What's new
By:

DNS Choice?

coxhaus said:
If the DNS record is changed encryption is not going to help.

I sticking with QUAD9 for now.
Click to expand...
DNSSEC is not about encryption, it's about crypto signing of records.

Sent from my P027 using Tapatalk
 
RMerlin said:
DNSSEC is not about encryption, it's about crypto signing of records.

Sent from my P027 using Tapatalk
Click to expand...

OK. It is about the same thing to stop man in the middle attacks so only point a and point b have the keys. What is happening is the DNS records are being changed maybe only on 1 server so keying or encrypting is not going to help a false DNS record. Once your PC hits the bad guys site he can do a lot. The DNS records get changed back but during that time period you are wide open. They can also steal valid encryption certificates for an organization's domain names. Probably not what we worry about on this site. This is all bad.
 
coxhaus said:
They can also steal valid encryption certificates for an organization's domain names.
Click to expand...

I don't think you understand how DNSSEC works - I recommend reading up on it. Again, you are mixing up technologies like DoT/DoH, and DNSSEC. The signing keys are stored on root servers, not on your computer or your upstream server. The chances of these servers getting compromised are slim to none.
 
RMerlin said:
I don't think you understand how DNSSEC works - I recommend reading up on it. Again, you are mixing up technologies like DoT/DoH, and DNSSEC. The signing keys are stored on root servers, not on your computer or your upstream server. The chances of these servers getting compromised are slim to none.
Click to expand...

Thanks. I will read up on DNSEC. But if you read about Sea turtle I think they are changing root servers.

"Targets that fall into the secondary victim category include numerous DNS registrars, telecommunication companies, and internet service providers."

How many root servers are there around the world? I assume a lot. I assume they fix it by majority rules.
 
coxhaus said:
How many root servers are there around the world?
Click to expand...

13.

I don't remember however if the keys are on the actual root servers, or on the TLD root servers.
 
sfx2000 said:
Keys are part of the domain record - for "example.org", the keys are there...
Click to expand...

But there are higher levels signing keys in there, that's why the TLD also needs to be signed for DNSSEC to work at the domain level, to provide a complete chain of trust. And at the highest level you have the two official root anchors.
 
You must log in or register to reply here.

Similar threads

BooBox
Solved Can't unblock Reddit
Replies
17
Views
2K
BooBox
BooBox
Z
Asus RT-BE86u Set up with different DNS per SSID
Replies
2
Views
1K
Zaka7
Z
P
Threat protection / DNS filtering / Router security (on home network)
Replies
1
Views
2K
Tech9
Tech9
Z
Asus ROG Rapture BE98 vs 98 Pro?
Replies
2
Views
2K
jzchen
J
consorts
Solved ax88u-pro: need adaptive qos advice for 5 adults on a 300/300 isp
Replies
17
Views
2K
consorts
consorts
Similar threads
Thread starter Title Forum Replies Date
Twiglets News BASE64 Over DNS ... RFC 1035 appears to be ignored. [From SANS article] General Network Security 0
RMerlin [Youtube] Video from Dave Plummer on online privacy, mainly DNS General Network Security 15
B DNS Providers - Who to trust? General Network Security 36
A Solved [solved] dnscrypt/merlin - sometimes slow dns for cdn domains? General Network Security 0
P DNS config with VPN General Network Security 14

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 1,962 (members: 13, guests: 1,949)
Back
Top