donguitar at gmail.com
Fri Jun 6 01:35:11 CDT 2008
Brad Knowles wrote:
> While the rest of this discussion seems to have diverged somewhat, I
> wanted to get back to the original topic.
>
> IMO, OpenDNS is dangerous. Any Caching Open Recursive Nameserver (CORN)
> is dangerous, and not just for the reasons laid out at
>
> CORNs are also dangerous because the party who controls your selected
> caching nameserver can choose to go do the VeriSign SiteFinder thing,
> just like TWC is now doing, and then you're screwed.
>
> CORNs are also dangerous because there are a number of vulnerabilities
> in most nameservers, and CORNs frequently allow attackers to easily
> insert whatever data they want into your nameserver, and your nameserver
> will actually believe that it's real -- like re-directing your web
> traffic over to a machine that the Russian Business League operates, so
> that they can capture all your traffic to BankOfAmerica.com.
>
> This is called "Spear Phishing", and it is amazingly successful. The
> bigger the community of users potentially affected, the more attractive
> the target.
>
> There are other security vulnerabilities, but this should be enough.
>
> You need to run your own caching recursive nameserver, and make sure
> it's secure against external parties being able to use it. They may
> still try to attack it, and their attacks may or may not be successful,
> but at least you've got more control over your own fate and you can help
> ensure that your systems are as secure as they can reasonably be.

Brad, you've said this before but I haven't enough technical acumen to
follow your argument.
I submit that Verizon is trying to feed me sponsored links on URL errors
but, as annoying as it is, I don't have to click on any of them. I can
(and do) merely hit my back button and try again. Am I correct in
assuming that you feel this minor annoyance is preferable to trusting
More information about the SATLUG