Re: [Add] fixing coffee shop brokenness with DoH

Brian Dickson <brian.peter.dickson@gmail.com> Wed, 24 July 2019 17:56 UTC

References: <CAChr6Sx9TEt6CMzRRrdb-HwT_k987oW=4yF1FCbDF17zkaE2Vg@mail.gmail.com> <2D09D61DDFA73D4C884805CC7865E6114E23910C@GAALPA1MSGUSRBF.ITServices.sbc.com> <14DF8769-A817-4C06-9140-80198518244F@akamai.com> <CAChr6SzH1EycAr5n+dK5BQcG=0Zsw66qE=8Rptvq7SEoEvQQ=Q@mail.gmail.com> <E5A0DAE2-A718-41EA-B490-58ABD0F31CF2@rfc1035.com> <CABcZeBMqvZivS_Hk_2mSOAOnM+mHy1mtcwnHVFc14v_jdkgU=Q@mail.gmail.com> <4DE9B8B1-36D5-4EB5-BE84-D61C182F7372@fugue.com> <CABcZeBN+4RGWN0+xhtb-bMtSJ1B0FAU4JjRJTOSd1x_9JJZBWg@mail.gmail.com> <D361E72B-3783-4E57-8F08-8B418639BB29@fugue.com> <CABcZeBP2MY3pjeZv4Q+1Kj3_GKOgVq8+OYe7im2gYvBzy=Mz7g@mail.gmail.com> <F8A56D5D-B05E-4E80-880C-60D6B550F107@fugue.com> <CABcZeBOO5yvcm=DvDjr-7v4AvVG=13Zy--j362eE0Qqp7hcRaw@mail.gmail.com> <4FC4184E-E41D-420E-A594-60ECF3CD73F1@fugue.com> <CABcZeBOjWQr1HWbGaCkpdR1S7FQUmum=by_SOYWB9OENy8Y-hA@mail.gmail.com> <7BE32238-2442-4954-B95E-1C089C8C86E7@fugue.com> <CABcZeBM8bY0bjZjgpozMULL++4v98SO-tyFnqYvG0714GqWgbw@mail.gmail.com> <CAH1iCioacfKVV14QcQ9zsNed2cDXVhJDY2wknaOzRsarK0GJcA@mail.gmail.com> <CABcZeBOMv=HdV5e9-eBoWLQhh=p6uy4OKhAqo0Q5Lgg7c91kOA@mail.gmail.com>
In-Reply-To: <CABcZeBOMv=HdV5e9-eBoWLQhh=p6uy4OKhAqo0Q5Lgg7c91kOA@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Wed, 24 Jul 2019 13:56:27 -0400
Message-ID: <CAH1iCioQJrzvcwTD-7uTsBu2=CFma7pYQpJSGDV1bfmvk-=5rQ@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Ted Lemon <mellon@fugue.com>, Jim Reid <jim@rfc1035.com>, "add@ietf.org" <add@ietf.org>, Rob Sayre <sayrer@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/N2YSKNb57zDmHXm556l-BAUNCtY>
Subject: Re: [Add] fixing coffee shop brokenness with DoH

On Wed, Jul 24, 2019 at 1:46 PM Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Wed, Jul 24, 2019 at 10:32 AM Brian Dickson <brian.peter.dickson@gmail.com> wrote:
>
>>
>>
>> On Wed, Jul 24, 2019 at 1:15 PM Eric Rescorla <ekr@rtfm.com> wrote:
>>
>>>
>>>
>>> On Wed, Jul 24, 2019 at 8:58 AM Ted Lemon <mellon@fugue.com> wrote:
>>>
>>>> There are a variety of attack scenarios to account for. DNSSEC is not
>>>> useful for countering a fake NXDOMAIN attack when the attacker also
>>>> controls the path and can prevent connection establishment.
>>>>
>>>> However, if the attacker is the resolver, and the resolver isn’t under
>>>> the control of the path, then detecting a fake NXDOMAIN is useful.
>>>>
>>>
>>> How?
>>>
>>
>> Assumptions:
>>
>>    1. One resolver is controlled by the attacker
>>    2. The path to the real endpoint is free from control by that same
>>    attacker
>>    3. Any other resolver, not controlled by that same attacker, is known
>>
> This last possibility seems like a pretty narrow case. In the vast
> majority of cases, clients have one path to the network.
>
> It's a little surprising to be hearing resistance to local resolver
> blocking being cited as a goal here, given that previously I've heard
> complaints that DoH (which is effectively a separate path to another
> resolver) is a mechanism for circumventing exactly this kind of blocking.
>
>
I think you are misinterpreting the meaning of "controlled by". I.e.
"operated by", "subverted by", "poisoned by" (an attacker).

It has nothing to do with the path, to either the destination endpoint, or
to either resolver.

For example, suppose the client knew about 9.9.9.9 and 8.8.8.8, and
preferred 8.8.8.8.
If 8.8.8.8 was compromised and injecting (responding to queries with) false
NXDOMAIN answers in a DNSSEC-signed domain, the client would detect that,
and would then query 9.9.9.9.
Since (by the assumptions above) 9.9.9.9 is not compromised, it would
return a non-NXDOMAIN (legitimate, DNSSEC-signed) answer.

Brian

>> If the attacker's resolver supplies a fake NXDOMAIN, which the client
>> detects via DNSSEC, then the client sees the resolver's answer as a
>> SERVFAIL.
>> The client then consults a different resolver, and gets a non-NXDOMAIN
>> answer (validated by DNSSEC), and connects to the correct host.
>> Since the attacker does not control the data path to the correct host,
>> the client's connection succeeds.
>>
>> QED (useful).
>>
>> Brian
>>
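The fallback Brian describes (preferred resolver returns a forged NXDOMAIN, the validating client classifies it as bogus/SERVFAIL and asks the second resolver, which returns the signed, legitimate answer) as a runnable model. This is an added example written for this archive page, not code from anyone in the thread. Everything in it is constructed: the zone `example.test.` and its 192.0.2.x addresses, the resolver labels `8.8.8.8` (assumed compromised, exactly as in Brian's hypothetical) and `9.9.9.9` (honest), and the HMAC `toy_sign` that stands in for RRSIG verification because the standard library has no DNSSEC; the attacker-operated resolver is modelled as not holding the zone key, which is what a public-key RRSIG guarantees in practice. The example also covers the genuine-NXDOMAIN case, where a properly signed NSEC denial is accepted on the first try.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Stand-in for the zone's signing key (constructed). Real DNSSEC verifies public-key
# RRSIGs against a DNSKEY chained to a trust anchor; HMAC is used only for illustration.
ZONE_KEY = b"toy-zone-signing-key"


def canonical(name):
    """Canonical DNS ordering key: labels compared right-to-left, case-insensitively."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def toy_sign(*parts):
    """Stand-in for an RRSIG covering the given data."""
    return hmac.new(ZONE_KEY, "|".join(parts).encode(), hashlib.sha256).digest()


def covers(owner, nxt, qname):
    """True if the NSEC interval (owner, nxt) proves that qname does not exist."""
    o, n, q = canonical(owner), canonical(nxt), canonical(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # the last NSEC wraps around to the zone apex


@dataclass(frozen=True)
class Response:
    rcode: str          # "NOERROR" or "NXDOMAIN"
    rdata: tuple = ()   # addresses in a positive answer
    nsec: tuple = ()    # (owner, next) NSEC pair for a denial
    sig: bytes = b""    # toy RRSIG over rdata or over the NSEC pair


class HonestResolver:
    """Serves a signed zone (constructed data): every answer and denial carries a valid toy RRSIG."""

    def __init__(self, name, zone):
        self.name = name
        self.zone = zone                          # owner -> tuple of addresses
        self.chain = sorted(zone, key=canonical)  # NSEC chain in canonical order

    def query(self, qname):
        if qname in self.zone:
            rdata = self.zone[qname]
            return Response("NOERROR", rdata=rdata, sig=toy_sign(qname, *rdata))
        for i, owner in enumerate(self.chain):
            nxt = self.chain[(i + 1) % len(self.chain)]
            if covers(owner, nxt, qname):
                return Response("NXDOMAIN", nsec=(owner, nxt), sig=toy_sign(owner, nxt))
        raise RuntimeError("a closed NSEC chain always covers a missing name")


class CompromisedResolver:
    """The thread's hypothetical: a resolver that forges NXDOMAIN for chosen names.
    It does not hold ZONE_KEY, so its denial cannot carry a valid signature."""

    def __init__(self, name, upstream, forged):
        self.name, self.upstream, self.forged = name, upstream, forged

    def query(self, qname):
        if qname in self.forged:
            fake_nsec = ("a.example.test.", "zzz.example.test.")  # looks covering, is unsigned
            return Response("NXDOMAIN", nsec=fake_nsec, sig=b"\x00" * 32)
        return self.upstream.query(qname)  # everything else is answered honestly


class ValidatingStub:
    """Client holding resolvers in preference order and validating every answer itself."""

    def __init__(self, resolvers):
        self.resolvers = resolvers

    def validate(self, qname, r):
        """Return (rcode, rdata); anything that fails validation is bogus -> SERVFAIL."""
        if r.rcode == "NOERROR":
            ok = hmac.compare_digest(r.sig, toy_sign(qname, *r.rdata))
            return ("NOERROR", r.rdata) if ok else ("SERVFAIL", ())
        if r.rcode == "NXDOMAIN" and len(r.nsec) == 2:
            owner, nxt = r.nsec
            ok = hmac.compare_digest(r.sig, toy_sign(owner, nxt)) and covers(owner, nxt, qname)
            return ("NXDOMAIN", ()) if ok else ("SERVFAIL", ())
        return ("SERVFAIL", ())

    def resolve(self, qname):
        """Try resolvers in order; a bogus (SERVFAIL) result moves on to the next one."""
        trail = []
        for res in self.resolvers:
            rcode, rdata = self.validate(qname, res.query(qname))
            trail.append((res.name, rcode))
            if rcode != "SERVFAIL":
                return rcode, rdata, trail
        return "SERVFAIL", (), trail


def build_scenario():
    """Brian's example: the client prefers 8.8.8.8 (assumed compromised) over 9.9.9.9 (honest)."""
    honest = HonestResolver("9.9.9.9", {
        "example.test.": ("192.0.2.1",),
        "mail.example.test.": ("192.0.2.25",),
        "www.example.test.": ("192.0.2.10",),
    })
    compromised = CompromisedResolver("8.8.8.8", honest, forged={"www.example.test."})
    return ValidatingStub([compromised, honest])


if __name__ == "__main__":
    stub = build_scenario()
    print(stub.resolve("www.example.test."))   # forged NXDOMAIN -> SERVFAIL -> 9.9.9.9 answers
    print(stub.resolve("nope.example.test."))  # a genuine, signed denial is accepted first time
```

The detection only exists because the client validates for itself: a client that merely trusts the resolver's AD bit has nothing with which to tell a forged NXDOMAIN from a real one, which is the gap Ted's first paragraph points at. The `trail` returned by `resolve` is the piece a defender wants logged, since a resolver that repeatedly produces bogus denials for signed names is exactly the signal that it has been subverted.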