IETF Logo Mail Archive

Re: [dns-privacy] Trying to understand DNS resolver 'discovery'

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Wed, 27 November 2019 15:01 UTC

Return-Path: <tirumaleswarreddy_konda@mcafee.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00A451209A1 for <dns-privacy@ietfa.amsl.com>; Wed, 27 Nov 2019 07:01:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hC8QIijJ0S9m for <dns-privacy@ietfa.amsl.com>; Wed, 27 Nov 2019 07:01:14 -0800 (PST)
Received: from us-smtp-delivery-140.mimecast.com (us-smtp-delivery-140.mimecast.com [216.205.24.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6C8B120964 for <dns-privacy@ietf.org>; Wed, 27 Nov 2019 07:01:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=mimecast20190606; t=1574866872; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=i+V+dgvsEn36GlFjktzLqYPzz93uYVzsGFNGmPxvvAw=; b=gudW1xysK/hMtBKi8bpEXipA5Jw8IN7e6DuA/B0qkJYo3lBSlUz4YOv6JpW6i4hOPZ0W9C stAAuF/hkM5PfFdQqZ5Vf8zVduvkc6ERO4L13juewMjvYVrpo3Zds7d+SMZVXclS15GMLW i6OTkgNtNAcipGuphwl7Rk9Ehw0koj4=
Received: from NAM05-DM3-obe.outbound.protection.outlook.com (mail-dm3nam05lp2051.outbound.protection.outlook.com [104.47.49.51]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-87-tRKN9dbdNbWoSYhr2AL_6g-1; Wed, 27 Nov 2019 10:01:10 -0500
Received: from CY4PR1601MB1254.namprd16.prod.outlook.com (10.172.118.12) by CY4PR1601MB1270.namprd16.prod.outlook.com (10.172.116.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2474.22; Wed, 27 Nov 2019 15:01:08 +0000
Received: from CY4PR1601MB1254.namprd16.prod.outlook.com ([fe80::4aa:ad9b:390a:f7af]) by CY4PR1601MB1254.namprd16.prod.outlook.com ([fe80::4aa:ad9b:390a:f7af%12]) with mapi id 15.20.2474.023; Wed, 27 Nov 2019 15:01:08 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Neil Cook <neil.cook@noware.co.uk>
CC: Stephane Bortzmeyer <bortzmeyer@nic.fr>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, Phillip Hallam-Baker <phill@hallambaker.com>
Thread-Topic: [dns-privacy] Trying to understand DNS resolver 'discovery'
Thread-Index: AQHVpH/sjJ4BY7ksP0eWka61gH491qedvvOAgAEMS4CAAERloIAACJCAgAABx8A=
Date: Wed, 27 Nov 2019 15:01:08 +0000
Message-ID: <CY4PR1601MB1254212ECA55CBAE6405065EEA440@CY4PR1601MB1254.namprd16.prod.outlook.com>
References: <CAMm+Lwig+90Riqav6BT6D-0n4pZJFgAr3p996Q+qXJSPt0kqBQ@mail.gmail.com> <20191126180441.GA4452@sources.org> <4E2DE849-CC35-4675-9A41-CD134D65371A@noware.co.uk> <CY4PR1601MB1254D915F946F255B2B53DC8EA440@CY4PR1601MB1254.namprd16.prod.outlook.com> <008AE77C-7340-4ECA-BDDB-CDEFE1087EAF@noware.co.uk>
In-Reply-To: <008AE77C-7340-4ECA-BDDB-CDEFE1087EAF@noware.co.uk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.4.0.45
dlp-reaction: no-action
x-originating-ip: [49.37.206.28]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 656e685e-50fd-4912-c9b5-08d7734aa26f
x-ms-traffictypediagnostic: CY4PR1601MB1270:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <CY4PR1601MB12700C456627543E07D7FC31EA440@CY4PR1601MB1270.namprd16.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-forefront-prvs: 023495660C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(396003)(376002)(136003)(366004)(39860400002)(346002)(199004)(189003)(32952001)(33656002)(478600001)(80792005)(52536014)(25786009)(606006)(5660300002)(6436002)(66574012)(2906002)(4326008)(71190400001)(6246003)(71200400001)(76116006)(66476007)(74316002)(7736002)(66446008)(66946007)(236005)(66556008)(64756008)(14454004)(6916009)(11346002)(102836004)(790700001)(6116002)(76176011)(9686003)(3846002)(81156014)(53546011)(6506007)(54906003)(966005)(81166006)(54896002)(316002)(26005)(186003)(5024004)(229853002)(14444005)(55016002)(256004)(86362001)(8936002)(66066001)(446003)(6306002)(99286004)(8676002)(7696005)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:CY4PR1601MB1270; H:CY4PR1601MB1254.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: JcWeYaSneVDDsbiuav/RF3eTuA1Bs/RLoLBkkGUcoYbF36H/k0NJ5aArG0Lp1I3cAvynQ4xlLcmPEkfQfhtNn5qz6OuHEzwIWno5FUvjTz7X8ylTYUx8YLIdNUCUXJG8JmLLU5mim3MpOaLFKdlotDe0cHnmOBBY+R9uLq2HaXLIrsOvKmny17jH1qOKe0trzcFihKor4NP+x3n592IfkoffM02e17pW7xIRfnWMfQ17wsssRfCAynqMsYTsLIAGL/kMVN7OKTvLDRPdbiXKdPK7CmfIzqg8T1SbhV+D6rpMGU9+ra53laSAtRv5nzs34FZCtakKZvh+5n6x0A+QIFKIYWGQnk3viw1xKUJxOCmxwoTGmkMdpLeaEwn1/0ZQc/ZBHQqNS9Ks0U2DJiMGmjr7KXFV7wh2Z+cWGNwk+BG7m5PP5rrEAqle3xxl2HoQN2PU63cW4NITP8SzbSYpzQsn7zW1V0t1ANQYwyHvlV0=
x-ms-exchange-transport-forked: True
MIME-Version: 1.0
X-OriginatorOrg: mcafee.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 656e685e-50fd-4912-c9b5-08d7734aa26f
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Nov 2019 15:01:08.4044 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: CVpUrsdlKEzecYeB4eIohnmYpp5kU3jJ0z5aqh0EpREBdeYszARFW7fcOsqHTRBfY/esLu9ASfBqO5NqbQSwNL+fdJcfXEFQs0c+Op8Y5S6P2o+UgQsIrCSC1iEWUEyl
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR1601MB1270
X-MC-Unique: tRKN9dbdNbWoSYhr2AL_6g-1
X-Mimecast-Spam-Score: 0
Content-Type: multipart/alternative; boundary="_000_CY4PR1601MB1254212ECA55CBAE6405065EEA440CY4PR1601MB1254_"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/3twAKh8u9N8UIWn3M19gal2zkg8>
Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 15:01:17 -0000

