Supporting secure DNS in glibc
| Did you know...? LWN.net is a subscriber-supported publication; we rely on subscribers to keep the entire operation going. Please help out by buying a subscription and keeping LWN on the net. |
One of the many weak links in Internet security is the domain name system (DNS); it is subject to attacks that, among other things, can mislead applications regarding the IP address of a system they wish to connect to. That, in turn, can cause connections to go to the wrong place, facilitating man-in-the-middle attacks and more. The DNSSEC protocol extensions are meant to address this threat by setting up a cryptographically secure chain of trust for DNS information. When DNSSEC is set up properly, applications should be able to trust the results of domain lookups. As the discussion over an attempt to better integrate DNSSEC into the GNU C Library shows, though, ensuring that DNS lookups are safe is still not a straightforward problem.
In a sense, the problem was solved years ago; one can configure a local nameserver to perform full DNSSEC verification and use that server via glibc calls in applications. DNSSEC can even be used to increase security in other areas; it can, for example, carry SSH or TLS key fingerprints, allowing applications to verify that they are talking to the right server. Things get tricky, though, when one wants to be sure that DNS results claiming to have DNSSEC verification are actually what they claim to be — when one wants the security that DNSSEC is meant to provide, in other words.
The /etc/resolv.conf problem
Part of the problem, from the glibc perspective, is that glibc itself does not do DNSSEC verification. Instead, it consults /etc/resolv.conf and asks the servers found therein to do the lookup and verification; the results are then returned to the application. If the application is using the low-level res_query() interface, those results may include the "authenticated data" (AD) flag (if the nameserver has set it) indicating that DNSSEC verification has been successfully performed. But glibc knows nothing about the trustworthiness of the nameserver that has provided those results, so it cannot tell the application anything about whether they should really be trusted.
One of the first steps suggested by glibc maintainer Carlos O'Donell is to add an option (dns-strip-dnssec-ad-bit) to the resolv.conf file telling glibc to unconditionally remove the AD bit. This option could be set by distributions to indicate that the DNS lookup results cannot be trusted at a DNSSEC level. Once things have been set up so that the results can be trusted, that option can be removed. In the meantime, though, applications would have a way to judge the DNS lookup results they get from glibc, something that does not exist now.
What would a trustworthy setup look like? The standard picture looks something like this: there is a local nameserver, accessed via the loopback interface, as the only entry in /etc/resolv.conf. That nameserver would be configured to do verification and, in the case that verification fails, simply return no results at all. There would, in almost all cases, be no need to worry about whether applications see the AD bit or not; if the results are not trustworthy, applications will simply not see them at all. A number of distributions are moving toward this model, but the situation is still not as simple as some might think.
One problem is that this scheme makes /etc/resolv.conf into a central point of trust for the system. But, in a typical Linux system, there are no end of DHCP clients, networking scripts, and more that will make changes to that file. As Paul Wouters pointed out, locking down this file in the short term is not really an option. Sometimes those changes are necessary: when a diskless system is booting, it may need name-resolution service before it is at a point where it can start up its own nameserver. A system's entire DNS environment may change depending on which network it is attached to. Systems in containers may be best configured to talk to a nameserver on the host. And so on.
So there seems to be a general belief that /etc/resolv.conf cannot really be trusted on current systems. Ideas to add secondary configuration files (/etc/secure-resolv.conf or whatever) have been floated, but they don't much change the basic nature of the situation. Beyond that, some participants felt that even a local nameserver running on the loopback interface is not really trustworthy; Zack Weinberg suggested that administrators might intentionally short out DNSSEC validation, for example.
Since the configuration cannot be trusted on current systems, the reasoning goes, glibc needs to have a way to indicate to applications when the situation has improved and things can be trusted. That could include the AD-stripping option described above (or, conversely, an explicit "this nameserver is trusted" option); that, of course, would require that the system be locked down to a level where surprising changes to /etc/resolv.conf no longer happen. A variant, as suggested by Petr Spacek, is to have a way for an application to ask glibc whether it is talking to a local nameserver or not.
Do it in glibc?
