2

I'm wondering how trustworthy the data from an SRV record lookup is? I have a program that essentially could fall apart if someone were to be able to spoof the SRV response.

If not, are there any precautions that could be taken to make it trustworthy?

  • There isn't a lot you can do about it unless you are the DNS admin of the SRV record. Take a look at: https://www.icann.org/resources/pages/dnssec-qaa-2014-01-29-en – Red Cricket Sep 16 '18 at 18:46
  • Your question would be basically the same for any kind of records, so `SRV` ones have nothing special in that regard. You will also need to define "trustworthy" in that context. If you need to ensure the DNS reply comes from the true authoritative servers you need to have DNSSEC, which has consequences both in the provisioning of the zone (creating RRSIG records, rotating keys, etc.) and in the resolving of it (you need a recursive validating nameserver, ideally locally) – Patrick Mevzek Sep 18 '18 at 16:55

2 Answers

1

The only reliable solution to spoofing seems to be using secure DNS servers for lookup. Currently, secure DNS lookup is provided by many DNS providers, e.g. Cloudflare.

mdeora
1

All DNS is completely insecure unless you're specifically using a secure DNS server with an encrypted protocol like DNSCrypt.

Even this may be insecure unless the server you're querying is the authoritative server for the requested resource. If it has to go off and ask another server, the link to the next server may or may not be secure.

Without encryption, everything can be modified and/or intercepted by an attacker like your ISP or anybody else along the way.

ISPs frequently intercept DNS queries in order to be "helpful", although they could just as easily be evil.

So the short answer to your question is "no". SRV lookups aren't secure and no other DNS queries are either.

If your application queries a DNS server you control, over a secure link, it should be fine. If you're just using whatever DNS your ISP provides, probably not.

Terry Carmen
  • DNSCrypt is certainly not the only way to do things like that. There is DNSSEC out there... You seem also to mix integrity/confidentiality with authentication which are two different things. A "secure link" (whatever that is) does not protect you against DNS spoofing. – Patrick Mevzek Sep 18 '18 at 16:53
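The practical consequence of this thread, as an added example that is not from the question or either answer: an SRV reply is only worth acting on when a validating resolver you control, reached over a link you trust, has set the AD ("Authenticated Data") bit in the reply header, which is how a DNSSEC-validating resolver signals that the answer verified. The stdlib-only parser below reads a wire-format DNS reply, reports the AD bit, extracts the SRV records, and refuses to hand out targets otherwise. The names `_sip._tcp.example.com`, `sip1`/`sip2`, the `SAMPLE` bytes and the `resolver_is_trusted_validator` flag are all constructed assumptions.

```python
import struct

SRV_TYPE, AD_FLAG = 33, 0x0020  # AD = "Authenticated Data" bit a validating resolver sets (RFC 4035)

def _name(msg, off):
    """Read a (possibly compressed) domain name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), end if end is not None else off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln

def parse_srv_response(msg):
    """Return (ad_bit_set, [(priority, weight, port, target), ...]) from a wire-format reply."""
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = _name(msg, off)[1] + 4  # skip QNAME, then QTYPE and QCLASS
    records = []
    for _ in range(an):
        _, off = _name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV_TYPE:
            prio, weight, port = struct.unpack("!3H", msg[off:off + 6])
            records.append((prio, weight, port, _name(msg, off + 6)[0]))
        off += rdlen
    return bool(flags & AD_FLAG), sorted(records, key=lambda r: r[0])  # lowest priority first

def trusted_srv_targets(msg, resolver_is_trusted_validator):
    """Use SRV data only when a validating resolver we control (on a secure link) set AD."""
    ad, records = parse_srv_response(msg)
    return records if ad and resolver_is_trusted_validator else []

# Constructed sample reply (not captured traffic): flags QR RD RA AD, 1 question, 2 SRV answers.
# Owner names point back to the question (0xC00C); targets reuse "example.com" at offset 22 (0xC016).
SAMPLE = (struct.pack("!6H", 0x1234, 0x81A0, 1, 2, 0, 0)
          + b"\x04_sip\x04_tcp\x07example\x03com\x00" + struct.pack("!HH", SRV_TYPE, 1)
          + b"\xC0\x0C" + struct.pack("!HHIH", SRV_TYPE, 1, 300, 13)
          + struct.pack("!3H", 10, 60, 5060) + b"\x04sip1\xC0\x16"
          + b"\xC0\x0C" + struct.pack("!HHIH", SRV_TYPE, 1, 300, 13)
          + struct.pack("!3H", 20, 0, 5060) + b"\x04sip2\xC0\x16")
```

The AD bit is only meaningful if the resolver that set it is one you trust and the path to it cannot be tampered with; from an arbitrary upstream resolver it is just another unauthenticated header bit, which is why the second argument exists.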