Linux Mint Forums

[sinstar]

Hello, I have a dedicated laptop only for banking (Mint 13) and I've been researching ways to make is as secure as possible. One of the potential threats people point out is DNS poisoning. Since the DNS translates URLs to IPs, will I be completely safe if I type/bookmark the IP itself rather than the URL in Firefox?
For example: "159.53.74.11" instead of "chase.com"

By typing the numeric address, do I really bypass querying the DNS database or is this a pointless stunt?

And if yes - can anyone recommend a secure method to translate URLs to IPs? Googling "url to ip" turns up tons of web services, but how do I know I can trust them?
Thanks!

[xenopeek]

Malicious persons could attack your ISP's DNS cache, and make www.yourbank.com go to the IP address of their choosing instead of to your bank (and then on that other IP address run a site looking like your bank so you will disclose your password for example). While that is not unheard of for home users, you are much more likely to run into such kinds of attacks when you are browsing from an Internet cafe or using a public Wi-Fi hotspot (like in an airport or certain hipster hangouts). On a public Wi-Fi hotspot one of the other visitors can easily attack everybody else on the same Wi-Fi connection.

Storing the IP address instead of the URL is perhaps one way to reduce the risk, but it is inconvenient as IP addresses for websites can and do change over time and you won't be able to trust any website for which you have not previously fetched the IP address on a connection you thought you could trust. Like, if you do an Internet search you won't be able to trust any of the websites returned in the search results...

A better way then is to use DNS Crypt. This encrypts the DNS traffic between your computer and the DNS server, and because DNS Crypt switches from your ISP's DNS to OpenDNS you are even more secure. I have a tutorial on how to set that up here: viewtopic.php?f=42&t=107096

[sinstar]

Wow, quick and detailed, thank you!

There's no way I'm ever using Wi-Fi to access a bank account, and certainly not from an internet cafe or anywhere public.
The machine is wired to my network's router - it's meant for home only. Both the router and laptop have wireless disabled by default, since I use it once in a blue moon anyway.

DNS Crypt looks like an awesome project and I'm definitely going to give it a try. Glad to hear there are folks working on this - I didn't even know it was possible to opt out of your ISP's resolution database!

[DrHu]

It is also possible that a commercial entity will rearrange/change their IP addresses at some point, so you may miss the connection or get an older one which could also be hijacked

But that said, companies tend to use an IP/DNS name for a long time, so possibly fairly unlikely..

There are some checks you can also use for dns names (lookups)
http://linuxpoison.blogspot.in/2011/01/ ... -host.html
--and some gui apps as well; usually network tools..