IETF Logo Mail Archive

Re: [dns-privacy] New draft on encrypting the stub-to-resolver link: draft-hoffman-dns-tls-stub-00.txt

Jacob Appelbaum <jacob@appelbaum.net> Tue, 19 August 2014 20:15 UTC

Return-Path: <jacob@appelbaum.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB63E1A0B73 for <dns-privacy@ietfa.amsl.com>; Tue, 19 Aug 2014 13:15:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id efmMnmhdXLiH for <dns-privacy@ietfa.amsl.com>; Tue, 19 Aug 2014 13:15:04 -0700 (PDT)
Received: from mail-qa0-f47.google.com (mail-qa0-f47.google.com [209.85.216.47]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6664B1A6EF1 for <dns-privacy@ietf.org>; Tue, 19 Aug 2014 13:14:55 -0700 (PDT)
Received: by mail-qa0-f47.google.com with SMTP id i13so6017337qae.20 for <dns-privacy@ietf.org>; Tue, 19 Aug 2014 13:14:51 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=Kf9Q+Bf0o7zqJ2bs8Y1nTedTv0cTy56+8muOKU5Z9aE=; b=VOEP7nnJsP52mGkJYptjNvn4VX9EwiKLvTSK/cig4H0FGKLioZOeGs+W60D6TvOmsG CJGUKfuZmc2S/LslsfFXbN7hzWFXMkzS1sDAIkF/65dZIpKS54TnUEq1Ryd0EmAJiYeM TAEia9YrlgkaO5Z6VQq/+GY7wlKP1fu9yche8qCMRPZvMRLiqy3FhYqREIj79HZvLZw+ ZWTzXxqibJnIG1HUiJBbhQsc0OkSKhTsh5xJYlFMXqWEsjY24UP2OGoIejynnrJFc32c nz1DgEe/FrSbgeEd31GS1cDAY5rPe7YYfJsYVTRo6xKO3SJZPkFIwjTQX9CfrSjRhmZj VGng==
X-Gm-Message-State: ALoCoQlLtJtURJziPmvYq/nxFgPIBpkAxYj5V0V9GRGPE9RqVyrvjX8a3oF7y+oqvJAjfJjL9McU
MIME-Version: 1.0
X-Received: by 10.140.94.100 with SMTP id f91mr66634783qge.41.1408479291299; Tue, 19 Aug 2014 13:14:51 -0700 (PDT)
Received: by 10.140.91.50 with HTTP; Tue, 19 Aug 2014 13:14:51 -0700 (PDT)
X-Originating-IP: [95.128.43.164]
In-Reply-To: <alpine.LFD.2.10.1408191546090.22835@bofh.nohats.ca>
References: <20140818175701.12317.96810.idtracker@ietfa.amsl.com> <FF99C324-2959-48EB-A187-18007F7AA364@vpnc.org> <CAJE_bqeoUx2gFsnVgZYfoWASkHaMgKW4tR552YRmQ4ZNzH1M=g@mail.gmail.com> <361D96E3-CD31-4E2B-88E3-46E44D6F8C3D@vpnc.org> <CAFggDF3G3JEnPLVqZ2PjX8hCBP5-rkh7jGBWMvMxgpFSN7g1yw@mail.gmail.com> <alpine.LFD.2.10.1408191546090.22835@bofh.nohats.ca>
Date: Tue, 19 Aug 2014 20:14:51 +0000
Message-ID: <CAFggDF0whYTbgu5ZCLEAhthcuhFKSJ+ma=_e=cDJa4R3Cg01ng@mail.gmail.com>
From: Jacob Appelbaum <jacob@appelbaum.net>
To: Paul Wouters <paul@nohats.ca>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/dns-privacy/gklPOX6NCiXocNTyUtp_bsTNllI
Cc: dns-privacy@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org>, 神明達哉 <jinmei@wide.ad.jp>
Subject: Re: [dns-privacy] New draft on encrypting the stub-to-resolver link: draft-hoffman-dns-tls-stub-00.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Aug 2014 20:15:06 -0000

