Re: [Add] fixing coffee shop brokenness with DoH

[Eric Rescorla <ekr@rtfm.com>]

On Wed, Jul 24, 2019 at 10:56 AM Brian Dickson <
brian.peter.dickson@gmail.com> wrote:

>
>
> On Wed, Jul 24, 2019 at 1:46 PM Eric Rescorla <ekr@rtfm.com> wrote:
>
>>
>>
>> On Wed, Jul 24, 2019 at 10:32 AM Brian Dickson <
>> brian.peter.dickson@gmail.com> wrote:
>>
>>>
>>>
>>> On Wed, Jul 24, 2019 at 1:15 PM Eric Rescorla <ekr@rtfm.com> wrote:
>>>
>>>>
>>>>
>>>> On Wed, Jul 24, 2019 at 8:58 AM Ted Lemon <mellon@fugue.com> wrote:
>>>>
>>>>> There are a variety of attack scenarios to account for. DNSSEC is not
>>>>> useful for countering a fake NXDOMAIN attack when the attacker also
>>>>> controls the path and can prevent connection establishment.
>>>>>
>>>>> However, if the attacker is the resolver, and the resolver isn’t under
>>>>> the control of the path, then detecting a fake NXDOMAIN is useful.
>>>>>
>>>>
>>>> How?
>>>>
>>>
>>> Assumptions:
>>>
>>>    1. One resolver is controlled by the attacker
>>>    2. The path to the real endpoint is free from control by that same
>>>    attacker
>>>    3. Any other resolver, not controlled by that same attacker, is known
>>>
>>> This last possibility seems like a pretty narrow case. In the vast
>> majority of cases, clients have one path to the network.
>>
>> It's a little surprising to be hearing resistance to local resolver
>> blocking being cited as a goal here, given that previously I've heard
>> complaints that DoH (which is effectively a separate path to another
>> resolver) is a mechanism for circumventing exactly this kind of blocking.
>>
>>
> I think you are misinterpreting the meaning of "controlled by". I.e.
> "operated by", "subverted by", "poisoned by", "subverted by" (an attacker).
>
> It has nothing to do with the path, to either the destination endpoint, or
> to either resolver.
>
> For example, suppose the client knew about 9.9.9.9 and 8.8.8.8, and
> preferred 8.8.8.8.
> If 8.8.8.8 was compromised and injecting (responding to queries with)
> false NXDOMAIN answers in a DNSSEC-signed domain, the client would detect
> that, and would then query 9.9.9.9.
> Since (by the assumptions above) 9.9.9.9 is not compromised, it would
> return a non-NXDOMAIN (legitimate, DNSSEC-signed) answer.
>

This also seems like an edge case. The vast majority of clients do not have
two independently controlled resolvers.

-Ekr


> Brian
>
>
>>
>>
>> If the attacker's resolver supplies a fake NXDOMAIN, which the client
>>> detects via DNSSEC, then the client sees the resolver's answer as a
>>> SERVFAIL.
>>> The client then consults a different resolver, and gets a non-NXDOMAIN
>>> answer (validated by DNSSEC), and connects to the correct host.
>>> Since the attacker does not control the data path to the correct host,
>>> the client's connection succeeds.
>>>
>>> QED (useful).
>>>
>>> Brian
>>>
>>>
>>