An alternative would be to dispense with the nameserver and have glibc do DNSSEC validation itself. There is, however, resistance to putting a big pile of cryptographic code into glibc itself. That would increase the size of the library and, it is felt, increase the attack surface of any application using it. A variant of this idea, suggested by Zack, would be to put the validation code into the name-service caching daemon (nscd) instead. Since nscd is part of glibc, it is under the control of the glibc developers and there could be a certain amount of confidence that DNSSEC validation is being performed properly. The location of the nscd socket is well known, so the /etc/resolv.conf issues don't come into play. Carlos worried, though, that this approach might deter adoption by users who do not want the caching features of nscd; in his mind, that seems to rule out the nscd option.
So, in the short term, at least, it seems unlikely that glibc will take on the full task of performing validated DNSSEC lookups. That means that, if security-conscious applications are going to use glibc for their name lookups, the library will have to provide an indication of how trustworthy the results received from a separate nameserver are. And that will almost certainly require explicit action on the part of the distributor and/or system administrator. As Simo Sorce put it:
Configuring a system to properly use DNSSEC involves change to many of the components of that system — it is a distribution-wide problem that will take time to solve fully. The role that glibc plays in this transition is likely to be relatively small, but it is an important one: glibc is probably the only place where applications can receive some assurance that their DNS results are trustworthy without implementing their own resolver code. Running multiple DNSSEC implementations on a system seems like an unlikely path to greater security, so it would be good to get this right.
The glibc project has not yet chosen a path by which it intends to get
things right, though some sort of annotation in /etc/resolv.conf
looks like a likely outcome. Any such change would then have to get into
a release; given the conservative nature of glibc development, it may
already be late for the 2.23 release, which is likely to happen in
February. So higher DNSSEC awareness in glibc may not happen right away,
but there is at least some movement in that direction.
| Index entries for this article | |
|---|---|
| Security | DNSSEC |
(Log in to post comments)
Supporting secure DNS in glibc
Posted Nov 18, 2015 23:05 UTC (Wed) by josh (subscriber, #17465) [Link]
Supporting secure DNS in glibc
Posted Nov 19, 2015 1:41 UTC (Thu) by wahern (subscriber, #37304) [Link]
The issue here is playing nice with non-glibc resolvers, like c-ares, adns, and the untold number of similar resolvers floating around. Not to mention non-systemd DHCP clients and other code that manipulates /etc/resolv.conf directly.
The resolved approach also effectively moves the real query code outside the library and into the local [systemd] resolver. But per the article glibc wasn't prepared to always assume the local resolver to be trusted, presumably reasoning that trusting unrelated processes is not something they're prepared to do. Obviously this not reasoning that systemd folk would agree with. But the underlying judgments relate to stances on portability, standards conformance (POSIX, historical, etc), forwards and backwards compatibility, and ultimately where the real interface boundaries should be. Which is basically the whole systemd debate in a nut shell. And perhaps why systemd has felt compelled (rightly or wrongly, for better or worse) to buildup an entire parallel ecosystem of infrastructure software--DNS, NTP, DHCP, etc.
Supporting secure DNS in glibc
Posted Nov 20, 2015 8:27 UTC (Fri) by pr1268 (subscriber, #24648) [Link]
it just defines it away by obsoleting /etc/resolv.conf, or at least making it read-only and always pointing to 127.0.0.1.
Oh, PLEASE don't take away my resolv.conf—I (ab)use it by adding some 0.0.0.0 entries to get ad.doubleclick.net (and some others) to STFU when web-browsing.
Supporting secure DNS in glibc
Posted Nov 20, 2015 8:43 UTC (Fri) by zdzichu (subscriber, #17118) [Link]
Note that there is also nsswitch.conf, which governs sources and their order. /etc/hosts is "files" source, while resolv.conf is used by for example "dns" source.
Supporting secure DNS in glibc
Posted Nov 21, 2015 5:06 UTC (Sat) by pr1268 (subscriber, #24648) [Link]
You put this in resolv.conf, not in /etc/hosts? Are you sure?
I stand corrected. Not sure what I was thinking when I typed that... :-\
Supporting secure DNS in glibc
Posted Nov 20, 2015 20:51 UTC (Fri) by josh (subscriber, #17465) [Link]
Supporting secure DNS in glibc
Posted Nov 20, 2015 21:36 UTC (Fri) by flussence (subscriber, #85566) [Link]
In practice I've found that things filtering on source/destination host pairs (NoScript, RequestPolicy, Policeman, uMatrix) are good enough 90% of the time, and closer to 99% if you add content type to the filter. In Chromium-based browsers there's even a special fast path for this specific use case.