On 8/19/14, Paul Wouters <paul@nohats.ca> wrote:
> On Tue, 19 Aug 2014, Jacob Appelbaum wrote:
>
>>> Sure, let's be explicit. Proposed addition to the policy section:
>>>
>>> If a recursive resolver does not respond on port 443 or set up a TLS
>>> session, the stub resolver MAY use the normal DNS protocol on port 53.
>>>
>>
>> I'm not a fan of making it possible for an attacker to downgrade with
>> a single (non-cryptographically protected) TCP RST packet.
>
> So you would want DTLS?
>

It depends; perhaps? An on-path attacker can mess with TCP and UDP by
dropping. There isn't much to be done there. An off-path attacker (eg:
QUANTUMINSERT) is a Machine-On-The-Side and in that case, TCP still
falls over. DTLS may do better, I'm not sure.

> The ALPN would also mark you censorship. In fact, just attempting to get
> encrypted DNS in whatever way would mark you as such. If you tunnel all
> of this over 443, they will just have to block all of 443.

I'm not clear that this is true - I think encrypting all DNS provides
a kind of herd immunity: this is the way the network works and major
DNS providers will support a secure option. If only those that need
it, ask for it, then yes, it is a distingushing feature that is likely
a problem.

And yes, they'd have to block all of 443. This doesn't happen as often
as we'd think, I suspect. Also, if they have a single switch - they
kill it for *everyone* and not only for selected folks by keyword.
This creates a lot of social pressure.

In my experience with Tor being blocked in Iran - it is much easier to
block Tor than it is to block Google. This isn't just technical. It is
also about deployment - the one everyone uses is normal and not as
acceptable to block all of the time.

>
> An attacker on the local network could just forge the DHCP server.

A lot of people manually set their DNS servers in censorship prone
countries. I've heard that Google selected 8.8.8.8 for cultural
reasons in addition to being a nice short number.

> But
> an attacker on-path on the internet could indeed send an RST packet.

An attacker can inject if they've seen the handshake - they don't have
to be on-path to tear it down.

> However, most likely an attacker that can inject a packet can also
> filter one out, so how common is the case of a non-local RST attacker?
>

I think it is pretty real:

  https://en.wikipedia.org/wiki/QUANTUMINSERT#QUANTUM_attacks

To compare - Iran has edge routers that are often hostile (on-path)
and the NSA/GCHQ have that at defense networks, as well as off-path
injection all around the world.

We have to deal with both kinds of attackers, I think. Jerks. :(

> If you are connecting to a remote DNS server for TLS, I would assume
> you also have an out-of-band key (like a TLSA record) to authenticate
> the resolver. You would detect this failure and know you are on a
> hostile network.
>

Yes, that sounds about right.

>> If I
>> configure a resolver and declare it to be secure (and use it as such),
>> why not fail closed? Why not detect that as an attack or as outright
>> network censorship?
>
> I don't think the draft says anything about how to handle failure?

It should. We should actually handle attacks in the wild and not treat
them as rare flowers that are never expected to be found.

>
>> This seems to fail if there is an active attacker that blocks TLS
>> traffic - is there a way for the resolver to somehow learn in-band on
>> port 53 that this attack is happening?
>
> If you would publish a TLSA record, then yes. eg:
>
> _443._tcp.8.8.8.8-in-addr.arpa IN TLSA <google-dns-pubkey>

I think that is a good start but I was thinking about service
discovery - that is I have to know to look for that record.

>
> Seeing the responses so far, I think the document needs to be much
> clearer with respects to "last mile" versus "remote DNS server"
> encryption.
>

They're essentially the same problem when you use OpenDNS, Google's
public DNS, Sonic.net's awesome resolvers, and so on.

All the best,
Jacob

v2.23.0 | Report a Bug | By Email