Re: [dns-privacy] Trying to understand DNS resolver 'discovery'

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Wed, 27 November 2019 14:43 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
CC: Phillip Hallam-Baker <phill@hallambaker.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Thread-Topic: [dns-privacy] Trying to understand DNS resolver 'discovery'
Date: Wed, 27 Nov 2019 14:42:50 +0000
Message-ID: <CY4PR1601MB1254E55D8DD8F5D4C9E5D817EA440@CY4PR1601MB1254.namprd16.prod.outlook.com>
References: <CAMm+Lwig+90Riqav6BT6D-0n4pZJFgAr3p996Q+qXJSPt0kqBQ@mail.gmail.com> <20191126180441.GA4452@sources.org> <CY4PR1601MB125470ADE243F60FB710E8C7EA440@CY4PR1601MB1254.namprd16.prod.outlook.com> <20191127142842.GA18601@nic.fr>
In-Reply-To: <20191127142842.GA18601@nic.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/bNvw-GBSS95czFtRBP_WzdUuqDI>
Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'

> -----Original Message-----
> From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
> Sent: Wednesday, November 27, 2019 7:59 PM
> To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>
> Cc: Stephane Bortzmeyer <bortzmeyer@nic.fr>; Phillip Hallam-Baker
> <phill@hallambaker.com>; dns-privacy@ietf.org
> Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
> 
> On Wed, Nov 27, 2019 at 09:07:15AM +0000, Konda, Tirumaleswar Reddy
> <TirumaleswarReddy_Konda@McAfee.com> wrote a message of 72 lines
> which said:
> 
> > > *All* "automatic discovery of the DoH resolver" schemes are broken
> > > by design and I really wonder why people keep suggesting them.
> >
> > Not all discovery mechanisms have security holes, you may want to look
> > into
> > https://tools.ietf.org/html/draft-reddy-dprive-bootstrap-dns-server-05.
> 
> It seems to me that this draft has exactly the same problem as every other
> "resolver discovery" proposal: it gives complete power to the access network
> to indicate the resolver to use. 

No, the client makes a decision whether to use the local resolver or not; please see https://tools.ietf.org/html/draft-reddy-dprive-dprive-privacy-policy-01#section-2
I will update the draft in the next revision to make it clearer.

> If you use DoH/DoT, it is because you don't
> trust the access network. Relying on it to indicate a DoH/DoT resolver is
> pointless.

Agreed, the bootstrapping procedure is not implicitly triggered. You may want to look into https://tools.ietf.org/html/draft-reddy-dprive-bootstrap-dns-server-05#section-11. It is similar to the way a VPN is enabled implicitly in all networks and the user has to explicitly disable the VPN connection in a specific network (e.g., a home network with a security service to filter malware).

Cheers,
-Tiru

> 
> For instance, if your access provider has a lying resolver and you want to
> escape it with DoH/DoT access to an external resolver, I don't see how this
> draft helps you.
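A sketch of the client-side policy Tiru describes (the configured resolver is used on every network, and a network-advertised DoT/DoH resolver is followed only where the user has explicitly opted in), added here as an illustration and not code from either draft. Network identifiers, addresses and names are constructed, and pinning the approved authentication name at opt-in time is an assumption of this sketch, added so that a network that later starts advertising a different resolver (the "lying resolver" case in the quoted message) is not followed silently.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Resolver:
    address: str              # IP literal of the DoT/DoH server (constructed values in tests)
    auth_name: Optional[str]  # name the client authenticates the server certificate against; None if only an IP was advertised


@dataclass
class ClientPolicy:
    # Resolver the user configured; used on every network unless the user opted in to a local one there.
    trusted: Resolver
    # network_id -> authentication name the user approved when opting in on that network.
    opted_in: Dict[str, str] = field(default_factory=dict)


def opt_in(policy: ClientPolicy, network_id: str, advertised: Resolver) -> bool:
    """Explicit user action: accept the local resolver on this network.

    Refused when the advertised resolver cannot be authenticated, because a bare IP
    handed out by the access network gives the client nothing to verify later.
    """
    if not advertised.auth_name:
        return False
    policy.opted_in[network_id] = advertised.auth_name
    return True


def select_resolver(policy: ClientPolicy, network_id: str,
                    advertised: Optional[Resolver]) -> Tuple[Resolver, str]:
    """Decide which resolver to use on this network; the second value is the reason, for an audit log."""
    approved = policy.opted_in.get(network_id)
    if approved is None:
        # Default: the network's advertisement carries no weight without an explicit opt-in.
        return policy.trusted, "no opt-in for this network; advertised resolver ignored"
    if advertised is None or advertised.auth_name != approved:
        # The network now advertises something other than what the user approved: do not follow it.
        return policy.trusted, "advertised resolver differs from the one approved at opt-in; falling back"
    return advertised, "user opted in on this network and advertised resolver matches approval"
```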