IETF Logo Mail Archive

Re: [dns-privacy] Trying to understand DNS resolver 'discovery'

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Wed, 27 November 2019 08:48 UTC

Return-Path: <tirumaleswarreddy_konda@mcafee.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70DCD12080A for <dns-privacy@ietfa.amsl.com>; Wed, 27 Nov 2019 00:48:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.457
X-Spam-Level:
X-Spam-Status: No, score=-1.457 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=1.242, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OjzS5rFzuwBG for <dns-privacy@ietfa.amsl.com>; Wed, 27 Nov 2019 00:48:08 -0800 (PST)
Received: from us-smtp-delivery-140.mimecast.com (us-smtp-delivery-140.mimecast.com [216.205.24.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9A1312003F for <dns-privacy@ietf.org>; Wed, 27 Nov 2019 00:48:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=mimecast20190606; t=1574844486; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=kos4DrnIqIQqcceQLwxVZLf5zNFWX1N8kJp2njeXYh4=; b=U0jPFD31QWf4M73OVHCiMdu4YtXcILscmGe+sTAEdPHF/E9UcGDsKEvH9lr17IfEWTSCMA rGbsQUPieS9EydiXL1ZX1hB3j+ubR4CwQPWehJDYOavIl9W2lxr6N1ThoYxtOAs6Aml6Qq f4oF3iBcNrIsCqIAxwZelmilg35Zm5k=
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-dm3nam03lp2055.outbound.protection.outlook.com [104.47.41.55]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-367-JeQGJhkLM6uUfOxt_OL6PQ-1; Wed, 27 Nov 2019 03:48:04 -0500
Received: from CY4PR1601MB1254.namprd16.prod.outlook.com (10.172.118.12) by CY4PR1601MB1207.namprd16.prod.outlook.com (10.172.120.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2474.22; Wed, 27 Nov 2019 08:48:03 +0000
Received: from CY4PR1601MB1254.namprd16.prod.outlook.com ([fe80::4aa:ad9b:390a:f7af]) by CY4PR1601MB1254.namprd16.prod.outlook.com ([fe80::4aa:ad9b:390a:f7af%12]) with mapi id 15.20.2474.023; Wed, 27 Nov 2019 08:48:03 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Thread-Topic: [dns-privacy] Trying to understand DNS resolver 'discovery'
Thread-Index: AQHVpH/sjJ4BY7ksP0eWka61gH491qeesWrg
Date: Wed, 27 Nov 2019 08:48:02 +0000
Message-ID: <CY4PR1601MB1254B64F7AC87781D0765204EA440@CY4PR1601MB1254.namprd16.prod.outlook.com>
References: <CAMm+Lwig+90Riqav6BT6D-0n4pZJFgAr3p996Q+qXJSPt0kqBQ@mail.gmail.com>
In-Reply-To: <CAMm+Lwig+90Riqav6BT6D-0n4pZJFgAr3p996Q+qXJSPt0kqBQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.4.0.45
dlp-reaction: no-action
x-originating-ip: [103.245.47.20]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 9ba72d11-f9d2-443b-2b88-08d7731683d1
x-ms-traffictypediagnostic: CY4PR1601MB1207:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <CY4PR1601MB12078B432C6DE4F834B28A26EA440@CY4PR1601MB1207.namprd16.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 023495660C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6019001)(4636009)(39860400002)(366004)(376002)(396003)(136003)(346002)(269900001)(32952001)(189003)(199004)(7736002)(53546011)(6506007)(102836004)(8676002)(229853002)(26005)(5024004)(14444005)(66946007)(186003)(14454004)(6116002)(55016002)(99286004)(66066001)(25786009)(66574012)(81166006)(74316002)(6306002)(54896002)(7696005)(6436002)(316002)(446003)(110136005)(9686003)(236005)(76176011)(11346002)(81156014)(606006)(52536014)(33656002)(86362001)(966005)(71200400001)(9326002)(256004)(66446008)(64756008)(71190400001)(66556008)(66476007)(80792005)(478600001)(3846002)(790700001)(5660300002)(2501003)(6246003)(76116006)(8936002)(2906002)(85282002)(256605007); DIR:OUT; SFP:1101; SCL:1; SRVR:CY4PR1601MB1207; H:CY4PR1601MB1254.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: PNSZkJ+EYfUTFTn9SL59OsqNqG/cXRmPcMAl07ngR491UxeGrCPNFxTS1RD2dDtEsioV/p/t4XkBD9ebSv42emxLP2C732yqMMzTgbGkPDPSMM0tqRZg2MOJWVO/HC1KKvdiK2y8s78BEdqp9L8ys/DM7pj2S5+lAT7QeicF1F0A6mYb8Mz3WLkG7JCpi+PLa7m5UfHMh2Sj1x0FcUmHqzS6XJdbxWhKgT5UMjwujLF+OCH8RsNbvetmDNBM6WspyfcNGwpGhGz+P0OBb1hsr186d0eN9fVzp3BnIeihkLSu1XOY69hY2Km5lBfOUzYJvVpMJ2mMNJUCHNYgGZguIz3pYvvm5p9hKvVcIeVfGKNyDiboLXOdpGEYpsVb+uOByKHeQkRY/8GK7BPju7XwZCtyaRNwGD/njyUPNlDn0eKegEyXDNozzAb+9gRuHNvs5IjepXtE0yZ0jQqmTHnXaOT6hmEYanw3KNiY0s2cI3w=
x-ms-exchange-transport-forked: True
MIME-Version: 1.0
X-OriginatorOrg: mcafee.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 9ba72d11-f9d2-443b-2b88-08d7731683d1
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Nov 2019 08:48:03.2033 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: pZ59m51nthTHC2ZaBxOzo7BGQ2I4b7M1zqtb+BCE4f4mCAtgxotORctaVvhc0OZAbwcVnM5fXeTEYLZfV6YGwVjkFcqHWnBWCr9e1hBTMZClaZPGGsXtyhVFwoj+gvRs
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR1601MB1207
X-MC-Unique: JeQGJhkLM6uUfOxt_OL6PQ-1
X-Mimecast-Spam-Score: 0
Content-Type: multipart/alternative; boundary="_000_CY4PR1601MB1254B64F7AC87781D0765204EA440CY4PR1601MB1254_"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/hsA9IBAO6D1vo-n76-lXawtSkrc>
Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 08:48:11 -0000

