IETF Logo Mail Archive

Re: [dns-privacy] Trying to understand DNS resolver 'discovery'

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Wed, 27 November 2019 14:22 UTC

Return-Path: <tirumaleswarreddy_konda@mcafee.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62ACF120915 for <dns-privacy@ietfa.amsl.com>; Wed, 27 Nov 2019 06:22:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6vODSdFAIpps for <dns-privacy@ietfa.amsl.com>; Wed, 27 Nov 2019 06:22:36 -0800 (PST)
Received: from us-smtp-delivery-140.mimecast.com (us-smtp-delivery-140.mimecast.com [63.128.21.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 468EA12096A for <dns-privacy@ietf.org>; Wed, 27 Nov 2019 06:22:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=mimecast20190606; t=1574864555; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=EptihJFgvEQOkE/MEQSzZlMlwEQHXnXTqGpKfthMWzg=; b=YqK30NsIdvY4vOyj7liOftxSBmxkkWg4UXjXB1aSnRnTnBN3DC1Jxpk+V0Jiegh3gxlE2Q XUp84f9ELQzleIBRgfpMt1OdqOYd72obMuvMUlhnHQ2dGzDEZ15JDl/mEnL4h4OpHYk1UV 71OsfwJNpaxOMSXBEE5It3WrNaoXxHU=
Received: from NAM04-CO1-obe.outbound.protection.outlook.com (mail-co1nam04lp2051.outbound.protection.outlook.com [104.47.45.51]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-316-E2X2qW9HNPKzoLqdvz3m2A-1; Wed, 27 Nov 2019 09:22:33 -0500
Received: from CY4PR1601MB1254.namprd16.prod.outlook.com (10.172.118.12) by CY4PR1601MB1239.namprd16.prod.outlook.com (10.172.119.9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2474.21; Wed, 27 Nov 2019 14:22:31 +0000
Received: from CY4PR1601MB1254.namprd16.prod.outlook.com ([fe80::4aa:ad9b:390a:f7af]) by CY4PR1601MB1254.namprd16.prod.outlook.com ([fe80::4aa:ad9b:390a:f7af%12]) with mapi id 15.20.2474.023; Wed, 27 Nov 2019 14:22:31 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Neil Cook <neil.cook@noware.co.uk>, Stephane Bortzmeyer <bortzmeyer@nic.fr>
CC: "dns-privacy@ietf.org" <dns-privacy@ietf.org>, Phillip Hallam-Baker <phill@hallambaker.com>
Thread-Topic: [dns-privacy] Trying to understand DNS resolver 'discovery'
Thread-Index: AQHVpH/sjJ4BY7ksP0eWka61gH491qedvvOAgAEMS4CAAERloA==
Date: Wed, 27 Nov 2019 14:22:31 +0000
Message-ID: <CY4PR1601MB1254D915F946F255B2B53DC8EA440@CY4PR1601MB1254.namprd16.prod.outlook.com>
References: <CAMm+Lwig+90Riqav6BT6D-0n4pZJFgAr3p996Q+qXJSPt0kqBQ@mail.gmail.com> <20191126180441.GA4452@sources.org> <4E2DE849-CC35-4675-9A41-CD134D65371A@noware.co.uk>
In-Reply-To: <4E2DE849-CC35-4675-9A41-CD134D65371A@noware.co.uk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.4.0.45
dlp-reaction: no-action
x-originating-ip: [49.37.206.28]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 01858174-ec47-4ca3-8b6c-08d773453d76
x-ms-traffictypediagnostic: CY4PR1601MB1239:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <CY4PR1601MB1239DF0E29C2078717A2488CEA440@CY4PR1601MB1239.namprd16.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 023495660C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(376002)(39860400002)(136003)(366004)(396003)(346002)(13464003)(199004)(189003)(32952001)(25786009)(7696005)(6306002)(71200400001)(102836004)(55016002)(9686003)(76176011)(7736002)(14454004)(6436002)(6506007)(110136005)(316002)(33656002)(71190400001)(53546011)(99286004)(66946007)(81166006)(5024004)(76116006)(256004)(8676002)(80792005)(305945005)(74316002)(5660300002)(229853002)(8936002)(81156014)(66476007)(2906002)(186003)(66574012)(66066001)(6246003)(4326008)(966005)(66556008)(66446008)(6116002)(26005)(3846002)(446003)(52536014)(86362001)(478600001)(14444005)(11346002)(64756008)(54906003)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:CY4PR1601MB1239; H:CY4PR1601MB1254.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: LNzwRC9pvGjDep3Ov3VKHa5j6I24w8acB9XTXH/kUlhXVkZ7PQHkDv3PaSFGhrFqxn9dTi19XdFIVjRYR/QmdyAmHk/wlmFfImdN86iKZIU4l2BvT2lGyakR1xOH5iO6YaZG15bMuo10Fe4xpCqb9F/ghoCI0YSSMngV064xemj1Qu2FXA+V7xS0uN7ey45dBY0BXZ9yR0HGGL1X92UpL458C+7HUBHd05CDu6/Hf+pJcwgHzi8HNpiGPQxszbSsk/Dzu0clKxbMozT/JTeWUJmA2VN67OJ/b1x87J8+4reZZIoQhwpMe6zrAdW8bACCRQSF/GG/wX70w6e5UZbKa9bfWynvpZJ5T4kxCE8TzEpdbxthKcgPkJqPN9VrICmJgxK4nKspDCmAjJl0iCY+FMbk1hAmqMdAyu6w4Bnl2u6rje+IiWVxhyPJY6whRQIOQUU7AF6qy8vcrYdgvsLhOTssM0Q9w8bJvhdEZU6vO81yZ7nPE//r2pPwReu7f/yT
x-ms-exchange-transport-forked: True
MIME-Version: 1.0
X-OriginatorOrg: mcafee.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 01858174-ec47-4ca3-8b6c-08d773453d76
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Nov 2019 14:22:31.6791 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 1+AoP8IuVwTK8v3QQXM7OffeWduJz8f2pbD1wQuavsPI7QdTGz3nxzDF0jVlAp/TnK6ukCTjgZdxO96DeIHgyg8zXUtdYk7r+PgtHeoa+FfhyXhg74nFIJiKW+/bu0tW
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR1601MB1239
X-MC-Unique: E2X2qW9HNPKzoLqdvz3m2A-1
X-Mimecast-Spam-Score: 0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/ojcJUdLasq4ZnT8Y-o8x41zgAqQ>
Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 14:22:39 -0000

