Re: [Add] some background on split DNS with DNSSEC

[Paul Wouters <paul.wouters@aiven.io>]

On Tue, 9 Nov 2021, Deen, Glenn wrote:

> That said, what ADD is chartered to do is to look at how to do encrypted DNS resolver discovery in the environments that users do live in, and not just environments that we think they should be in, so with the background on DNSSEC that started this chain, and EKR's moment of actually putting a good word in for DNSSEC during the ADD session,  does the group see there being a role here for DNSSEC?

I think the problem is still that the different use cases are conflicting.

1) Enterprise split DNS

Use provisioning tools to get similar security as RFC 8598 with
authenticated list of domains to take over. This would avoid using public
DNS to "verify" or "authenticate" which would leak private enterprise
domains. I think the current draft's text of somehow (still unclear to
me) have public nameservers claim authority for internal only zones is
the wrong method. Signal some URI over DHCP options and let clients
with provisioning retrieve/verify/use it. Unprovisioned users would
not use the option, lacking a method to validate the list, which also
prevents abuse of this protocol in non-enterprise setups.

2) ISP like provisioning domains and hotspot (redirect) domain logins

This is the hardest one, eg .box for the Fritz!Box router in Germany.  In
this case, it requires accessing .box, but it is completely squatted. You
could only allow this if you confirm the external domain does not exist
Also, germany would go offline as soon as .box gets delegated. We don't
care about leaks here, which is good because one has to query the public
DNS. But as ekr pointed out, browsers already have a workaround
behaviour by trying public DNS and if that fails retry on local
network's DNS. systemd-resolved sends out the query on all interfaces
(and uses the first returned answer, which is in itself a security
nightmware, but I digress). The question is, is this something ADD
should take on or leave out. I think it should leave this out as it
cannot in a reasonable way be authenticated and/or authorized.

3) enduser protection mechanisms

I don't think these would be advertised as domains to resolve but rather
would use mandatory use of DNS servers that would filter these.




I have been at a hotel chain that blocked priceline.com. Coffeeshop
wifi might prevent certain domains to prevent things like Google Meet
or other domains that make people use a lot of bandwidth and stay very
long. Schools might grab facebook to block it. While I think network
owners should be able to dictare terms on their clients, I don't think
the current ADD split-dns is the right mechanism for that.

And then we have the issue of this document of split DNS having a run-in
with censorship, either by nationstate or as a security service. In
those cases, the goal is to take over all DNS for the protection of the
user. When that happens, it overrides the split-dns network configuration.
But of course, enforcing of that is impossible and a race of DoH against
the administrator ensures.

I did see the Zero Knowledge Proof DNS blocklist presentation today, but
I also feel that even if the protocol managed to be speed up to be
usable, the problem is that those who want to deploy blocking as a
security service would want to know which domains were queried (eg to
detect the C&C domain to identify the specific malware running). Those
with the power the censor DNS don't often want to give the user full
privacy - especially when they do things that are not allowed on the
network.

I think the one real use case here is to fix is the enterprise list of domains.
This is the use case where every party agrees to play along.

If I need to access internal.aiven.io when I join the wifi and use my own
TRR nameserver, I need to get these domains into my application. The
current browser method of trying external before trying internal
nameserver fixes that but it is not the best solution for all applications
performing DNS. My laptop's build system would fail with DNS in git or
other build tools.

The browser solution also does not work when the view leads to different
valid result. Eg if vault.aiven.io would be landing page with "nothing to
see here" on the external view, and a real vault on the internal view. The
easy fix is "don't do that" but there might be more complicated scenarios
where this cannot be avoided.

Putting a solution in the stub would be good.  I think ADD can specify something
here, but it would really be part of (and authenticated by) the enterprise
provisioning. Which could be as simple as a URI via DHCP option to a signed
list by a CA that I installed. I am not sure dancing around in different
DNS views would be particularly useful. And it would still allow
outsiders to see those public DNS queries which are supposed to remain
private. And I still don't understand the updates to the document from
this Monday, that adds some packet flaw images, but no DNS query
information. I still don't understand it :(

Paul