Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

BIND implements DNS-over-HTTPS to offer enhanced privacy

Developers of the widely used, open source BIND DNS server software have added preliminary support for DNS-over-HTTPS (DoH) to the technology.

Support for DoH has been added to the BIND 9 nameserver 9.17.10, a development version of the technology. A backport to the stable (mainstream) is 9.16.x, planned after the current build dependency on the nghttp2 library is made optional.

Needing DoH

DoH is a foundational technology for building greater privacy into surfing the web and other activities on the internet. Application of the DoH protocol involves enclosing DNS traffic inside HTTPS packets.

This layer of encryption guards against snooping on the websites consumers are visiting, blocking some aspects of ad tracking as well as protecting against message modification – a benefit in defending against manipulator in the middle (MitM) attacks.

DoH is also a stepping stone in the deployment of Encrypted Client Hello (ECH), a technology that encrypts the handshake between clients TLS servers so that sensitive metadata is kept secret.

BIND – which is developed by the Internet Systems Consortium (ISC) – already supports DNS-over-TLS (DoT), an alternative to DoH that offers similar privacy-enhancing benefits.

Following the latest (experimental or prototype) release, a BIND server can accept conventional DNS queries as well as those based on either DoT or DoH.

“Which transport is used for an individual client query depends on what the client uses to contact BIND,” a blog post by the ISC explains. “Starting from this release we have a specialised HTTP/2 server built into BIND specifically to serve DNS-over-HTTPS queries.”

Server-side only

BIND’s support for DoH remains server-side only at present, though work on client side technology is already underway. The server-side release was tested using Mozilla Firefox among other DoH clients.

The DoH implementation from BIND already boasts some unique features including the ability to offload TLS encryption to another server.

BIND’s blog post goes on to explain the benefits of this feature as well as how to set up DNS-over-HTTPS using its technology. The post also offers a good summary of the overall benefits of DoH as well as dealing with some of the criticisms of the technology.

And another thing…

The latest BIND release for developers also includes a fix for a buffer overflow vulnerability (CVE-2020-8625).

BIND’s implementation of SPNEGO, a negotiation mechanism used by GSSAPI, the application protocol interface for GSS-TSIG, is flawed.

The vulnerability creates a mechanism to crash the process and, although unproven, the possibility to trigger remote code execution.

“Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers,” ISC advises.

Advertisement. Scroll to continue reading.

GSS-TSIG is an extension to the TSIG protocol that designed to support the secure exchange of keys.

Users are advised to upgrade to the patched release most closely related to your current version of BIND, such as BIND 9.11.28 or BIND 9.16.12.

Source: https://portswigger.net/daily-swig/bind-implements-dns-over-https-to-offer-enhanced-privacy

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

Google has announced the first open-source quantum resilient FIDO2 security key implementation, which uses a unique ECC/Dilithium hybrid signature schema co-created with ETH Zurich....

Cyber Security

Security researchers have dissected a recently emerged ransomware strain named ‘Big Head’ that may be spreading through malvertising that promotes fake Windows updates and Microsoft Word...

Business News

FILE – A sign outside the National Security Administration campus in Fort Meade, Md., is seen June 6, 2013. The American public is broadly...

Cyber Security

Proposed legislation would require the Department of Homeland Security to “evaluate risks posed to national security and civilian privacy” by the online release of...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO