IETF Logo Mail Archive

Re: [dns-privacy] Trying to understand DNS resolver 'discovery'

Brian Dickson <brian.peter.dickson@gmail.com> Tue, 26 November 2019 17:51 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF14C120999 for <dns-privacy@ietfa.amsl.com>; Tue, 26 Nov 2019 09:51:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hMz_HznB2sKx for <dns-privacy@ietfa.amsl.com>; Tue, 26 Nov 2019 09:51:27 -0800 (PST)
Received: from mail-vk1-xa2a.google.com (mail-vk1-xa2a.google.com [IPv6:2607:f8b0:4864:20::a2a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05284120120 for <dns-privacy@ietf.org>; Tue, 26 Nov 2019 09:51:26 -0800 (PST)
Received: by mail-vk1-xa2a.google.com with SMTP id r4so4647882vkf.9 for <dns-privacy@ietf.org>; Tue, 26 Nov 2019 09:51:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=su1JiaIieSLF0wo+oez0EtlWV4salBfJOi2iujvluco=; b=nVeb5DdeRk8pqsBpcE+dgMmVU7ljAsEPfA/4tAF6n02B6x1ALzd16j7gGubNSWIq3n SyGHWVh2mCM5j2i/OLKZ/wC70XZQO87vjYWz4o6AmA98T8iHxEOKh+cxyfB+5kew9Ta6 Kqi3okLTv8+U+jvpIdgCnSXJXaExf2sJtO7AqvKxErK1UKVb6fKEof2at+k7XoERkkx5 4tS24WNkWuXV9AQdoXlQ2Ooc42AE4JO4Q1+qIIjoOmURXqQQm1pYD/BhdLGDPf6KaW47 hh1lnbRyU/O5IAsNzVcBRzI0+VmK3DwG1aXC6gze16a96//GLioZGtoqRWYBDcbclhok ER9w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=su1JiaIieSLF0wo+oez0EtlWV4salBfJOi2iujvluco=; b=NTtMgVK/GS0H/n9A361IwK9WaE/zWXV5TQeKpPt7W8FsrpECgYl3mmBGNWnGICsk2F asuyDcyEoX34rV5iN5krnFnboFNOJdpk9zSUJVgpCf8e9bSF0iorRc2qb1CV4lrhr1T4 E6A7GUaBcIB4odR5pwTyholHgVqxE/gImx9FRrcvur3+/mJBr0geqAHEDTnz5GY90b31 TotABYZ8j2GLWJEQ8HrvpBzkNRCYyKzGjoXgNjJisq/iww9xB9KEMMuogHHcWO+S10MJ qviVQXbT3wmY+P0sZXhlouFOf8fhjhtadCtu/VyY1hgmIr22tsMkymywGLFmNXm1TaZJ uyMQ==
X-Gm-Message-State: APjAAAURlTBC8gic/l1ozFhd0QlvTuODCttrYI4NZd4O9Q+vwnKw8Oe2 9o6cOKDJs0eRw4cCqM0iHnBp9nK/I+quYH3bBNM4kQ==
X-Google-Smtp-Source: APXvYqx0rdeR+C5Fmg56lYjzHUs958NkDatyBFr+KLVWv0agKPjCoA5U7hNa5T7POqmGDlwkId1eaT2WqxqCaLJezts=
X-Received: by 2002:ac5:c399:: with SMTP id s25mr22194768vkk.65.1574790685747; Tue, 26 Nov 2019 09:51:25 -0800 (PST)
MIME-Version: 1.0
References: <CAMm+Lwig+90Riqav6BT6D-0n4pZJFgAr3p996Q+qXJSPt0kqBQ@mail.gmail.com>
In-Reply-To: <CAMm+Lwig+90Riqav6BT6D-0n4pZJFgAr3p996Q+qXJSPt0kqBQ@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Tue, 26 Nov 2019 09:51:14 -0800
Message-ID: <CAH1iCirHc4QFGYo_R-4TzWL2Q7G9XFj-6YKsvKsQS4dkx0-C2w@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Cc: dns-privacy@ietf.org
Content-Type: multipart/alternative; boundary="0000000000006b703205984387b4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/Jmivfz0mnem-T00o3-lvBkBthUw>
Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Nov 2019 17:51:29 -0000

On Tue, Nov 26, 2019 at 9:35 AM Phillip Hallam-Baker <phill@hallambaker.com>
wrote:

> This notion of DNS resolver discovery seems very strange to me.
>

The larger issue (and the one I am interested in finding solutions for) is
that what is configured as a 'resolver', might actually be a 'forwarder'.

I.e. the path is generalized as client -> forwarder* -> resolver (zero or
more forwarders).

Any DNS client, and any DNS server, when communicating, are unable to
distinguish whether the other is (respectively) a resolver or forwarder, or
a client or forwarder.

For the DPRIVE use case, it is hopefully clear that the path from the
client to the (ultimate) resolver, needs to be encrypted in order to
achieve privacy.

However, if the only place the client is able to establish an encrypted
path to is a forwarder, this leave open the possibility that the
forwarder->(forwarder->[...])->resolver might involve one or more
unencrypted connections.

Depending on the network(s) and presence of NAT(s), it may or may not be
possible for the client to communicate directly with the (ultimate, actual)
resolver.

It is also a potential issue in addressing this issue with any
mechanism(s), that intermediate forwarders and the resolver itself, may not
have FQDNs of any sort, may not have NSIDs configured, and may not have
public (globally unique) IP addresses.

So, the 'discovery' can involve any or all of, some naming method (for
things without FQDNs), path discovery, address discovery, and address scope
conflict detection, with the preferred result of client->resolver direct
connection with encrypted transport.

Brian

v2.23.0 | Report a Bug | By Email