Hacker News

How would you MITM their connection to the DNS servers, though?

You don't need to MITM, if you can predict the request and get your spoofed response in faster than the real server.

If the server randomizes both the Query-ID and source port, the attacker has less than 1/100000000 chance of sending a valid reply: http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html#fi...

An attacker can send more than one packet, and likely make multiple attempts to 'verify' the domain under attack. If the attack window is 1 second, and an attacker can source 1 million (spoofed) packets per second, and the server is using the full space for source port and query ids, and there's a single resolver, the attacker can get a cert fraudulently issued about 1 out of 4000 times.
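The arithmetic in the two comments above, as an added example that is not part of the thread: a Python model of an off-path attacker racing a resolver, with the per-query success probability computed analytically and then checked by simulation. The resolver is a stub that only tracks the transaction ID and source port of one outstanding query; the full 16-bit port space is assumed (real ephemeral ranges are narrower, so this overstates the port entropy), bailiwick and question-section checks are omitted, and only one query is in flight at a time. All names are the example's own, not any resolver's API.

```python
import math
import random
import struct

ID_BITS = 16    # DNS transaction ID is a 16-bit header field (RFC 1035 section 4.1.1)
PORT_BITS = 16  # UDP source port is 16 bits; real stacks use a narrower ephemeral range,
                # so this overstates the entropy a resolver actually gets from the port


def spoof_probability(packets_per_second, window_seconds, entropy_bits):
    """Chance that at least one blindly spoofed reply matches one outstanding
    query whose unpredictable fields (ID, ID+port, ...) carry entropy_bits bits.
    Assumes every guess is an independent uniform draw and only one query is
    outstanding (no birthday-style gain from many concurrent queries)."""
    guesses = packets_per_second * window_seconds
    space = 2 ** entropy_bits
    # 1 - (1 - 1/space) ** guesses, evaluated without cancellation for tiny 1/space
    return -math.expm1(guesses * math.log1p(-1.0 / space))


def expected_attempts(p):
    """Number of 'verify this domain' lookups the attacker must trigger
    before one spoofed answer is expected to land."""
    return 1.0 / p


def dns_header(txid, flags):
    """Minimal 12-byte DNS header: one question, no answer records."""
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


class Resolver:
    """Stub of the only part of a resolver that matters here: it remembers the
    transaction ID and source port of its one outstanding query and accepts a
    reply only if the destination port and ID both match and QR=1.
    (Bailiwick and question-section checks, which a real resolver also does,
    are omitted; they do not change the guessing arithmetic.)"""
    FIXED_PORT = 53  # a fixed, predictable source port (the pre-port-randomization case)

    def __init__(self, randomize_port, rng):
        self.randomize_port = randomize_port
        self.rng = rng
        self.txid = self.sport = None

    def send_query(self):
        self.txid = self.rng.getrandbits(ID_BITS)
        self.sport = self.rng.getrandbits(PORT_BITS) if self.randomize_port else self.FIXED_PORT

    def accept(self, dst_port, packet):
        if dst_port != self.sport:
            return False            # the kernel never hands it to the resolver socket
        txid, flags = struct.unpack("!HH", packet[:4])
        return txid == self.txid and bool(flags & 0x8000)


def blind_spoof(resolver, guesses, rng):
    """Off-path attacker: never sees the query, fires `guesses` forged replies.
    Guesses the port only when the resolver randomizes it; otherwise aims at
    the known fixed port. Returns True if any forgery is accepted."""
    resolver.send_query()
    for _ in range(guesses):
        port = rng.getrandbits(PORT_BITS) if resolver.randomize_port else Resolver.FIXED_PORT
        forged = dns_header(rng.getrandbits(ID_BITS), 0x8180)  # QR=1, RD, RA, NOERROR
        if resolver.accept(port, forged):
            return True
    return False


def poison_rate(randomize_port, trials, guesses_per_trial, seed=7):
    """Fraction of trials in which the blind attacker got a forgery accepted.
    Seeded for reproducibility; a real resolver would draw from os.urandom/secrets."""
    rng = random.Random(seed)
    wins = sum(blind_spoof(Resolver(randomize_port, rng), guesses_per_trial, rng)
               for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    p = spoof_probability(1_000_000, 1, ID_BITS + PORT_BITS)
    print(f"ID+port, 1M pkt/s, 1 s window: p={p:.3e}, ~1 in {expected_attempts(p):.0f} attempts")
    p = spoof_probability(1_000_000, 1, ID_BITS)
    print(f"ID only, same attacker:          p={p:.6f}")
    print("simulated hit rate, 5000 forgeries per query:")
    print("  ID only :", poison_rate(False, 200, 5000))
    print("  ID+port :", poison_rate(True, 200, 5000))
```

With the comment's numbers (1M spoofed packets in a 1 s window, 32 bits of ID+port entropy) the analytic form gives roughly 1 in 4300 per validation attempt, which is the "about 1 in 4000" figure above; with the port fixed, the same attacker exhausts the 16-bit ID space in the first 65536 packets and wins essentially every time. The simulation uses far fewer forgeries per query so it runs in seconds, but shows the same gap: a few percent of queries poisoned with ID-only randomization, none with ID+port.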

DNSSEC makes that much harder, so it's nice that their resolvers are using it.