Having said that, I also took the malware/spam hosts lists in uMatrix and converted them to empty BIND zones for my LAN. A bit of defence in depth can't hurt.
Supporting secure DNS in glibc
Posted Nov 23, 2015 2:55 UTC (Mon) by edmonds42 (guest, #42670) [Link]
I have an SSID on my home network especially for Android devices on which the DNS server handed out by DHCP is a local Unbound server configured with a hosts file style blacklist. It does a great job killing both in-browser and in-app ads.
Supporting secure DNS in glibc
Posted Dec 3, 2015 1:16 UTC (Thu) by luto (subscriber, #39314) [Link]
I've yet to see a convincing reason why hooking at the NSS level (like libnss-resolve does) is any better than speaking the DNS protocol directly (like unbound would do). There's a straightforward respect in which it's worse, thouggh: the unbound approach works with all the non-glibc third-party asynchronous resolvers.
(Of course, both approaches will want some way to signal to apps that the local resolver is validating, but I think they're on equal footing there in that neither one actually succeeds without library and API changes.)
Supporting secure DNS in glibc
Posted Dec 3, 2015 6:46 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]
Supporting secure DNS in glibc
Posted Dec 3, 2015 17:56 UTC (Thu) by flussence (subscriber, #85566) [Link]
It's a pretty dire situation when an average Linux desktop has more ways of looking up a hostname than graphical toolkits installed.
I wish someone would come along and do for gethostbyname() what sqlite did for fopen() - a library that doesn't suck and offers *no* excuses for not using it.
Supporting secure DNS in glibc
Posted Nov 19, 2015 10:50 UTC (Thu) by runekock (subscriber, #50229) [Link]
If you want secure DNS, the administrator needs to set up the system with a trustworthy resolv.conf. If you can't trust the admin to do that, how can you fix that at the application level?
Supporting secure DNS in glibc
Posted Nov 19, 2015 15:05 UTC (Thu) by smoogen (subscriber, #97) [Link]
Supporting secure DNS in glibc
Posted Nov 19, 2015 15:26 UTC (Thu) by anselm (subscriber, #2796) [Link]
This is why you want a validating resolver on your own machine.
Supporting secure DNS in glibc
Posted Nov 20, 2015 2:51 UTC (Fri) by gerdesj (subscriber, #5446) [Link]
... or a VPN back to base which has trusted DNS servers. This has the bonus of working for all your users without having to maintain multiple funky resolvers. Either method will work - I do both for myself but my staff (who generally wouldn't know what a resolver is) get a (Open)VPN which forces all traffic via base.
"Secure" DNS?
Posted Nov 19, 2015 14:58 UTC (Thu) by civodul (guest, #58311) [Link]
"Secure" DNS?
Posted Nov 20, 2015 7:44 UTC (Fri) by kleptog (subscriber, #1183) [Link]
"Secure" DNS?
Posted Nov 24, 2015 20:03 UTC (Tue) by shane (subscriber, #3335) [Link]
Nevertheless, Snowden did give the IETF a wake-up call and work is proceeding. There is the excellent RFC 7626 by Stephane Bortzmeyer which covers the problem space:
https://www.rfc-editor.org/info/rfc7626
As far as actual standards work, there is DPRIVE, the DNS Privacy working group, which was chartered recently to tackle some of these issues. Current work focuses on moving DNS over TLS or the UDP variant thereof (DTLS). It's not enough, but we are adding more tools to protect against pervasive monitoring via DNS. Sadly a 30 year old protocol is hard to update....
Supporting secure DNS in glibc
Posted Nov 19, 2015 18:44 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]
Supporting secure DNS in glibc
Posted Nov 19, 2015 19:52 UTC (Thu) by cstrotm (subscriber, #55963) [Link]
Supporting secure DNS in glibc
Posted Nov 19, 2015 19:58 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]
Supporting secure DNS in glibc
Posted Nov 19, 2015 23:47 UTC (Thu) by edmonds42 (guest, #42670) [Link]
draft-hoffman-dprive-dns-tls-https is probably the draft you're looking for, then.
