCSA and an SCSA. I administer Unix, DNS and LDAP for a FTSE100 company.

And yet, here I am on Slashdot arguing with APK for some reason.

Comment: Re:Did you see the topic of this article? (Score 1) 313

"ACTUAL STORAGE CENTRAL POINT FOR THEM"
Again, there is _no_ central storage for in-addr.arpa. The reverse records are delegated just like the A records are. Do you honestly think the root servers hold every single PTR record on the public internet?

You know, for someone who makes a lot of noise about hosts files and DNS, I'd expect you to at least understand how DNS works.

Comment: Re:For Pete's sake enough (you're non-sequitur) (Score 1) 313

"...you even ADMIT I do get better security via my methods"
Umm, I didn't. I said quite specifically that your security is likely worse than just using DNS. But hey. If that's how you choose to configure your hosts, then that's great. Good luck to you.

I'll be out here in the badlands running with an empty hosts file, javascript switched on, frames enabled, cookies allowed, and Flash installed. Living the dream, baby.

Peace out, much love, etc.

Comment: Re:WRONG again on THIS too... apk (Score 1) 313

1) Symantec is the only one of those sources I would even remotely trust, and I'd still be checking every single entry, even with them.
2) You _are_ relying on "ON A WORLD FULL OF UNPATCHED DNS SERVERS", unless you only ever visit the _exact_ hostnames _specifically_ entered in your hosts file, and _only_ if those site _only_ have links and included references (javascript sources, etc) which are _exactly_ listed in your hosts file.

Do me a favour - run wireshark on your PC, filter for port 53. See how often your host with its massive hosts file still relies on DNS. In terms of the problem the Fine Article talks about, you're no more protected than anyone else.

Comment: Re:It's more secure than DNS queries... apk (Score 1) 313

I'm not sure you understand how DNS works - the reverse entries are delegated to the IP space owners, so it's just as likely that the in-addr.arpa records are being poisoned, and so your reverse lookup check doesn't buy you much. It's better than not checking, but a well organised poisoning attack will be modifying PTR records to cover SSL full-circle checks anyway.
In fact, you're still trusting that DNS is sound to check your hosts files are coming from the right places, and then adding further vulnerability by trusting that A Bunch Of Suppliers aren't feeding you bogus entries.
Even if your hosts file _is_ OK, you still can't protect yourself from resolving xyz.domain.com entries, because hosts files can't use *.domain.com so you can't stop your PC from resolving rapidly changing subdomains.
So, in terms of poisoned host records you're actually more at-risk by using a huge custom hosts file, not less. Statically defining host records to 127.0.0.1 will protect you from reaching a known attack site, but fast-flux subdomains nullify that protection in a lot of cases, and for similar reasons it offers only limited protection from the Kaminsky attack.

Comment: Re:My data sources do... apk (Score 1) 313

Hmm. That's a lot of sources, any one of which could be compromised at any time.

P.S. in-addr.arpa PTR records are delegated from the root nameservers just like A records - doing reverse lookups doesn't buy you much in terms of security, if you're worried about hijacked DNS.

"For the man who has everything... Penicillin." -- F. Borquin

Working...