> -----Original Message-----
> From: dns-privacy <dns-privacy-bounces@ietf.org> On Behalf Of Neil Cook
> Sent: Wednesday, November 27, 2019 3:35 PM
> To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
> Cc: dns-privacy@ietf.org; Phillip Hallam-Baker <phill@hallambaker.com>
> Subject: Re: [dns-privacy] Trying to understand DNS resolver 'discovery'
> 
> CAUTION: External email. Do not click links or open attachments unless you
> recognize the sender and know the content is safe.
> 
> > On 26 Nov 2019, at 18:04, Stephane Bortzmeyer <bortzmeyer@nic.fr>
> wrote:
> >
> >> Of these three models, I have always considered (1) to be a security
> >> hole.
> >
> > I fully agree. *All* "automatic discovery of the DoH resolver" schemes
> > are broken by design and I really wonder why people keep suggesting
> > them.
> 
> Resolver discovery schemes allow a client to ask the local resolver to provide
> information about the resolver, such as DoH info, as well as potentially other
> information about the resolver. I don’t see why they’re broken by design;
> yes they add no security properties on top of the (insecure) DHCP
> mechanism used to contact the resolver in the first place, but how clients use
> that information is up to them. They may or may not decide to trust that
> resolver, 

The problem with DHCP is the client has no way to know whether the DoT/DoH server is indeed hosted by the local network or by an attacker. For example, consider a network using Quad9/OpenDNS to perform malware filtering but attacker spoofs the DHCP response to convey the network is using CloudFlare DNS server. Chrome would establish DoH with CloudFlare, and the attack is successful. It is also easy for the attacker to get a domain name, and get the certificate signed by the CA (domain validate certificate).

-Tiru

> they may have a preconfigured list of trusted DoH servers, they
> may use it only to bootstrap connections to other servers, as suggested
> below. You may for example prefer your _doh.MYDOMAIN.example/SRV
> request to be sent over an encrypted connection.
> 
> Also without a discovery protocol, the only way to use an encrypted DNS
> connection would be to manually enter it , or use a pre-configured
> centralised DNS service using the Mozilla model. I’d much rather see all those
> existing non-encrypted connections moved to encrypted connections (using
> DoT or DoH) by default - it doesn’t preclude anything else you’ve suggested.
> It also doesn’t means that users who are depending on services provided by
> their local resolver (such as malware filtering, parental controls), would
> continue to be able to make use of them.
> 
> >> So what I see is a requirement for DNS resolver configuration. We
> >> already have rfc6763 to tell us how to get from a DNS label to an
> >> Internet service.  Albeit one that presupposes the existence of a
> >> resolution mechanism. I don't see it being problematic to use the
> >> local DNS to do this resolution provided that 1) we have the means to
> >> authenticate the connection and 2) we only use this mechanism once,
> >> to perform initial configuration.
> >
> > I agree too. A simple _doh.MYDOMAIN.example/SRV request would
> suffice.
> > (Even better, HTTP should support SRV, but I digress...)
> 
> 
> Neil
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy

v2.23.0 | Report a Bug | By Email