Supporting secure DNS in glibc
Posted Nov 20, 2015 3:46 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]
I think that HTTP[S] tunneling should only solve the problem of filtering middleboxes and DNSSEC should be used for everything else.
Supporting secure DNS in glibc
Posted Nov 20, 2015 3:51 UTC (Fri) by edmonds42 (guest, #42670) [Link]
Ah, sounds like you also might be interested in draft-ietf-dnsop-dnssec-roadblock-avoidance, then.
Supporting secure DNS in glibc
Posted Nov 19, 2015 21:42 UTC (Thu) by neilbrown (subscriber, #359) [Link]
I think Cyberax suggested using HTTPS to get authentication, but that draft seems to only talk about using SSL to get privacy.
I don't think HTTPS is the best choice for authentication though made it is so widely used that it is OK.
Would it make sense to put a public key in resolv.conf and configure your trusted DNS server (whether on localhost or in the machine room or whatever) to sign all verified responses with the matching public key?
Then a relatively small amount of crypto code in glibc could verify local responses.
Supporting secure DNS in glibc
Posted Nov 19, 2015 23:44 UTC (Thu) by edmonds42 (guest, #42670) [Link]
I think Cyberax suggested using HTTPS to get authentication, but that draft seems to only talk about using SSL to get privacy.
draft-ietf-dprive-dns-over-tls-01 specifies two different usage profiles in section 4, "Opportunistic Privacy Profile" and "Pre-Deployed Profile". The pre-deployed profile requires that the server be authenticated.
Would it make sense to put a public key in resolv.conf and configure your trusted DNS server (whether on localhost or in the machine room or whatever) to sign all verified responses with the matching public key?
Then a relatively small amount of crypto code in glibc could verify local responses.
The short answer is: don't design your own cryptosystem, it will look bad when cryptographers review it.
There have been a few attempts at adding non-TLS crypto privacy to stub lookups, e.g. DNSCrypt, draft-wijngaards-dnsop-confidentialdns, and draft-krecicki-dprive-dnsenc. Probably the most successful of those so far is DNSCrypt (e.g., see OpenDNS's deployment), but even that one relies on a local proxy daemon.
There are a few IETF-standardized DNS extensions that allow crypto authentication for lookups, TSIG and SIG(0). But these are rarely used (the big problem is key distribution) and don't provide privacy. (TSIG is probably more familiar to people as a mechanism used to protect DNS zone transfers.)
Supporting secure DNS in glibc
Posted Nov 20, 2015 3:44 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]
And then trusted DNS information can be used by other layers.
Supporting secure DNS in glibc
Posted Nov 20, 2015 22:16 UTC (Fri) by imMute (guest, #96323) [Link]
Supporting secure DNS in glibc
Posted Nov 21, 2015 5:40 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link]
Supporting secure DNS in glibc
Posted Nov 19, 2015 23:09 UTC (Thu) by edmonds42 (guest, #42670) [Link]
Hi,
I have a few brief comments.
It looks like these two proposals come down to implementing what the DNSSEC RFCs call a "Non-Validating Security-Aware Stub Resolver" (the first proposal described in the article) and a "Validating Security-Aware Stub Resolver" (the second proposal). Here are the definitions from RFC 4033:
Non-Validating Security-Aware Stub Resolver: A security-aware stub
resolver that trusts one or more security-aware recursive name
servers to perform most of the tasks discussed in this document
set on its behalf. In particular, a non-validating security-aware
stub resolver is an entity that sends DNS queries, receives DNS
responses, and is capable of establishing an appropriately secured
channel to a security-aware recursive name server that will
provide these services on behalf of the security-aware stub
resolver. See also security-aware stub resolver, validating
security-aware stub resolver.
Non-Validating Stub Resolver: A less tedious term for a
non-validating security-aware stub resolver.
[...]
Validating Security-Aware Stub Resolver: A security-aware resolver
that sends queries in recursive mode but that performs signature
validation on its own rather than just blindly trusting an
upstream security-aware recursive name server. See also
security-aware stub resolver, non-validating security-aware stub
resolver.
Validating Stub Resolver: A less tedious term for a validating
security-aware stub resolver.
