Jul 10, 2018 10:24 AM
– the aLTEr MiTM attack
These attacks are not limited to LTE networks. 5G networks may be vulnerable in the same way if they do not mandate integrity protection for user-plane traffic. aLTEr works because LTE encrypts user data in counter mode with no integrity check, so an on-path attacker can flip chosen bits in the ciphertext and change the destination of a DNS request without knowing the key.
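The following is an added example, not code from the original post or from the aLTEr authors. It shows why a missing integrity check matters: a DNS query packet is encrypted with a stream cipher, an attacker who never sees the key XORs the difference between the real resolver address and its own address (plus the recomputed IPv4 header checksum) into the ciphertext, and the decrypted packet now goes to the attacker. With an integrity tag the same modification is detected and the packet dropped. Everything here is constructed: the addresses are from the RFC 5737 documentation ranges, the SHA-256 counter-mode keystream stands in for LTE's AES-CTR, the HMAC stands in for user-plane integrity protection, and the demo assumes the attacker knows the original plaintext header bytes it overwrites.

```python
import hashlib
import hmac
import struct

# Constructed addresses from the RFC 5737 documentation ranges; none is a real host.
UE_IP = "192.0.2.10"           # the phone (assumed)
RESOLVER_IP = "198.51.100.53"  # the operator's DNS resolver (assumed)
ATTACKER_IP = "203.0.113.66"   # resolver under the attacker's control (assumed)

CSUM_OFF = 10  # offset of the header checksum in an IPv4 header
DST_OFF = 16   # offset of the destination address


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def ipv4_checksum(header):
    """RFC 791: one's complement of the one's complement sum of the 16-bit words.
    Over a header that already carries a correct checksum the result is 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len):
    """Minimal 20-byte IPv4 header for a UDP datagram (protocol 17), no options."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      64, 17, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:CSUM_OFF] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[CSUM_OFF + 2:]


def keystream(key, nonce, length):
    """Toy counter-mode keystream from SHA-256, standing in for LTE's AES-CTR (EEA2).
    The property shown (a ciphertext bit flip becomes the same plaintext bit flip)
    holds for any stream cipher, including the real one."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack("!I", counter)).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, nonce, data):
    return xor_bytes(data, keystream(key, nonce, len(data)))


decrypt = encrypt  # XOR with the same keystream undoes itself


def integrity_tag(mac_key, data):
    """Stand-in for user-plane integrity protection, which LTE's user plane lacks."""
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def alter_redirect(ciphertext, original_header, new_dst):
    """The attacker's step, done without the encryption key: build the header it wants
    (new destination, recomputed checksum) and XOR its difference from the original
    header into the ciphertext. Demo assumption: the attacker knows the original
    plaintext header bytes it overwrites (the resolver address is public; the original
    checksum is simply assumed known here)."""
    wanted = bytearray(original_header)
    wanted[DST_OFF:DST_OFF + 4] = ip_to_bytes(new_dst)
    wanted[CSUM_OFF:CSUM_OFF + 2] = b"\x00\x00"
    wanted[CSUM_OFF:CSUM_OFF + 2] = struct.pack("!H", ipv4_checksum(bytes(wanted)))
    mask = xor_bytes(original_header, bytes(wanted))  # non-zero only at dst + checksum
    return xor_bytes(ciphertext[:len(mask)], mask) + ciphertext[len(mask):]


def run_scenario(with_integrity):
    """Encrypt a DNS query packet, let the attacker flip bits, then process it as the
    network would. Returns whether it was accepted and where the query actually went."""
    enc_key = hashlib.sha256(b"constructed session key").digest()
    mac_key = hashlib.sha256(b"constructed integrity key").digest()
    nonce = b"\x00" * 8
    payload = b"\x00" * 8 + b"constructed DNS query bytes"  # UDP header + query; contents irrelevant
    header = build_ipv4_header(UE_IP, RESOLVER_IP, len(payload))
    packet = header + payload

    ct = encrypt(enc_key, nonce, packet)
    tag = integrity_tag(mac_key, ct) if with_integrity else None

    ct = alter_redirect(ct, header, ATTACKER_IP)  # on-path attacker

    if tag is not None and not hmac.compare_digest(tag, integrity_tag(mac_key, ct)):
        return {"delivered": False, "dst": None, "checksum_ok": None}
    pt = decrypt(enc_key, nonce, ct)
    hdr = pt[:20]
    return {"delivered": True,
            "dst": bytes_to_ip(hdr[DST_OFF:DST_OFF + 4]),
            "checksum_ok": ipv4_checksum(hdr) == 0}


if __name__ == "__main__":
    print("no integrity:  ", run_scenario(False))  # query silently rerouted to ATTACKER_IP
    print("with integrity:", run_scenario(True))   # modification detected, packet dropped
```

The point to take from the two runs is that confidentiality alone does nothing against this: the attacker never learns the query, yet steers it to a resolver it controls with a valid-looking header. An integrity tag computed over the ciphertext (or an AEAD mode) is what turns the bit flip into a dropped packet.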
Protecting against these types of attacks?
DNS is foundational to how the internet works: before an app connects to its service, before a web browser connects to a web site, before an email is sent, a DNS lookup is performed. Traditional DNS (plaintext over UDP port 53) was designed for speed, not for confidentiality or integrity.
DNS spoofing of this kind can be blocked by securing DNS itself: encrypting and authenticating the connection to the resolver and applying sensible policies for name resolution. RFC 7858 specifies DNS over Transport Layer Security (TLS) and RFC 8094 specifies DNS over Datagram TLS (DTLS); RFC 8310 defines the usage profiles for both. The profile matters: only the strict profile, in which the client authenticates the resolver against a configured name and refuses to fall back to plaintext, stops a redirection like aLTEr. An opportunistic client will connect to whatever resolver the network steers it to and will fall back to cleartext DNS if that resolver does not speak TLS.
DNS over TLS or DTLS protects devices from the aLTEr attack because the DNS traffic is encrypted with integrity protection, and a redirected connection fails to authenticate. Google added DNS over TLS to Android P (the "Private DNS" setting, released as Android 9), not to the Oreo release as some articles claimed. Its default "automatic" mode is opportunistic: it only helps when the resolvers the device is handed speak DNS over TLS, and those resolvers are assigned by the network the device is connected to; a resolver hostname has to be configured to get strict authentication. Cloudflare's 1.1.1.1 resolver already offers DNS over HTTPS (and DNS over TLS), but not many clients are able to use it just yet.
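Below is an added example of a strict-profile DNS over TLS stub client, written for this page and not taken from the original post, Android, or any resolver vendor. It uses only the Python standard library: it frames a DNS query the way RFC 7858 requires (TCP port 853, two-byte length prefix), opens a TLS session whose certificate must be valid for the configured resolver name, and parses the A records out of the reply. The resolver address and name in the usage comment (1.1.1.1 / cloudflare-dns.com) are Cloudflare's published DoT endpoint; the response used for the offline check is hand-built and the address in it is from the RFC 5737 documentation range.

```python
import random
import socket
import ssl
import struct

DOT_PORT = 853  # RFC 7858


def build_query(name, qtype=1, txid=None):
    """Minimal DNS query (RFC 1035): 12-byte header with RD set, one question, no EDNS."""
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_for_tcp(msg):
    """DoT reuses DNS-over-TCP framing: two-byte big-endian length, then the message."""
    return struct.pack("!H", len(msg)) + msg


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def read_framed(sock):
    (length,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, length)


def skip_name(msg, off):
    """Advance past a (possibly compressed) domain name; return the next offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return off + 2
        off += 1 + length


def parse_a_records(msg, expected_txid):
    """Return the IPv4 addresses in the answer section after checking the transaction
    id and RCODE. Raises ValueError on a mismatch or an error response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


def resolve_strict(resolver_ip, auth_name, qname, timeout=5.0):
    """Strict usage profile (RFC 8310): TLS to port 853, the certificate must chain to a
    trusted CA and be valid for auth_name, and there is no fallback to plaintext. If an
    on-path attacker reroutes the connection to its own resolver, wrap_socket raises
    ssl.SSLCertVerificationError instead of handing that resolver the query."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    # An opportunistic client would set ctx.check_hostname = False and
    # ctx.verify_mode = ssl.CERT_NONE; that is exactly what a redirection attack needs.
    query = build_query(qname)
    (txid,) = struct.unpack("!H", query[:2])
    with socket.create_connection((resolver_ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame_for_tcp(query))
            response = read_framed(tls)
    return parse_a_records(response, txid)


def constructed_response(txid, answer_ip="203.0.113.10"):
    """Hand-built, valid response to build_query("example.com") for offline checks;
    the address is from the RFC 5737 documentation range, not a real lookup."""
    question = build_query("example.com", txid=txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set, RCODE 0
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
              + bytes(int(o) for o in answer_ip.split(".")))
    return header + question + answer


if __name__ == "__main__":
    # Offline self-check against the constructed response.
    print(parse_a_records(constructed_response(0x1234), 0x1234))
    # Live use (network required), against Cloudflare's published DoT endpoint:
    # print(resolve_strict("1.1.1.1", "cloudflare-dns.com", "example.com"))
```

The security-relevant line is `ssl.create_default_context()` together with `server_hostname=auth_name`: the client decides in advance which resolver it trusts and checks the presented certificate against that name, so being steered to a different IP address is a hard failure rather than a silent downgrade. Dropping either check is what turns a strict client into an opportunistic one.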
Since this is my blog, I guess I'm entitled to share my opinion. From the testing results that I have seen, DNS over TLS has a bit too much overhead and is lacking the performance required by DNS. This is why DNS over DTLS makes a little more sense to me. We saw this with "SSL VPN" (which is a misnomer; it's actually a TLS VPN) and time-sensitive traffic for voice over IP. Moving the VPN to DTLS instead of TLS increased the performance and made VoIP with VPN truly achievable.
Another possible solution is DNS over HTTPS, which interests a lot of people, including those with malicious intentions: the app itself (most likely a Tor client or a browser) sends its DNS requests directly to a resolver inside an HTTPS connection, bypassing the network-assigned resolver entirely. This is mostly theoretical at this juncture, as not many services offer DNS over HTTPS. Google Public DNS supports it, as does Cloudflare's resolver, but not many (if any) clients or apps are built to use the service yet. Additionally, since HTTPS runs over TLS, this adds the overhead of the TLS session as well.
DNSCrypt and the Cisco Security Connector for iOS
There is another, older option that has been deployed successfully for some time already: DNSCrypt. Cisco Umbrella (formerly OpenDNS) has been using DNSCrypt to secure DNS for many years.
Along these ...