Please see inline

From: Neil Cook <neil.cook@noware.co.uk>
Sent: Wednesday, November 27, 2019 8:10 PM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>
Cc: Stephane Bortzmeyer <bortzmeyer@nic.fr>; dns-privacy@ietf.org; Phillip Hallam-Baker <phill@hallambaker.com>
Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.

________________________________



On 27 Nov 2019, at 14:22, Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@mcafee.com<mailto:TirumaleswarReddy_Konda@mcafee.com>> wrote:


Resolver discovery schemes allow a client to ask the local resolver to provide
information about the resolver, such as DoH info, as well as potentially other
information about the resolver. I don’t see why they’re broken by design;
yes they add no security properties on top of the (insecure) DHCP
mechanism used to contact the resolver in the first place, but how clients use
that information is up to them. They may or may not decide to trust that
resolver,

The problem with DHCP is the client has no way to know whether the DoT/DoH server is indeed hosted by the local network or by an attacker. For example, consider a network using Quad9/OpenDNS to perform malware filtering but attacker spoofs the DHCP response to convey the network is using CloudFlare DNS server. Chrome would establish DoH with CloudFlare, and the attack is successful. It is also easy for the attacker to get a domain name, and get the certificate signed by the CA (domain validate certificate).


I’m not arguing that DHCP is secure, I’m arguing that discovery isn’t worthless.,

[TR] I am only saying DHCP is not right discovery technique mechanism but I am not opposing discovery.

The client is free to use other mechanisms to decide whether to trust the DoH server returned as part of the discovery mechanism. For example if the resolver discovery returns the DoH server for that resolver as “myisp.net<http://myisp.net>”, then the client can verify not only that the certificate matches myisp.net<http://myisp.net>, but also whether it trusts “myisp.net<http://myisp.net>” for DNS resolution.

[TR] You may want to re-look into the attack I explained in the previous e-mail, client will use CloudFlare DoH server trusted by the browser (whereas the network is using Quad9/OpenDNS for malware filtering).

This is essentially the approach that Chrome is already taking with DoH, except that it currently lacks the discovery part.

Another use-case for discovery would be the case where I have manually entered a DNS server (e.g. 1.1.1.1). By default I can use DNS53 or DoT to that server, but not DoH. However with discovery I could ask (using either DNS53 or DoH) the 1.1.1.1 resolver if it supports DoH and if so on what URL.

[TR] The above discovery is more straightforward, client can query for the URI resource record type using https://tools.ietf.org/html/rfc7553

Cheers,
-Tiru

Neil

v2.23.0 | Report a Bug | By Email