The first definition refers to "an appropriately secured channel", which is further mentioned in RFC 4035:
4.9.3. Handling of the AD Bit A non-validating security-aware stub resolver MAY chose to examine the setting of the AD bit in response messages that it receives in order to determine whether the security-aware recursive name server that sent the response claims to have cryptographically verified the data in the Answer and Authority sections of the response message. Note, however, that the responses received by a security-aware stub resolver are heavily dependent on the local policy of the security-aware recursive name server. Therefore, there may be little practical value in checking the status of the AD bit, except perhaps as a debugging aid. In any case, a security-aware stub resolver MUST NOT place any reliance on signature validation allegedly performed on its behalf, except when the security-aware stub resolver obtained the data in question from a trusted security-aware recursive name server via a secure channel. A validating security-aware stub resolver SHOULD NOT examine the setting of the AD bit in response messages, as, by definition, the stub resolver performs its own signature validation regardless of the setting of the AD bit.
The RFCs generally treat the "stub resolver" and applications that rely on the stub resolver as separate components that communicate via an interface, and this is true enough if you are using high-level interfaces like getaddrinfo(), but in practice on GNU/Linux and *BSD systems this abstraction becomes very leaky when you want to do anything other than an address lookup (A/AAAA). On Linux systems, the DNS "stub resolver" consists of the res_*() functions and related ns_*() and dn_*() helper functions, which are provided by a separate library libresolv, which is shipped by glibc.
glibc's libresolv is very old. As near as I've been able to track down, it's a cut down version of the "libbind" stub resolver that was included with CSRG BSD, BIND 4, BIND 8, and BIND 9 (up until BIND 9.6.0, when it was removed). glibc first(?) imported this code from BIND 4.9.1 in May 1993, and periodically synchronized with the upstream codebase until the last update from BIND 8.2.3-T5B in July 2000, at which point it continued to evolve independently in glibc. This is why if you execute libc.so.6 glibc will print out BIND-8.2.3-T5B as an "available extension". (The upstream codebase is still kicking around; ISC split it out into a standalone "libbind" distribution when it was removed from BIND 9.6.0, and it was later adopted from ISC by the NetBSD project a few years ago where it was renamed to "netresolv".)
(A digression: parts of the nss_dns code in glibc, which interfaces libresolv to the glibc Name Service Switch, is similarly old and descended from CSRG on stone tablets. This code in its modern glibc form is not easy to read; to take a cherry-picked example, this 2007 commit [corresponding bug report BZ#4381] introduced a vulnerability which was later fixed in this 2015 commit, [corresponding bug report BZ#18287] resulting in CVE-2015-1781, which could have been exploited remotely by malformed DNS response packets under certain conditions. If you're a moderately skilled C programmer who only rarely ventures into the glibc codebase, your reaction to reading these diffs will probably be similar to this fellow, or perhaps this one. This code is seriously hard to read. Fortunately, it appears this bug wasn't likely to be exploitable in practice, at least in instances of calling code which were audited. According to Florian Weimer, then of Red Hat Product Security: "This can only happen if these functions are called with a misaligned buffer. I looked at quite a bit of source code, and tested applications with a patched glibc that logs misaligned buffers. I did not observe any such misaligned buffers.")
The res_* interface is not very fun to use. The result returned by the res_query(), res_search(), and res_send() functions is a bare DNS protocol wire-format message which must be parsed by the application. libresolv offers a number of ns_*() functions (ns_initparse(), ns_parserr(), etc.) that don't quite amount to a parser, but are rather a collection of helper functions that can be used to construct a parser. The ns_*() functions aren't fully documented on GNU or even BSD systems, though; the best API reference available is probably contained in chapter 15 of the O'Reilly "DNS and BIND" book. Here is a trivial example I wrote of using this interface to parse a DNS SRV response. Note how the caller is responsible for checking that the resource record is well-formed and for knowing the precise layout of the data fields within the SRV resource record. In practice, the ns_*() functions tend to be avoided by applications that use the res_*() interface to perform lookups. A good example is the Postfix MTA, which uses the res_*() functions to send a query, but implements its own wire-format message parser. Debian Code Search finds only 34 packages with ns_parserr references, though not all of these instances are actual users of the interface.
