Good reason to uses HOSTS file?

According to THIS article and others like it, DNS poisoning (a.k.a. pharming) is becoming rather more of a threat nowadays.

For example, I might want to do some online banking, so I browse to (hypothetical url] mybank.com. Unbeknownst to me, the DNS that provides the IP for mybank.com is poisoned, so it sends me to a web page that looks like mybank's but instead is a black hat's site. Thus, when I enter my private information, I am giving it to a black hat -- NOT my bank.

As to preventing such a nasty event, one method I have read about was to use my HOSTS file. That is, I add a HOSTS file entry for mybank.com that links mybank to their true IP. That way, when I seek to access mybank.com, HOSTS will do the dns job, and there will be no possibility of DNS poisoning.

I know of just one possible disadvantage -- namely, IPs sometimes get changed. Other than that, use of HOSTS seems like it might be a good way to avoid DNS poisoning for key/private transactions.

I request comments as to...

1- Your views on the "HOSTS solution to DNS poisoning"
AND/OR
2- Other equally good (or better) solutions.

 

Since the current vulnerability is widespread, it's probably best to address the DNS issue itself
and insure that your ISP's DNS Servers have been patched.

You can check here:

https://www.dns-oarc.net/oarc/services/dnsentropy

Until they are patched, an alternative solution is to use the OpenDNS servers.

References

DNS bug - observations
http://isc.sans.org/diary.html?storyid=4780

World's biggest ISPs drag feet on critical DNS patch
http://www.theregister.co.uk/2008/07/25/isps_slow_to_patch/

OpenDNS
http://www.opendns.com/how/dns/turning-names-into-numbers

 

I'm in a similar boat. I keep thinking that the best overall answer is getting behind a good set of DNS servers that's patched against the exploit that MS recently patched. Many websites use virtual hosting which translates to one IP address hosting several sites. IMO, a HOSTS file won't handle that very well (if at all.)

Also, it seems that most security certificates are based on domain names, not IP addresses. So, if you go to a site based on it's IP address (in order to avoid the DNS problem), your PC can't make the proper handshake for security. Which to me seems very counterproductive...

 

I agree that alternative DNS servers would provide the greater protection. HOST files change far too often and are still subject to attack themselves. One thing I would advise if you are so inclined, is to set up the optional free account that comes with OpenDNS so that you have access to the Dashboard. This allows you to set blocks for certain types of attacks and types of websites like known phishing sites and malware-infested ones, among other types. Just a suggestion though, I myself just pointed my system to their servers without making an account since I don't want any blocked websites and have protection (web-scanning AV and such) against malware/phishing.

 

@Rmus- Grrrreat links! I've used OpenDNS for quite a long while. It tests "Great" with the link you provided.

@All- Thanks to all. I am learning a lot from this thread.

 

Not quite. What you mentioned is true when entering a site's IP address directly in to the web browser, but not when using a HOSTS file entry.

The only main difference is where the domain name's IP address is resolved from. If there's a HOSTS entry for the domain, the IP is resolved locally from the hosts file rather than remotely via DNS servers (which may potentially be poisoned). Other than that, everything will be operational as long as the HOSTS entry is correct.

 

Hello,
Actually, you cannot use name-based virtualhosts for security, because the authentication takes places before name translation ... so in this case ip would work - and I won't repeat my mantra about hosts file.
Mrk

 

I want to make sure I understand this correctly... A security certificate cannot be assigned to a virtual hosted site? It's required for the certifcate to be tied to a specific IP address?

 

Hello,
Yes it can, but IP based.
IP's can be virtual though virtual devices like eth0:0 eth0:1 etc, a neat trick.
Mrk

 

eth0:0 eth0:1 etc?? Aren't those unique to linux?

 

Hello,
Don't know about Windows, but if you run a web server and you want virtual network adapters, the chances are you'll run Apache on a *nix platform.
Mrk

 

"I see," said the blind man. 10Q Mrk-san

 

Acknowledged, bellgamin-hoahanau
Mrk

 

Another good site for checking whether your DNS server is secure is located in the top of the right-side column at the website of Dan Kaminsky, one of the discoverers of the DNS poisoning flaw. Dan's blog at that same link gives a LOT of good background info & suggestions.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here is a comparison between using a shortcut to (e.g.) mybank.com versus using HOSTS (which I quote from another forum)...

To check a site's certificate when using Firefox browser>>> Right-click on a blank section of the web page then click "Page Info" -- that will give security info about the page you are viewing. See screenies below.

 

Can anyone advise me in what I can do when I receive these messages whilst checking DNS server vulnerabilities:

This one:

Your name server, at 194.109.xxx.xxxxx, appears to be safe, but
make sure the ports listed below aren't following an obvious
pattern 1001, :1002, :1003, or :30000, :30020,
:30100...).Requests seen for a3d7e4e1a9fc.toorrr.com:
194.109.21.251:57926 TXID=20325
194.109.21.251:61320 TXID=48354
194.109.21.251:52602 TXID=45692
194.109.21.251:55552 TXID=34849
194.109.21.147:4177 TXID=59681

Or this one?:

Your name server at 194.x.x.x, may be safe, but the
NAT/Firewall in front of it appears to be interfering with
its port selection policy. The difference between largest
port and smallest port was only 24.

 

I recommend that you start a new topic under the Other Firewalls category, and ask your questions there. That topical category is most often visited by folks with the know-how to answer your questions.

For clarity, I suggest you include the link to the site with the DNS checker.

 

Thanks Bellgamin. I started a new topic in the Other Firewalls category.

 

Hello,
What's so special about august 7th?
Mrk

 

@OP Bellgamin
I rememberered somewhere where BOC had done interesting things re my host file when I had it configed a certain way

KMcA made this post at the time which has his "flavour" present

Thought you might be interested in his view, not sure how it pans out with respect to the recent DNS issues ??
https://www.wilderssecurity.com/showthread.php?t=108368

Also goes to a core issue with configuration of BOC
https://www.wilderssecurity.com/showthread.php?t=216375

 

Someone spoiled his moments of fame.

See LoneWolf's thread, Hackers start DNS attacks:
https://www.wilderssecurity.com/showthread.php?t=216498

Other threads:

With DNS Flaw Now Public, Attack Code Imminent
http://www.dslreports.com/forum/r20833863-With-DNS-Flaw-Now-Public-Attack-Code-Imminent

Exploit Code for Kaminsky DNS Bug Goes Wild
http://www.dslreports.com/forum/r20843454-Exploit-Code-for-Kaminsky-DNS-Bug-Goes-Wild

DNS Disaster First Attacks Reported
http://www.dslreports.com/forum/r20872206-DNS-Disaster-First-Attacks-Reported


---