yitworths

Level 10
Verified
Today I tested some public DNS servers for their susceptibility to Kaminsky-style spoofing and got some interesting results. Now I would like to share those results with other members of MT and would like to get some analysis, comments or feedback. And if possible, please tell what DNS server you use and why?

The public DNS servers that underwent the test were: Google, Quad9, DNS.WATCH, Comodo Secure DNS, OpenDNS Home, Norton ConnectSafe, OpenNIC, FreeDNS, Alternate DNS, Yandex.DNS, Adguard DNS beta, UncensoredDNS, Cloudflare.

[Attached test results, one per server: Adguard DNS beta, Alternate DNS, Cloudflare, Comodo Secure DNS, DNS.WATCH, FreeDNS, Google Public DNS, Norton ConnectSafe, OpenDNS Home, OpenNIC, Quad9 DNS, UncensoredDNS, Yandex.DNS]

NulFunction

Level 2
Isn't the name of the Cloudflare DNS actually "1.1.1.1" instead? They are only loosely connected, as you can read on their website. (1.1.1.1 uses their servers in a symbiotic relationship.)
 

TairikuOkami

Level 23
Verified
Content Creator
Please tell what DNS server you use and why?
I use CleanBrowsing via port 8443 to block porn (some malware is hosted there); its second version can also block proxies.
I also use Yandex.DNS via port 15353 as a backup. Both support DNSSEC and both send encrypted DNS requests.
 


yitworths

Level 10
Verified
What about DNS over HTTPS? Can you please repeat the test with Simple DNSCrypt?
Doesn't matter. Even if I do use DNSCrypt, the results don't change. As far as I understand, DNSCrypt mitigates MITM attacks, and if I'm connecting directly to the server which will cause the cache-poisoning attack, DNSCrypt may not make any difference whatsoever.
 

yitworths

Level 10
Verified
Does disabling the DNS cache mitigate this whole thing?
That will slow down your internet. Your net will be slower than my dead grandma.

In general, if you use DNSCrypt you will be safe. But if you somehow connect to the server which is actually causing the attack, then your Internet traffic will be diverted to the fake/malicious servers unless your DNS uses certain techniques, one of which is randomness.

Somewhere I read that the Great Firewall of China also fell victim to DNS cache poisoning. Now whether that was an attack or not, I can't recall at this moment. DNS was never repaired; they just thwarted the susceptibility to DNS cache-poisoning attacks.
By the way, which DNS do you use?
 

Sunshine-boy

Level 27
Verified
I'm using Simple DNSCrypt with the vultr.com server (I already disabled the DNS cache), so is it bulletproof or not? :D
What about the browser itself? Shouldn't the browser block the fake website? Shouldn't the HTTPS Everywhere extension block the fake website and alert me?
 

TairikuOkami

Level 23
Verified
Content Creator
That will slow down your internet. Your net will be slower than my dead grandma.
Have you tried it? I have disabled the DNS cache for years and never had a problem. It might add a few ms, but it will increase security against some DNS attacks, like in this case DNS cache poisoning. When I click on a webpage, it usually opens within 2-3 secs, and I am using a slow DNS because it does a lot of filtering. The average response time for the fastest DNS without cache is ~41 ms. DNS cache is for slow connections.
 


yitworths

Level 10
Verified
I'm using Simple DNSCrypt with the vultr.com server (I already disabled the DNS cache), so is it bulletproof or not? :D
What about the browser itself? Shouldn't the browser block the fake website? Shouldn't the HTTPS Everywhere extension block the fake website and alert me?
Disabling the DNS cache will do the trick. And regarding the browser: I do pentests, or better to say I used to pentest. Generally, to check hotspot security, I used to do MITM with a fake DNS resolver and through that I used to load a webpage. Most browsers didn't identify the page as a threat or suspicious, except Yandex Browser, which identified the page as suspicious. Actually, most browsers rely upon the DNS query, so if you spoof DNS the browser won't detect any difference.

And regarding the HTTPS Everywhere extension, the answer is no. By the way, is there any such feature in that extension? It checks the cert as far as I know.

DNS is kind of a transaction ID for every website. Let's say, if tomorrow website X changes its IP to something else, then if you search for X you will get X only based upon a certain transaction ID. And now if I have that transaction ID, then I can make any website look like X and your browser won't find any difference. Loosely speaking, let's say your name is SB; we all know you by SB and we have a certain idea about you. Now if someone asks me about SB, whom will I refer to if I only know one SB? But that doesn't mean he/she is talking about you.
Every DNS query is something like that.
Do you know how insecure a Wi-Fi passphrase is? To crack a hotspot passphrase, I need just the handshake and enough resources to run a password generator. The bigger and more mixed the password, the safer it is. But that doesn't mean it is unhackable. The same goes for DNS: they didn't repair DNS, they just changed the query system, so the process (attack) which might take several seconds to minutes will now take several weeks to months. And if your DNS uses randomization it will be much more resistant against this kind of attack.
Hope it helps.
 

yitworths

Level 10
Verified
When I click on a webpage, it usually opens within 2-3 secs
Are you sure? After disabling the DNS cache, the webpage loads within 2 sec even with several filters? Man, there is something missing. If you disable the DNS cache it will increase latency, and I don't have to tell you what that will do.
Two kinds of caching happen: one is at client (local) level and another is at server (remote) level. I'm not sure whether disabling only client-level caching will mitigate this problem.
 

yitworths

Level 10
Verified
How can I find that?
That's tricky. Randomization is DNS-specific; that is, whoever designed it can tell you. Many DNS servers respond to different queries in the same or a predictable way. Those DNS servers may fall victim to this kind of attack too early. Allow me to make it clear that every DNS is vulnerable to this attack if you keep the DNS open to respond to those queries for a long time. Luckily, we don't do that by nature. Let's say I'm targeting you; I have to keep a connection to your DNS server for a long time. Now if your DNS responds in a certain pattern and it doesn't change, then I can continue the attack after disconnecting and reconnecting to your DNS and there won't be any loss on my part. But if your DNS responds differently every time, man, I would have to be immortal to spoof your DNS.

ESET firewall also has an option that detects DNS spoofing
Maybe. ESET is a reputable AV; they don't make garbage. But I can't ensure it will defend you against a DNS spoofing attack. DNS spoofing is much more complex than it may look. Have you ever seen a large-scale DNS cache-poisoning attack in recent news?
 
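Added example, not code from any post in this thread: a Python simulation of the off-path race that the "transaction ID" explanation and the "responds in a certain pattern" remark above are describing. The attacker never sees the resolver's outgoing query, so it has to guess the 16-bit transaction ID and the UDP source port; a resolver that reuses one source port leaves only 65,536 possibilities, while source-port randomization multiplies that by roughly 64k. The zone name victim.example, the attacker address 203.0.113.66, the fixed port 53, and the burst/window sizes are all constructed for the demo.

```python
"""Toy model of a Kaminsky-style cache-poisoning race.

The attacker is off-path: it cannot read the resolver's outbound query, so a
forged answer is accepted only if it carries the same 16-bit TXID and arrives
at the same UDP source port the resolver used.  Pre-2008 resolvers sent every
query from one fixed port, so only the TXID had to be guessed; the fix was to
randomise the source port too.  Kaminsky's trick is to bait the resolver with a
fresh, never-cached name every round (so it must query upstream each time) and
to put the poison in the NS/glue records of the forged answer, so one hit
hijacks the whole zone instead of a single host name.
"""
import random
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TXID_SPACE = 1 << 16                   # DNS message ID is 16 bits
EPHEMERAL_PORTS = range(1024, 65536)   # ports a randomising resolver picks from
ATTACKER_IP = "203.0.113.66"           # constructed (RFC 5737 documentation range)
FIXED_PORT = 53                        # constructed: port reused by a non-randomising resolver


@dataclass
class Resolver:
    """Only the part of a recursive resolver the attacker has to predict."""
    random_port: bool                  # False = one fixed source port for every query

    def send_query(self, rng: random.Random) -> Tuple[int, int]:
        """Return the (txid, source port) of a fresh outbound query."""
        txid = rng.randrange(TXID_SPACE)
        port = rng.randrange(EPHEMERAL_PORTS.start, EPHEMERAL_PORTS.stop) if self.random_port else FIXED_PORT
        return txid, port

    def search_space(self) -> int:
        """Number of (txid, port) pairs an off-path attacker must cover."""
        return TXID_SPACE * (len(EPHEMERAL_PORTS) if self.random_port else 1)


def expected_forgeries(resolver: Resolver) -> int:
    """Mean number of forged packets before one matches: each guess succeeds
    with probability 1/space, so the expectation is the size of the space."""
    return resolver.search_space()


def kaminsky_race(resolver: Resolver, burst: int, max_windows: int,
                  seed: int = 0) -> Optional[Tuple[int, Dict[str, str]]]:
    """Run the attack until a forgery is accepted or the attacker gives up.

    One window = one bait query.  The attacker asks the resolver for a random
    subdomain of the target zone (never cached, so the resolver must go
    upstream), then fires `burst` forged answers with guessed (txid, port)
    before the genuine answer arrives.  Returns (windows used, poisoned cache
    entries) on success, or None if max_windows elapse without a hit.
    """
    rng = random.Random(seed)
    for window in range(1, max_windows + 1):
        bait = f"{rng.getrandbits(32):08x}.victim.example"   # fresh name each round
        real_txid, real_port = resolver.send_query(rng)
        for _ in range(burst):
            guess_txid = rng.randrange(TXID_SPACE)
            # Against a fixed-port resolver the port is already known: the attacker
            # saw it when the resolver queried a nameserver the attacker controls.
            if resolver.random_port:
                guess_port = rng.randrange(EPHEMERAL_PORTS.start, EPHEMERAL_PORTS.stop)
            else:
                guess_port = FIXED_PORT
            if (guess_txid, guess_port) == (real_txid, real_port):
                # The answer for the bait name is irrelevant; the authority and
                # glue sections repoint the zone's nameserver at the attacker.
                poisoned = {
                    f"{bait} A": ATTACKER_IP,
                    "victim.example NS": "ns.victim.example",
                    "ns.victim.example A": ATTACKER_IP,
                }
                return window, poisoned
        # Genuine answer won this round; the resolver now caches the bait name,
        # which is exactly why the next round must use a different subdomain.
    return None


if __name__ == "__main__":
    for label, resolver in (("fixed port", Resolver(random_port=False)),
                            ("random port", Resolver(random_port=True))):
        print(f"{label}: ~{expected_forgeries(resolver):,} forgeries expected on average")
        result = kaminsky_race(resolver, burst=200, max_windows=5000, seed=7)
        if result:
            print(f"  poisoned after {result[0]} bait queries -> "
                  f"ns.victim.example = {result[1]['ns.victim.example A']}")
        else:
            print("  attacker gave up after 5000 bait queries (1,000,000 forgeries)")
```

With the same budget of one million forgeries the fixed-port resolver is poisoned after a few hundred bait queries, while the randomising one is not, which is the "seconds to minutes" versus "weeks to months" difference mentioned above. The model deliberately ignores timing (the genuine answer's arrival time bounds the burst) and the fact that a miss of a forged answer is visible to the upstream authoritative server. For a real resolver, the check that corresponds to `search_space()` here is DNS-OARC's port test, `dig +short porttest.dns-oarc.net TXT @<resolver>`, which rates the observed source-port spread as POOR, GOOD or GREAT; that is a live network query and is not part of this offline block.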