IETF Logo Mail Archive

Re: [dns-privacy] Trying to understand DNS resolver 'discovery'

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Wed, 27 November 2019 08:57 UTC

Return-Path: <tirumaleswarreddy_konda@mcafee.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EFFB120812 for <dns-privacy@ietfa.amsl.com>; Wed, 27 Nov 2019 00:57:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QaG4GPAd3Ydg for <dns-privacy@ietfa.amsl.com>; Wed, 27 Nov 2019 00:57:48 -0800 (PST)
Received: from us-smtp-delivery-140.mimecast.com (us-smtp-delivery-140.mimecast.com [63.128.21.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8E861200B6 for <dns-privacy@ietf.org>; Wed, 27 Nov 2019 00:57:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=mimecast20190606; t=1574845067; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=h5NwHI7AqeNteE9MQPlBhRwoEYz13D6DKuepaIysWRQ=; b=h8hscNtRgWCQDwAz/KKGrPfqTBQaNPQ2Mw+e5YhBHxTCcTucwEU1rLMBWEM9IUYA7Gftr/ m8/VGaFWRV0XY4vAvqohiepz/Oa6Isbj+qTBRz72LSecrDLWh42Mbj3eObGKWdn9qKp1zN If6YsueMt4CLkSOeQ0t2wycxD1WS3XE=
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (mail-co1nam03lp2054.outbound.protection.outlook.com [104.47.40.54]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-328-WDTiG4pxMFeOGK-OI4q9ZQ-1; Wed, 27 Nov 2019 03:57:44 -0500
Received: from CY4PR1601MB1254.namprd16.prod.outlook.com (10.172.118.12) by CY4PR1601MB1207.namprd16.prod.outlook.com (10.172.120.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2474.22; Wed, 27 Nov 2019 08:57:42 +0000
Received: from CY4PR1601MB1254.namprd16.prod.outlook.com ([fe80::4aa:ad9b:390a:f7af]) by CY4PR1601MB1254.namprd16.prod.outlook.com ([fe80::4aa:ad9b:390a:f7af%12]) with mapi id 15.20.2474.023; Wed, 27 Nov 2019 08:57:42 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>, Phillip Hallam-Baker <phill@hallambaker.com>
CC: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Thread-Topic: [dns-privacy] Trying to understand DNS resolver 'discovery'
Thread-Index: AQHVpH/sjJ4BY7ksP0eWka61gH491qeduzEAgAD6nRA=
Date: Wed, 27 Nov 2019 08:57:42 +0000
Message-ID: <CY4PR1601MB1254E7BFEBC19959BF70A038EA440@CY4PR1601MB1254.namprd16.prod.outlook.com>
References: <CAMm+Lwig+90Riqav6BT6D-0n4pZJFgAr3p996Q+qXJSPt0kqBQ@mail.gmail.com> <CAH1iCirHc4QFGYo_R-4TzWL2Q7G9XFj-6YKsvKsQS4dkx0-C2w@mail.gmail.com>
In-Reply-To: <CAH1iCirHc4QFGYo_R-4TzWL2Q7G9XFj-6YKsvKsQS4dkx0-C2w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.4.0.45
dlp-reaction: no-action
x-originating-ip: [103.245.47.20]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d8dba563-88d9-423c-d3d0-08d77317dcd2
x-ms-traffictypediagnostic: CY4PR1601MB1207:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <CY4PR1601MB1207F04EF41C28F18471A076EA440@CY4PR1601MB1207.namprd16.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:2276;
x-forefront-prvs: 023495660C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(39860400002)(366004)(376002)(396003)(136003)(346002)(32952001)(189003)(199004)(7736002)(53546011)(6506007)(102836004)(8676002)(229853002)(26005)(5024004)(14444005)(66946007)(186003)(14454004)(4326008)(6116002)(55016002)(99286004)(66066001)(25786009)(81166006)(74316002)(6306002)(54896002)(7696005)(6436002)(316002)(446003)(110136005)(9686003)(236005)(76176011)(11346002)(81156014)(606006)(52536014)(33656002)(86362001)(966005)(71200400001)(9326002)(256004)(66446008)(64756008)(71190400001)(66556008)(66476007)(80792005)(478600001)(3846002)(790700001)(5660300002)(6246003)(76116006)(8936002)(2906002)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:CY4PR1601MB1207; H:CY4PR1601MB1254.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: FHDQ4f4ggq5PRDmbLkojEVJHeSM34TSK4PGacBMb3FAFeJISWk7hmnLpJvUuj+x9epkrFxpctqxxsXi9Y6B/K49m6eOT7bBq34SkAvxHXvni+JOO0nXF+j1Je6TN+JFTJyHtUhAafq+DcV/D5sqVO8dErwaA0HzeivI2WvOZHN84sqiAFrOYHN0ljQvuuhZ2AROJhnI9LDYwVoUs5YdxX7M0t8xN0b4A9sSILOFI11Qy5tGRty0ByyORWZeKADuNNOl3QT53uZ7BHiG0X7FEYyH9QV9iGoV0rx19OQAPWYqpRcdP00MaK61kr5epK3uuQca5JiGdhcvolKWA/19cwkGa8lIdQMSv/Dm0AGNnEE4tzSGn6lhXIDW2X8qK5ZX0DQLWBNiifqP2kc1N+ZqgfVqRlqKu2qaL0ontzTEj/U5ZI1gV3XchwEbBebco9jeqN8rFBWFmkaJa3ubn1X62Epw0TV3iNKsQDuH0uwNLk0lY2qoUcCO7gU5CDkA/dJnM
x-ms-exchange-transport-forked: True
MIME-Version: 1.0
X-OriginatorOrg: mcafee.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d8dba563-88d9-423c-d3d0-08d77317dcd2
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Nov 2019 08:57:42.1591 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ZCxOWgMdFAziIC2u58xzZ2I2FpQSPOgta0grssxo8+ZFXmZUAxTrj5mDIEz+2tKnGCtyQ2FifQHNdyF0FNm3HqiZRi9D91oO7FP4CSZNxHZ8G4MZKNnUoKB29457yZbs
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR1601MB1207
X-MC-Unique: WDTiG4pxMFeOGK-OI4q9ZQ-1
X-Mimecast-Spam-Score: 0
Content-Type: multipart/alternative; boundary="_000_CY4PR1601MB1254E7BFEBC19959BF70A038EA440CY4PR1601MB1254_"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/V-HQw915D2MC_gHVmzgK5EhUh74>
Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 08:57:52 -0000

