
Routing and DNS Security Ignored By ISPs

Posted by Unknown Lamer
from the netblock-hijackers dept.
Bismillah (993337) writes "The re-routing of Google's public DNS servers last weekend was yet another example of how easy it is to 'steal the Internet' by abusing today's trust-based networks. Problem is, ISPs don't seem to care about that, or securing DNS which is another attack vector that doesn't require compromising end users' systems. Why isn't more done to secure routing and DNS then?" The route announcement was likely unintentional. The chief scientist at APNIC noted that implementing RPKI would solve the problem, but far too few ISPs bother with it.

  • by tlambert (566799) on Wednesday March 19, 2014 @02:42PM (#46526259)

    Why the hell would they want Google DNS to work?

    They intermediate DNS all the time, in order to do proxy caching, and to prevent you going to high bandwidth sites without a lot of difficulty, or to land you on a page when you hit a nonexistent domain because of a typo, and they try to sell it to you.

    One wireless carrier, on their WiFi hotspot-only options, used to move you off their 4G network and onto their 3G by having intentional "DNS outages" that pointing to Google's DNS worked around. 3G had a data cap for which they got paid, 4G was no data cap, so the benefit to them for you using the DHCP assigned DNS was enormous: large amounts of data charges.

    Even if they aren't screwing with the results for their own reasons, you hitting Google for all your DNS lookups means that they can't cache DNS responses, which means that they have to support more DNS traffic out and responses in on their network than they otherwise would need to.

    None of these are beneficial to their bottom line.

  • by RR (64484) on Wednesday March 19, 2014 @03:45PM (#46526933)

    I see this attitude all the time with managers. It's like a mantra:

    If it's not broke, don't fix it.

    It's blocking IPv6, it's blocking DNSSEC, it's blocking RPKI, it's blocking Windows XP retirements. There are a lot of improvements that are stymied because change is considered more scary than just living with the problem.

    But it is broke. Computers are hugely complex and buggy. We need the upgrade treadmill just to stay ahead of threats to our computing. Computers are incredibly malleable, and collectively we need major changes. I would be seriously depressed if our current state became the pinnacle of computing.
