Re: [Add] some background on split DNS with DNSSEC

[tirumal reddy <kondtir@gmail.com>]

On Wed, 10 Nov 2021 at 04:39, Paul Wouters <paul.wouters=
40aiven.io@dmarc.ietf.org> wrote:

> On Tue, 9 Nov 2021, Deen, Glenn wrote:
>
> > That said, what ADD is chartered to do is to look at how to do encrypted
> DNS resolver discovery in the environments that users do live in, and not
> just environments that we think they should be in, so with the background
> on DNSSEC that started this chain, and EKR's moment of actually putting a
> good word in for DNSSEC during the ADD session,  does the group see there
> being a role here for DNSSEC?
>
> I think the problem is still that the different use cases are conflicting.
>
> 1) Enterprise split DNS
>
> Use provisioning tools to get similar security as RFC 8598 with
> authenticated list of domains to take over. This would avoid using public
> DNS to "verify" or "authenticate" which would leak private enterprise
> domains. I think the current draft's text of somehow (still unclear to
> me) have public nameservers claim authority for internal only zones is
> the wrong method. Signal some URI over DHCP options and let clients
> with provisioning retrieve/verify/use it. Unprovisioned users would
> not use the option, lacking a method to validate the list, which also
> prevents abuse of this protocol in non-enterprise setups.
>
> 2) ISP like provisioning domains and hotspot (redirect) domain logins
>
> This is the hardest one, eg .box for the Fritz!Box router in Germany.  In
> this case, it requires accessing .box, but it is completely squatted. You
> could only allow this if you confirm the external domain does not exist
> Also, germany would go offline as soon as .box gets delegated. We don't
> care about leaks here, which is good because one has to query the public
> DNS. But as ekr pointed out, browsers already have a workaround
> behaviour by trying public DNS and if that fails retry on local
> network's DNS. systemd-resolved sends out the query on all interfaces
> (and uses the first returned answer, which is in itself a security
> nightmware, but I digress). The question is, is this something ADD
> should take on or leave out. I think it should leave this out as it
> cannot in a reasonable way be authenticated and/or authorized.
>
> 3) enduser protection mechanisms
>
> I don't think these would be advertised as domains to resolve but rather
> would use mandatory use of DNS servers that would filter these.
>
>
>
>
> I have been at a hotel chain that blocked priceline.com. Coffeeshop
> wifi might prevent certain domains to prevent things like Google Meet
> or other domains that make people use a lot of bandwidth and stay very
> long. Schools might grab facebook to block it. While I think network
> owners should be able to dictare terms on their clients, I don't think
> the current ADD split-dns is the right mechanism for that.
>
> And then we have the issue of this document of split DNS having a run-in
> with censorship, either by nationstate or as a security service. In
> those cases, the goal is to take over all DNS for the protection of the
> user. When that happens, it overrides the split-dns network configuration.
> But of course, enforcing of that is impossible and a race of DoH against
> the administrator ensures.
>
> I did see the Zero Knowledge Proof DNS blocklist presentation today, but
> I also feel that even if the protocol managed to be speed up to be
> usable, the problem is that those who want to deploy blocking as a
> security service would want to know which domains were queried (eg to
> detect the C&C domain to identify the specific malware running). Those
> with the power the censor DNS don't often want to give the user full
> privacy - especially when they do things that are not allowed on the
> network.
>
> I think the one real use case here is to fix is the enterprise list of
> domains.
> This is the use case where every party agrees to play along.
>
> If I need to access internal.aiven.io when I join the wifi and use my own
> TRR nameserver, I need to get these domains into my application. The
> current browser method of trying external before trying internal
> nameserver fixes that but it is not the best solution for all applications
> performing DNS. My laptop's build system would fail with DNS in git or
> other build tools.
>
> The browser solution also does not work when the view leads to different
> valid result. Eg if vault.aiven.io would be landing page with "nothing to
> see here" on the external view, and a real vault on the internal view. The
> easy fix is "don't do that" but there might be more complicated scenarios
> where this cannot be avoided.
>
> Putting a solution in the stub would be good.  I think ADD can specify
> something
> here, but it would really be part of (and authenticated by) the enterprise
> provisioning. Which could be as simple as a URI via DHCP option to a signed
> list by a CA that I installed. I am not sure dancing around in different
> DNS views would be particularly useful. And it would still allow
> outsiders to see those public DNS queries which are supposed to remain
> private. And I still don't understand the updates to the document from
> this Monday, that adds some packet flaw images, but no DNS query
> information. I still don't understand it :(
>

The DNS query to resolve "pvd.uk.example.com" is sent to the
network-designated resolver. RFC8801 in section 4.1 mandates that the PvD
FQDN must be resolved using the DNS servers indicated by the associated
PvD.  The NS query for the domain "example.com" in dnsZone is sent to the
public resolver. If the network proves authority over the domain, "
example.com" is resolved using the network-designated resolver.

-Tiru


> Paul
>
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
>