Chapter 11. Security
“I hope you’ve got your hair well fastened on?” he continued, as they set off.
“Only in the usual way,” Alice said, smiling.
“That’s hardly enough,” he said, anxiously. “You see the wind is so very strong here. It’s as strong as soup.”
“Have you invented a plan for keeping the hair from being blown off?” Alice enquired.
“Not yet,” said the Knight. “But I’ve got a plan for keeping it from falling off.”
Why should you care about DNS security? Why go to the trouble of securing a service that mostly maps names to addresses? Let us tell you a story.
In July 1997, during two periods of several days, users around the Internet who typed www.internic.net into their web browsers thinking they were going to the InterNIC’s web site instead ended up at a web site belonging to the AlterNIC. (The AlterNIC runs an alternate set of root nameservers that delegate to additional top-level domains with names like med and porn.) How’d it happen? Eugene Kashpureff, then affiliated with the AlterNIC, had run a program to “poison” the caches of major nameservers around the world, making them believe that www.internic.net’s address was actually the address of the AlterNIC web server.
Kashpureff hadn’t made any attempt to disguise what he had done; the web site that users reached was plainly the AlterNIC’s, not the InterNIC’s. But imagine someone poisoning your nameserver’s cache to direct www.amazon.com or www.wellsfargo.com to his own web server, conveniently located well outside local law ...
Get DNS and BIND, 5th Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.