[dns-privacy] In response to dprive DoT and why current DNS protection efforts are failing.
Brewst <loganbrewster91@gmail.com> Thu, 21 May 2020 20:51 UTC
Return-Path: <loganbrewster91@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF05F3A0A6A for <dns-privacy@ietfa.amsl.com>; Thu, 21 May 2020 13:51:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.837
X-Spam-Level:
X-Spam-Status: No, score=-1.837 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tCzGA-uAlxBD for <dns-privacy@ietfa.amsl.com>; Thu, 21 May 2020 13:51:03 -0700 (PDT)
Received: from mail-io1-xd2f.google.com (mail-io1-xd2f.google.com [IPv6:2607:f8b0:4864:20::d2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC9D03A0A5E for <dns-privacy@ietf.org>; Thu, 21 May 2020 13:51:02 -0700 (PDT)
Received: by mail-io1-xd2f.google.com with SMTP id k18so9162365ion.0 for <dns-privacy@ietf.org>; Thu, 21 May 2020 13:51:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=Zs1wRQpZunwyMWsk1GD0IhK1t6omiXARhQeJT1cOAok=; b=udn3VYmsaMjx17TYTMy8e9r3Xrymiker04dA4nef2TrgxlvasaRh3YbnGyJmKq/pTq JhnlhIV8UE8ekWsgqgIdwqKa0YBfP70twrTwAB7f2OTU77aY/p7H3xJl4QUQZ+tf9xNl YjI+HjYr3+LM8dH0cuP3rWS0NmLRbWpYWXIKKvWENvD6ZAyCYoq4CYIUuubdm/Aw82U+ AntHJWVFOb1YF9xgcBXWhWqd62ADHHSp5EU7+Ci5itpVcxuHQKDifxXgnoeEgep51X8r WbGEh/qx/t7ha9MpTIo5Qqgr62MXUVGZo0iirgwI0gexyxZOYfBbwyCm+ldWeZQxele5 tJ9w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=Zs1wRQpZunwyMWsk1GD0IhK1t6omiXARhQeJT1cOAok=; b=RXhYbMA1OYAYXbca5Q0n05cW8U1L2nHIypEIhPzZO2Kqga6l2LHvdstUhVBObhMwVk f2dupJptwjofkq+HeKvO2T7ScQZnJ8Z++0QoAeu+y59Ctw7kZfEScZ1Bm8NA5dk1mYIr PkaQEn2HvsGvAc8XkcBA8CF1FewKCjJRf6IyvDuBZkpvhaRH/5YYD80vCAt2KjY+nxC0 WP9CdoWM7MkZDoOg/x/0W4XjrdsW8i0PCkIykC5aD55dFGJp4jlXsfGcCo2fxtcmuFke Bu0N+TgJadzDgoqefLm9UksZqdCaFEiKZp0nlBEpN6n2lmzPWCF/yL04eJWfuETS2YMi X8qA==
X-Gm-Message-State: AOAM533sS+OmejUq/jTurU3HXxfb2EAwZ2Dqo86Pp33Xz41hNySGaZ3p BGVgkO16g0X2Udj+714B+MpY0/ulyuGX96LGilCwzo0iNDA=
X-Google-Smtp-Source: ABdhPJzTfu//vu7HRQiXLbwaFJMuIGqZK6Ulw6Ero1yfxapPbK+S+QB4B6dRq0rULH0s7CUDz1gPfY0tT7oGM992uV4=
X-Received: by 2002:a5e:8413:: with SMTP id h19mr432895ioj.140.1590094260323; Thu, 21 May 2020 13:51:00 -0700 (PDT)
MIME-Version: 1.0
From: Brewst <loganbrewster91@gmail.com>
Date: Thu, 21 May 2020 13:50:49 -0700
Message-ID: <CAKZL8or-_JNY0jShkvEjecWMnPJ1VjPsO_ffC=A7b2O9orJCGg@mail.gmail.com>
To: dns-privacy@ietf.org
Content-Type: multipart/alternative; boundary="0000000000008bcb2e05a62eabe7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/0TIapk5PzghghwA5Js1FLcF_lLw>
Subject: [dns-privacy] In response to dprive DoT and why current DNS protection efforts are failing.
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2020 20:51:05 -0000
I support the idea of the path between resolver and authoritative server being encrypted by using DoT, as well. I would like to bring up a topic from earlier responses. Particularly how a system should handle DNS. I am in support of a system handling DNS settings itself and any application that wishes to change this should require elevated permissions. For context, this is referring to how we are using DoH at the moment. I believe the current atmosphere around browsers using stub resolvers can unfortunately fall under RFC1087. The components of RFC1087 will follow and I will be adding examples of how browsers(and other software) can be interpreted as violating or not having these guidelines in mind while allowing stub resolvers. 1.seeks to gain unauthorized access to the resources of the Internet This can be interpreted as gaining unauthorized access to user system information. We have to implicitly trust organizations and hope they are not using their current infrastructure to take and catalog DNS queries and system information. I know this can seem like a stretch as the user is choosing to do this. In an example like the firefox browser, this is enabled automatically. This should always involve system owner choice and explicit permission to be performed. source: https://blog.mozilla.org/blog/2020/02/25/firefox-continues-push-to-bring-dns-over-https-by-default-for-us-users/ 2.disrupts the intended use of the Internet This can be seen as a way to circumvent the intended use of DNS. Software developers should not be able to change the nature of how DNS works just because of their personal view on the insecurity of current DNS practices. This can be seen as an opinion. A better answer could be: Ignoring current DNS settings within a system or organization potentially circumvents the intended destination for DNS queries and use of resolution itself. 3.wastes resources (people, capacity, computer) through such actions This can be easily understandable from an enterprise, small business, or home office standpoint. Resources at organizations are wasted when configuring domain policies to enforce anti stub resolver flags within software. Organizational DNS resources are wasted when domains attributed to third party resolvers need to be blocked to prevent un-authorized traffic sent to said resolvers. Organizational security research time and efforts are wasted in the investigation of security events related to the unauthorized destination change of DNS traffic. 4.destroys the integrity of computer-based information This can be interpreted as information from systems being shared with a third party without any controls implemented to safeguard the integrity of proprietary information. Because the information of systems is shared with a third party, we have to assume the integrity of said information is no longer guaranteed as they do not allow access for organizations or individuals to officially query how their data is being used. 5.compromises the privacy of users. This one is self explanatory. Sending data to a third party who is not held responsible for the integrity of data sent to them, compromises privacy. The way stub resolvers are handled today leads to additional privacy concerns as well. As many of you are aware, Cobalt strike introduced a module which takes advantage of the loose regulations DoH is built around and leverages it to gain access to system information with the ability to further compromise said systems. This is all without elevated permissions. Brass tax section: DNS resolution and destination of DNS traffic should not be allowed to change without explicit system owner permission. The proposed solution of having DNS encrypted via DoT from the resolver to authoritative is fantastic idea. It ensures the data's integrity while also giving system owners the ability to inspect traffic sent to their local resolver as well as the traffic sent back to systems from the resolver. This also limits organizational overhead as user systems would not need to be configured any different than they are now. It would also remain seamless for the average user, as well. source: https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/ It is a good read and hopefully can provide you with knowledge needed to help determine the future of how DNS is protected. I am new to this mailing list and if this is the wrong forum to bring up my concerns with where and how DNS resolution settings should be controlled, let me know. Thanks for your time, Logan