Hi Phillip,

Nice summary, Please see inline

From: dns-privacy <dns-privacy-bounces@ietf.org> On Behalf Of Phillip Hallam-Baker
Sent: Tuesday, November 26, 2019 11:05 PM
To: dns-privacy@ietf.org
Subject: [dns-privacy] Trying to understand DNS resolver 'discovery'


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.

________________________________
This notion of DNS resolver discovery seems very strange to me. There are three ways in which a DNS resolver can be realistically determined by a client whether that is in the platform (Windows/OSX/Linux/etc) or the application.

1) Promiscuous DNS
    The client obtains the information to connect to a resolver either as part of DHCP configuration or by further interrogation of the local network.

[TR] DHCP and NDP can be spoofed, and I don’t think secure neighbor discovery is deployed. https://tools.ietf.org/html/draft-reddy-dprive-bootstrap-dns-server-05 proposes a mechanism to securely bootstrap endpoints to discover and authenticate DoT/DoH servers provided by a local network.

2) Admin/User Configured DNS
    The client obtains the information to connect to a resolver through an Administrator or User configuration action. This may be inserting an IP address (8.8.8.8/1.1.1.1/etc<http://8.8.8.8/1.1.1.1/etc>) or some form of DNS label.

3) Application/Platform Provider Configuration.
    The application or OS platform can simply ignore user preferences and choose a DNS provider of its own liking.

This is not an exhaustive enumeration of the possibilities of course. But please, assure me that we are not the brink of users being faced with pop ups asking them 'would you like to choose me as your DNS provider'.

Of these three models, I have always considered (1) to be a security hole. It made some sense in the days when the smallest machine connected to the Internet was the size of a washing machine and portable computers didn't exist. But not today.

[TR] IoT devices may also want to use DoT/DoH servers for both privacy and security.

[As a pragmatic matter, it will continue to be necessary for devices to use the local network DNS resolver for the purpose of connecting to WiFi in kiosk type environments. ]

We might well see the third model being imposed by government decree in some places. Along with the DNSSEC root key to be used for validation.

Yes, there are situations where split DNS has to be considered so that the device knows that when it is on the employer network it behaves differently. But I see those as being a subset of VPN config. If Alice works for example.com<http://example.com>, then she can install a signed config file stating which DNS resolvers and IPSEC (or other VPN) parameters to use on which networks for which sets of DNS addresses.

[TR] Yup, it is not a problem for IT managed or MDM devices but a challenge for BYOD devices.

Cheers,
-Tiru

So what I see is a requirement for DNS resolver configuration. We already have rfc6763 to tell us how to get from a DNS label to an Internet service.. Albeit one that presupposes the existence of a resolution mechanism. I don't see it being problematic to use the local DNS to do this resolution provided that 1) we have the means to authenticate the connection and 2) we only use this mechanism once, to perform initial configuration.

DNS resolution service providers do need to change their IP configs from time to time of course. But there is an expectation that the resolver IP is stable over very long periods of time. Moving to DNS names for resolvers does not free us from this expectation in this case.

In my view, choice of a DNS resolver should be an event backed by ceremony so while I think we can and should insist on DNSSEC authentication for the resolver[1], there is certainly a potential role for a WebPKI certificate to establish accountability (i.e. EV). There is also a potential role for use of rfc3709 (logotypes) to provide a strong security signal during a one-time configuration operation.

[1]  Even if the local resolver does not support DNSSEC or insists on the use of an untrusted root, the DPRIV service being connected to can provide this information as part of the initial handshake.

v2.23.0 | Report a Bug | By Email