Taking the Postfix example, Postfix together with libresolv participate jointly in the parsing of the DNS message, and in particular Postfix examines the AD bit, which arguably puts that application code within the boundary of what the DNSSEC RFCs call the "non-validating security-aware stub resolver". RFC 4035 specifically says, "In any case, a security-aware stub resolver MUST NOT place any reliance on signature validation allegedly performed on its behalf [i.e., the AD bit], except when the security-aware stub resolver obtained the data in question from a trusted security-aware recursive name server via a secure channel." Postfix tries to conform with that "MUST NOT" by warning that it's the sysadmin's responsibility to configure the system's resolver correctly. (BTW, there is a comment in the Postfix codebase that they might make libunbound, a validating stub resolver library, a mandatory dependency, which would allow Postfix to do its own validation.)
Another example is the OpenSSH client on Debian and Fedora systems, which is compiled without ldns support. In order to look up SSHFP records it uses the res_*() interface with RES_USE_EDNS0|RES_USE_DNSSEC and examines the AD-bit, and it also uses its own DNS message parsing implementation rather than relying on libresolv's ns_*() interface.
If I understand correctly, since e.g. Postfix and OpenSSH currently assume the AD-bit is trustworthy, the AD-bit stripping proposal described in this article amounts to declaring that the glibc stub resolver does not always obtain its data from "a trusted security-aware recursive name server via a secure channel", and if there were some way to determine that the system's upstream resolver is both trustworthy and that the system communicates with it over a secure channel, the AD-bit could be unmasked. Both of those determinations are pretty hard to evaluate, and to communicate to relying processes with the existing APIs/ABIs. Especially when those relying processes might use their own stub resolver (e.g., adns, c-ares) and the only ABI you have is the contents of the /etc/resolv.conf file.
The second proposal described in the article appears to be to add a "Validating Security-Aware Stub Resolver" to glibc, which is the "trust, but verify" (i.e., don't trust) mode, where the stub resolver on the end host is responsible for performing the cryptographic validation itself. However, since DNSSEC validation requires obtaining additional DNS records this results in short-lived processes spamming the upstream resolver with more DNS queries. Reducing this query spam requires either a local cache, and/or the deployment of a proposal like draft-ietf-dnsop-edns-chain-query. Moreover, in-process validation would result in pulling in a heavyweight library like libunbound, which may spawn threads, perform long-lived heap allocations for its cache, load hairy crypto libraries like OpenSSL into the process, etc. As a proof-of-concept, a few years ago I attempted an nss-ubdns module for the Name Service Switch that could replace nss_dns and use libunbound rather than libresolv for DNS resolution. This turned out to be very crashy in practice with nontrivial applications like Firefox, and I lost interest in the approach.
There are also developments on the horizon that lean towards having a local daemon on the system: the IETF's DNS PRIVate Exchange (DPRIVE) working group is coalescing around proposals to protect the privacy of the "last mile" of DNS with TLS and/or D(TLS) sessions between stub resolvers and recursive DNS servers. (IANA has provisionally allocated TCP/UDP port 853 for this.) To scale, this is going to require maintaining a long-lived session with the recursive DNS server, to minimize the overhead and latency of TCP and TLS session initiation. That means the end host's stub resolver needs to have a nearby long-lived daemon somewhere between it and the recursive DNS server. Probably that means something like a local unbound instance on the system operating in forwarding mode and speaking the port 853 protocol to its upstream resolver.
Finally, folks writing new applications that want to rely on DNSSEC-authenticated resource records from the DNS are unlikely to want to rely on the old resolver interface, even if eventually bleeding edge versions of the glibc resolver grow the capability to tell the caller that the results are trustworthy. (What do you do if you're running on an older glibc version, or the distro you're running on hasn't set things up properly, or you're on a BSD, etc.) Easier to add an external dependency on something like getdnsapi, which currently only has a libunbound backend but will hopefully have an alternate implementation provided by a library form of CZ.NIC's Knot Resolver.
Why Do We Need Secure DNS, Again?
Posted Dec 8, 2015 21:49 UTC (Tue) by ldo (guest, #40946) [Link]
Given this, why do we care about DNS security?
Why Do We Need Secure DNS, Again?
Posted Dec 9, 2015 1:23 UTC (Wed) by flussence (subscriber, #85566) [Link]
Why Do We Need Secure DNS, Again?
Posted Dec 9, 2015 9:01 UTC (Wed) by paulj (subscriber, #341) [Link]