user1508072

Reputation: 171

Security of DNS answers

I have been searching for information regarding this topic but I found no direct answer. Is it possible for the following to happen:

PC 1:
- opens a UDP socket on port X
- sends a request to a DNS server to resolve a name

Meanwhile

a hacker captures the packet on the internet, and he himself answers the request with a wrong answer.

Can this happen? If not, what prevents this? Does DNS use SSL or another security mechanism? Do our operating systems use secure communications with DNS servers?

Thanks in advance

Upvotes: 2

Views: 162

Answers (2)

KFunk

Reputation: 3162

You could also use an HTTP web service that utilizes SSL to make sure that the answer hasn't been tampered with: curl https://api.openresolve.com/a/stackoverflow.com. Docs at https://www.openresolve.com

Upvotes: 0

Celada

Reputation: 22261

The scenario you present is perfectly possible. It's one of the reasons why DNSSEC was invented.

DNSSEC allows the resolver client to check a chain of cryptographic signatures from any DNS record all the way up the tree to a trust anchor (which is usually the DNS root).

Upvotes: 3
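The following is an added example, not code from either answerer or from any DNS project, showing the checks a plain (non-DNSSEC) stub resolver applies before accepting a UDP answer: the reply must come from the server that was asked, carry the same 16-bit transaction ID, have the QR bit set, repeat the question that was sent, and only contain records for the name that was asked about. All packets are constructed inline with documentation addresses (192.0.2.0/24, 198.51.100.0/24) and the `PendingQuery`, `build_query`, `build_answer` and `validate_answer` names are this example's own. The point it makes is the one in the question: an off-path attacker has to guess the ID and the client's port, but an attacker who can capture the query sees both, so these checks alone do not stop the scenario described, which is exactly the gap DNSSEC's signature chain closes.

```python
import secrets
import struct
from dataclasses import dataclass

# Constructed example: a minimal DNS wire-format builder plus the sanity
# checks a stub resolver performs on a UDP answer. Pure standard library.


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset_after_name)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


@dataclass
class PendingQuery:
    """State the client keeps for one outstanding query (assumed name)."""
    txid: int
    server: tuple  # (ip, port) the query was sent to
    name: str
    qtype: int


def build_query(name: str, qtype: int = 1):
    """Build an A query with a random transaction ID; return (txid, packet)."""
    txid = secrets.randbelow(65536)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set
    return txid, header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_answer(txid: int, name: str, ip: str, qtype: int = 1) -> bytes:
    """Build a one-record A response (used here to construct test packets)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return header + question + rr


def validate_answer(pending: PendingQuery, src: tuple, response: bytes):
    """Return (True, [ips]) if the answer is acceptable, else (False, reason)."""
    if src != pending.server:
        return False, "source address/port does not match the server we asked"
    if len(response) < 12:
        return False, "truncated header"
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != pending.txid:
        return False, "transaction id mismatch"
    if not flags & 0x8000:
        return False, "not a response"
    if qd != 1:
        return False, "unexpected question count"
    want = pending.name.rstrip(".").lower() + "."
    qname, off = decode_name(response, 12)
    qtype, qclass = struct.unpack("!HH", response[off:off + 4])
    if (qname.lower(), qtype, qclass) != (want, pending.qtype, 1):
        return False, "question section does not match"
    off += 4
    ips = []
    for _ in range(an):
        owner, off = decode_name(response, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        rdata, off = response[off:off + rdlen], off + rdlen
        # Simplification: a real resolver also follows CNAME chains; here any
        # record for a name other than the one asked about is rejected.
        if owner.lower() != want:
            return False, "answer record for a name we did not ask about"
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
    return True, ips


if __name__ == "__main__":
    server = ("192.0.2.53", 53)  # constructed: documentation address
    txid, _query = build_query("example.com.")
    pending = PendingQuery(txid, server, "example.com.", 1)
    print(validate_answer(pending, server, build_answer(txid, "example.com.", "192.0.2.10")))
    print(validate_answer(pending, server, build_answer((txid + 1) & 0xFFFF, "example.com.", "198.51.100.99")))
```

Every rejection above corresponds to something a blind attacker must guess or forge correctly; someone who can read the original query packet, as in the question, gets all of it for free, which is why the answer recommends DNSSEC rather than relying on these checks.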