Hi Brian,

Yes, the client needs to discover the privacy policy information of both the forwarder and recursive resolvers, and if the DNS messages are encrypted between the forwarder and recursive resolver. Further, the forwarding DNS server can be configured with both primary and secondary resolvers as a backup mechanism to handle primary server failure.

You may want to look into privacy information claim discussed in https://tools.ietf.org/html/draft-reddy-dprive-dprive-privacy-policy-01#section-6.2.2. It includes the upstream servers privacy claims and if DoT or DoH is used to encrypt the DNS messages exchanged between the local DNS server and recursive resolver.

Cheers,
-Tiru
From: dns-privacy <dns-privacy-bounces@ietf.org> On Behalf Of Brian Dickson
Sent: Tuesday, November 26, 2019 11:21 PM
To: Phillip Hallam-Baker <phill@hallambaker.com>
Cc: dns-privacy@ietf.org
Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'




CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.

________________________________
On Tue, Nov 26, 2019 at 9:35 AM Phillip Hallam-Baker <phill@hallambaker.com<mailto:phill@hallambaker.com>> wrote:
This notion of DNS resolver discovery seems very strange to me.

The larger issue (and the one I am interested in finding solutions for) is that what is configured as a 'resolver', might actually be a 'forwarder'.

I.e. the path is generalized as client -> forwarder* -> resolver (zero or more forwarders).

Any DNS client, and any DNS server, when communicating, are unable to distinguish whether the other is (respectively) a resolver or forwarder, or a client or forwarder.

For the DPRIVE use case, it is hopefully clear that the path from the client to the (ultimate) resolver, needs to be encrypted in order to achieve privacy.

However, if the only place the client is able to establish an encrypted path to is a forwarder, this leave open the possibility that the forwarder->(forwarder->[...])->resolver might involve one or more unencrypted connections.

Depending on the network(s) and presence of NAT(s), it may or may not be possible for the client to communicate directly with the (ultimate, actual) resolver.

It is also a potential issue in addressing this issue with any mechanism(s), that intermediate forwarders and the resolver itself, may not have FQDNs of any sort, may not have NSIDs configured, and may not have public (globally unique) IP addresses.

So, the 'discovery' can involve any or all of, some naming method (for things without FQDNs), path discovery, address discovery, and address scope conflict detection, with the preferred result of client->resolver direct connection with encrypted transport.

Brian

v2.23.0 | Report a Bug | By Email