top | item 40883096


cangeroo | 1 year ago

Could DNS responses have been hijacked as well?

Edit: Could this have been used to hijack/create TLS certificates?


georgyo | 1 year ago

Yes, unless you have some sort of protection.

Protection could be validating DNSSEC (most likely not)

Or using DoH (DNS over HTTPS) or DoT (DNS over TLS)

terom | 1 year ago

I don't think DNSSEC would help in the common case of non-validating stub resolvers querying a public resolver. My understanding is that the DNS query response from a DNSSEC-validating public recursive resolver doesn't contain the information required for the stub client to validate it, only a single AD bit.
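To see what a non-validating stub actually receives, here is an added example (not from the thread) that builds a constructed, offline DNS reply with the AD flag set and inspects it: the stub gets a single header bit and no RRSIG records, so it has nothing to verify locally.

```python
import struct

QTYPE_A, QTYPE_RRSIG = 1, 46
AD_FLAG = 0x0020  # "Authenticated Data" bit in the DNS header flags

def build_response(name, addr, ad=True):
    """Build a minimal DNS response (wire format): one A record, no RRSIG.
    Constructed sample data only; nothing is sent on the network."""
    flags = 0x8180 | (AD_FLAG if ad else 0)          # QR=1, RD=1, RA=1, AD as requested
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", QTYPE_A, 1)   # class IN
    rdata = bytes(int(o) for o in addr.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + rdata
    return header + question + answer

def skip_name(msg, off):
    """Advance past a (possibly compressed) domain name; return new offset."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # compression pointer, 2 bytes
            return off + 2
        off += 1 + ln

def inspect_response(msg):
    """Report the AD flag and the record types present in the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return {"ad": bool(flags & AD_FLAG), "has_rrsig": QTYPE_RRSIG in types,
            "answer_types": types}

def locally_verifiable(msg):
    """True only if the reply carries signatures the stub could check itself.
    An AD=1 reply without RRSIGs is just the resolver's word, set by whoever
    answered on that path."""
    return inspect_response(msg)["has_rrsig"]
```

Run it on `build_response("example.com", "192.0.2.1")`: the AD bit reads as set, yet `locally_verifiable` is False because only an A record came back.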

kevindamm | 1 year ago

Depends, do you have DNSSEC enabled?

tptacek | 1 year ago

DNSSEC doesn't help here. It doesn't run between stub resolvers and recursers like 1.1.1.1.

mort96 | 1 year ago

Probably not. I can't remember the last time I looked at 'resolvectl' output and saw anything other than "DNSSEC: no" on any system, so I assume it mostly just doesn't exist in practice.

nightpool | 1 year ago

More practically: do you have DoH enabled? If you're using Chrome, the answer is probably yes.