Follow Slashdot stories on Twitter


Forgot your password?
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 internet speed test! ×

Comment Re:DNSSEC & Root 13 DNS servers... apk (Score 1) 313

I'm at a loss here. You think when you do a reverse lookup you're only hitting the DNSSEC secured root servers? You really, genuinely don't understand how DNS works.

Well, it's been weird. I'm out. I hope your hosts file providers are never compromised, and your reverse lookups always return valid hostnames. Good luck. You'll need it.

Comment Re:I also know this, per this article, lol... apk (Score 1) 313

None of that shows that you know anything about DNS. You're ranting into the abyss.

What have I done? Like you, noting of note. If we're waving our dicks about, though, I have a BSc in Computing Science, an RHCSA and an SCSA. I administer Unix, DNS and LDAP for a FTSE100 company.

And yet, here I am on Slashdot arguing with APK for some reason.

Comment Re:Did you see the topic of this article? (Score 1) 313

Again, there is _no_ central storage for The reverse records are delegated just like the A records are. Do you honestly think the root servers hold every single PTR record on the public internet?

You know, for someone who makes a lot of noise about hosts files and DNS, I'd expect you to at least understand how DNS works.

Comment Re:For Pete's sake enough (you're non-sequitur) (Score 1) 313

" even ADMIT I do get better security via my methods"
Umm, I didn't. I said quite specifically that your security is likely worse than just using DNS. But hey. If that's how you choose to configure your hosts, then that's great. Good luck to you.

I'll be out here in the badlands running with an empty hosts file, javascript switched on, frames enabled, cookies allowed, and Flash installed. Living the dream, baby.

Peace out, much love, etc.

Comment Re:WRONG again on THIS too... apk (Score 1) 313

1) Symantec is the only one of those sources I would even remotely trust, and I'd still be checking every single entry, even with them.
2) You _are_ relying on "ON A WORLD FULL OF UNPATCHED DNS SERVERS", unless you only ever visit the _exact_ hostnames _specifically_ entered in your hosts file, and _only_ if those site _only_ have links and included references (javascript sources, etc) which are _exactly_ listed in your hosts file.

Do me a favour - run wireshark on your PC, filter for port 53. See how often your host with its massive hosts file still relies on DNS. In terms of the problem the Fine Article talks about, you're no more protected than anyone else.

Comment Re:It's more secure than DNS queries... apk (Score 1) 313

I'm not sure you understand how DNS works - the reverse entries are delegated to the IP space owners, so it's just as likely that the records are being poisoned, and so your reverse lookup check doesn't buy you much. It's better than not checking, but a well organised poisoning attack will be modifying PTR records to cover SSL full-circle checks anyway.
In fact, you're still trusting that DNS is sound to check your hosts files are coming from the right places, and then adding further vulnerability by trusting that A Bunch Of Suppliers aren't feeding you bogus entries.
Even if your hosts file _is_ OK, you still can't protect yourself from resolving entries, because hosts files can't use * so you can't stop your PC from resolving rapidly changing subdomains.
So, in terms of poisoned host records you're actually more at-risk by using a huge custom hosts file, not less. Statically defining host records to will protect you from reaching a known attack site, but fast-flux subdomains nullify that protection in a lot of cases, and for similar reasons it offers only limited protection from the Kaminsky attack.

Slashdot Top Deals

You may call me by my name, Wirth, or by my value, Worth. - Nicklaus Wirth