Re: [dns-privacy] [Add] Draft on the use of multiple recursive resolvers

Brian Dickson <brian.peter.dickson@gmail.com> Sun, 17 November 2019 11:09 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1636E12008B; Sun, 17 Nov 2019 03:09:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gc-RP2D77BmF; Sun, 17 Nov 2019 03:09:48 -0800 (PST)
Received: from mail-ua1-x944.google.com (mail-ua1-x944.google.com [IPv6:2607:f8b0:4864:20::944]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66097120024; Sun, 17 Nov 2019 03:09:48 -0800 (PST)
Received: by mail-ua1-x944.google.com with SMTP id a13so4347145uaq.0; Sun, 17 Nov 2019 03:09:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=RybEf7ZlytPpu54Xyjh2IV+3gfnOyRdSiOHap09jExM=; b=QzY3AqS/jxkSv3A2az0o4Oa0aHt9CDxRhf8253sUxFSJfEssS7Rz+IMDkrBZ+ED3aD DIt+Q4yfBq3PlBwxI0f9tjeGoWJl61y0mVAdbIHb1KUbYhO0S2z6B5DrnLHpOec9W5CE XZLV/BxJytv6bjw2Amq+4JrJJzxpdBRGPbVEQhuUa/qyukb0ypuVQXHiSRnPpuT8ntmV qwynrhPaJVOTVfd+FN6BSXbm9C79ddYg5IswVd/DsMWEQgB+7Hs0GkhyiJijB3wbxyXd 81N+Qw+aBtNprR6I7z1BK/XaPHOfSbGoyA5uZX7zvDmZZvFOcQBe/3pOezaswV1wDafa 8wfg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=RybEf7ZlytPpu54Xyjh2IV+3gfnOyRdSiOHap09jExM=; b=Lt7zPnGNhhbCC8RtJGMtC5HrMubAuhHEdIKm3uyQpZdA+wEDC8vX9N6UyjUt/FOsyd rr2uv7zHGGvvtQkfCIexXit6UdmeYzMNBfUsSkif+XGLpIQ10Ne5Qt9dgSQAKGkn+4Zl PqY8nLpqkIyaHTrk237RVUk5nJTOEfWTOnWQPcDXTSZb/E9VvJ5yMJnrG5dO9K2sD/hb k6CZdqIyee8S+CNCmC11iyzRdbB0FoXF6nJSSJfyXl95LsaTu2zMZJ51+TJhDMbGbujc F3E2LJVMWjZ27eDROpfunIVSk42C7F4mPz9qUh1S1ro8nEGjepmv0DV3ExknvJbxScC9 +yoQ==
X-Gm-Message-State: APjAAAWwzQcsMLZdP0VhGit/Jw+Rc8fCnNurIYd0JH3l5OUwGeOKP3Pm 8ej11QKSpn3KbMVg9PgIdnp8iDHOY3ypzDQge1c=
X-Google-Smtp-Source: APXvYqx2ja6kSLPdfbGsjSDHtDBRkBxwIY5/AkJJPQmXNXBYprDznMeEk7SntwkceiSO1mAGU9wqfuaB+RPoqXfuo60=
X-Received: by 2002:ab0:786:: with SMTP id c6mr14023856uaf.62.1573988987245; Sun, 17 Nov 2019 03:09:47 -0800 (PST)
MIME-Version: 1.0
References: <680390BE-E819-4951-98EE-C77E9C60E495@piuha.net>
In-Reply-To: <680390BE-E819-4951-98EE-C77E9C60E495@piuha.net>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Sun, 17 Nov 2019 19:09:31 +0800
Message-ID: <CAH1iCiqBCEZ6tvV0Fzt+C2xNHehPm9aymQbFryiJir7KpM5VaA@mail.gmail.com>
To: Jari Arkko <jari.arkko@piuha.net>
Cc: ADD Mailing list <add@ietf.org>, dns-privacy@ietf.org, Ted Hardie <ted.ietf@gmail.com>, Martin Thomson <mt@lowentropy.net>
Content-Type: multipart/alternative; boundary="0000000000007718e1059788de22"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/KgD_pCcPdlRrdFNqJt_wc-Gi1K4>
Subject: Re: [dns-privacy] [Add] Draft on the use of multiple recursive resolvers
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Nov 2019 11:09:50 -0000

I scanned it briefly, and have a question about whether it makes sense to
consider a couple of syntactic/semantic additions.

I believe there would be more value to support explicit ordering as well as
randomization within a given set at the same level of preference.
I also believe adding rules for fallback to non-private servers would be
advisable, even if some configurations choose to exclude the fallback
server set.

(Whether this uses names with hints for corresponding IP addresses of
servers, or not, is another question; that might better be addressed
separately?)

Using bind-style syntax, I would imagine something like:

resolvers {
 policy round-robin;
 fallback timeout 2s;
 set 1 {
   pref 30;
   proto dot;
   servers { 9.9.9.9; 8.8.8.8; 1.1.1.1;}
    }
 set 2 {
   pref 20;
   proto doh;
   servers {9.9.9.9; 8.8.8.8;}
   }
 set 3 {
  pref 10;
  proto dns;
  servers {1.1.1.1;}
  }
}

The concept would be to list the preferred sets of servers/protocols and
their respective preference levels, along with resolver selection policy
(possibilities could be best, round-robin, random-order, etc).
Fallback to lower-preference sets would be controlled by fallback policy.

The idea is to avoid privacy-impacting server/protocol selection generally
(resistant to downgrade attacks), if the client so desires.

Everything else in the draft would generally be applicable to the selection
policy within server sets.

This is a richer semantic than the traditional /etc/resolv.conf, but the
latter doesn't really support anything other than traditional port 53, so
being restricted by the old semantics seems unwise.

Brian

On Sat, Nov 16, 2019 at 3:38 PM Jari Arkko <jari.arkko@piuha.net> wrote:

> I wanted to point people to a draft that Martin, Ted, and me recently
> submitted
> on the use of multiple resolvers. This is early work; comments and
> additional
> analysis appreciated.
>
>
> https://tools.ietf.org/html/draft-arkko-abcd-distributed-resolver-selection-00
>
>    This memo discusses the use of a set of different DNS resolvers to
>    reduce privacy problems related to resolvers learning the Internet
>    usage patterns of their clients.
>
> Jari
>
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
>