[Add] On the topic of routers doing dns with DC

Paul Wouters <paul@nohats.ca> Thu, 21 March 2024 21:03 UTC

From: Paul Wouters <paul@nohats.ca>
Date: Fri, 22 Mar 2024 07:02:49 +1000
Message-Id: <ADAF56A8-9C1C-4041-A78D-27E6ED15A17D@nohats.ca>
To: ADD Mailing list <add@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/0EyOKeU7o0e2ypgltcexyPy-p0g>
Subject: [Add] On the topic of routers doing dns with DC

Previous discussion on this feature came with claims of CPEs being very secure these days and it’s safe to do ADD with DC.

This just came in on the dns unbound list:

> I’ve seen a lot of home routers, mainly ZTE and D-Link, being attacked and having their LAN DNS changed to random servers with malicious intent. I am redirecting requests to those servers into my Unbound machine and I can see the requests flow through tcpdump, […]