Hello, welcome to the Thursday, December 3, 2020 edition of the Sandsenet Stormsenders Stormcast.

My name is Johannes Ulrich, and the time I'm recording from Jacksonville, Florida.

To start out with today, we have a new paper looking at the prevalence of DNS spoofing.

Now, the paper was done by Lon Way and John

Heideman, and it's based on six years' worth of data. Now, one thing they found is that,

first of all, DNS spoofing is not very common. 1.7% of observations that they collected did indicate DNS spoofing,

but they also say it doubled over the six years in which they actually collected data.

Now, just to clarify, when they're talking about DNS spoofing, they're not necessarily talking

about sort of passively spoofing DNS responses, but for pretty much the most part, they're

talking about people playing machine in the middle, intercepting DNS requests, and then instead

of outright forwarding them to a legitimate

authoritative name server, these DNS resolvers will then alter the response.

You probably have seen things like this, for example, for captive portals, but also

sometimes ISPs use systems like this in order to, for example,

redirect users to internal search pages if they try to request a domain that does not exist.

So in this case, an annex domain response from a valid DNS server would be turned into a record that

points to that internal search page.

There are numerous motivations for doing things like this.

It could be as simple as trying to help out the user, but more likely there's some kind of financial gain here

in redirecting users to internal websites that of course then are monetized via advertisement

and user tracking.

The countermeasure that's being offered here is, of course, DNSSEC. However, you have to be a little bit careful here that you're not asking DNSSEC to do more than it really can do.

...