tdsan1 • 4 years ago

John,

Great article. I wanted to post a question: why don't we utilize IPv6 as part of the DNS solution, where we can tie the responses to the DNS providers? This would not only enhance the communication stream, but we could also start utilizing the inherent AES256 ESP/AH IPsec capabilities that are pre-built into the protocol.

I am not sure why we are hesitant to move to IPv6 or at least most of it, this would help address some if not most of the DNS issues due to the controls and counter-measures built into the protocol.

Reference (Sophos):
IPv6 security benefits

IPv6 can run end-to-end encryption. While this technology was retrofitted into IPv4, it remains an optional extra that isn’t universally used. The encryption and integrity-checking used in current VPNs is a standard component in IPv6, available for all connections and supported by all compatible devices and systems. Widespread adoption of IPv6 will therefore make man-in-the-middle attacks significantly more difficult.

IPv6 also supports more-secure name resolution. The Secure Neighbor Discovery (SEND) protocol is capable of enabling cryptographic confirmation that a host is who it claims to be at connection time. This renders Address Resolution Protocol (ARP) poisoning and other naming-based attacks more difficult. And while not a replacement for application- or service-layer verification, it still offers an improved level of trust in connections. With IPv4 it’s fairly easy for an attacker to redirect traffic between two legitimate hosts and manipulate the conversation or at least observe it. IPv6 makes this very hard.

Reference - https://www.sophos.com/en-u...

Todd
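The "cryptographic confirmation that a host is who it claims to be" in the Sophos excerpt above comes from SEND's use of Cryptographically Generated Addresses (RFC 3972): the interface identifier is derived from a hash of the node's public key, so a peer can check that the address and the key belong together. The simplified generate/verify pair below is an added illustration and not code from the original article or the comment; the public key is stand-in sample bytes rather than a real DER-encoded key, and the ND message signature that SEND also requires is omitted.

```python
import hashlib
import os

# Simplified CGA (RFC 3972) generation and verification as used by SEND.
# `pubkey` is whatever bytes stand in for the DER-encoded public key
# (constructed sample bytes in this example); `prefix` is the 64-bit subnet prefix.


def _hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    # Hash2 = SHA-1(modifier | 9 zero octets | pubkey); leftmost 16*sec bits must be zero.
    h2 = hashlib.sha1(modifier + bytes(9) + pubkey).digest()
    return sec == 0 or h2[: 2 * sec] == bytes(2 * sec)


def _interface_id(modifier: bytes, prefix: bytes, collision: int, pubkey: bytes, sec: int) -> bytes:
    # Hash1 = leftmost 64 bits of SHA-1(modifier | subnet prefix | collision count | pubkey).
    iid = bytearray(hashlib.sha1(modifier + prefix + bytes([collision]) + pubkey).digest()[:8])
    # The top three bits carry Sec; bits 6 and 7 (the "u" and "g" bits) are cleared.
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    return bytes(iid)


def cga_generate(prefix: bytes, pubkey: bytes, sec: int = 0, collision: int = 0):
    """Return (address, params); params are what the node advertises so peers can verify."""
    assert len(prefix) == 8 and 0 <= sec <= 7 and collision in (0, 1, 2)
    modifier = os.urandom(16)
    while not _hash2_ok(modifier, pubkey, sec):  # search for a modifier meeting the Sec work factor
        modifier = ((int.from_bytes(modifier, "big") + 1) % (1 << 128)).to_bytes(16, "big")
    params = {"modifier": modifier, "prefix": prefix, "collision": collision,
              "pubkey": pubkey, "sec": sec}
    return prefix + _interface_id(modifier, prefix, collision, pubkey, sec), params


def cga_verify(address: bytes, params: dict) -> bool:
    """A peer recomputes the address from the advertised parameters; any mismatch fails."""
    if len(address) != 16 or params["collision"] not in (0, 1, 2):
        return False
    if address[:8] != params["prefix"]:
        return False
    if not _hash2_ok(params["modifier"], params["pubkey"], params["sec"]):
        return False
    expected = _interface_id(params["modifier"], params["prefix"], params["collision"],
                             params["pubkey"], params["sec"])
    return address[8:] == expected
```

A node that cannot present the key (and, in full SEND, a valid signature) matching an address fails verification, which is what makes spoofing a neighbour's address in Neighbor Discovery far harder than ARP spoofing.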