IETF Logo Mail Archive

Re: [dns-privacy] [Ext] Threat Model

Brian Dickson <brian.peter.dickson@gmail.com> Wed, 06 November 2019 00:36 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18EC51200C3 for <dns-privacy@ietfa.amsl.com>; Tue, 5 Nov 2019 16:36:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id trKVVn7uSN3N for <dns-privacy@ietfa.amsl.com>; Tue, 5 Nov 2019 16:36:03 -0800 (PST)
Received: from mail-vs1-xe35.google.com (mail-vs1-xe35.google.com [IPv6:2607:f8b0:4864:20::e35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E01D8120154 for <dns-privacy@ietf.org>; Tue, 5 Nov 2019 16:36:02 -0800 (PST)
Received: by mail-vs1-xe35.google.com with SMTP id w25so14807600vso.4 for <dns-privacy@ietf.org>; Tue, 05 Nov 2019 16:36:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=nqGVlgJhVM6ZhbsMk379kSLN9rxtZnQNMrHeuEo5kcU=; b=sAwBjiiv1xNn/p7HJOaeCDWtjujkdrod16SnnKQMuwsqpK2gbXkW5GHWUJtdlw6+4t WjVsI2SdySFgN1sWL76UNiH80h8OpQkqG6+lf/dHrhBlm3GgsUARQvr8QE3YPDV4TmZA U9BbDpWNh2Mhn05TifFm6FGnkbO0UypIK2Ci7bz0H9fN1INyUvZCzPIDCefmZqk0DcaB nSOSSEwVCrVIzoONyIBhdH61X4uz33dgajrfM3rMVfwPdhgKiP7Hn8HnLZGUV57CGetJ hTBBN7KYEncQ/sJOyY4LyzkQYfj8662/0xrqux6/sckfJejyb2KUg9LyfM4jlqrd2sOe MaDQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=nqGVlgJhVM6ZhbsMk379kSLN9rxtZnQNMrHeuEo5kcU=; b=iOhZ+iKPVTaxOpGGvT1Dx9q7D4TEhGT9KwCJHyjbBCaUCt0QvwZAAM5Y1SmMfYFYQk MjZeKwTVw3ydbtTiX14F+v8LqnfCjrjOz+zzElIuc155zmeJIRgrFdMXmlPg3iCCqYEj 0Dd38401h3YzQ0OUv8r9Vxf4qfh7ArEDx/sBni94LAzH8bMIbJ30UoruzgFPukZaMmRg cahUgrZY7AaoHidtlXJNTfty9BhCYgh04/Pea9PsgO59QxSqcUBiczbPJSPosxKT3Q24 +efbKXxKMyVOCj4QwawGveZXXGWHU8RIGL9SStnTGNSWZXTmhYBQY6KVdAez5MszmDQF EGwg==
X-Gm-Message-State: APjAAAUK3LmkTJ7ZWQhjnqKyHyyP4RjMxsoe4U2eNeuLXTfSktX4ua4u 7M7pwyT0H0EKMHLw1HUPk7dNKAKH88xGrpZLqhyvSw==
X-Google-Smtp-Source: APXvYqz/f5AywjjFONu6ll/c4b9zQFV6dG97Ow+BaugnpN4hGfi6aaIlV3gdydieJK7+apPW2pRmIScUIxpOVGkk5o0=
X-Received: by 2002:a67:e451:: with SMTP id n17mr6010862vsm.199.1573000561701; Tue, 05 Nov 2019 16:36:01 -0800 (PST)
MIME-Version: 1.0
References: <CABcZeBMQEJ=LE8ATQYnJj59srsK47hf4HT3BMMg3X2crVfSUXQ@mail.gmail.com> <CABcZeBOhSYvqPyDcm9zbMYRc03DmPcCKYTYE-uC54=Mm9HMcnQ@mail.gmail.com> <99ee8cd4-9418-2d64-57fd-487b4f2c3a1a@cs.tcd.ie> <CABcZeBOBFFi=dA_XEzhkYvRU6kzvND5CMQcMoyriYusDH0RbKQ@mail.gmail.com> <CAHw9_iLz5No-SKa74To03ida3DHfeKY58CrJFJpLph8FsvzNQQ@mail.gmail.com> <CABcZeBMFDbATVRvJvvs5b4giQ=0B82i76ahv-ffDgWJOzqZccw@mail.gmail.com> <CAHw9_i+e8veeAz+KYXjvchmjKJz6OZHX1pEYx_Tvs8n5xnfBnQ@mail.gmail.com> <6D6233DC-4D7C-45BC-9D4E-08E6E882C1A5@nohats.ca> <alpine.DEB.2.20.1911042035571.29247@grey.csi.cam.ac.uk> <CAH1iCioH86q1CX7A+F8ON4uzpGqipUy8m3iczyNqSKirAsYBQg@mail.gmail.com> <alpine.LRH.2.21.1911041652450.5093@bofh.nohats.ca> <CABcZeBOtY3saJe5DWTu=Jqy5guqdoKPKSR+XYddbvxwxKsxmig@mail.gmail.com> <CAHw9_iKaeT0VEjZfoCi9Nddc+VBBj0JHWDHv+=g3xzvb6L+Nvg@mail.gmail.com> <alpine.LRH.2.21.1911050941090.30046@bofh.nohats.ca> <CAHw9_i+MxMCd7dDO7N0-hc1SDjvBeoLoUvbg4JWDzXyjR0u4xQ@mail.gmail.com> <alpine.LRH.2.21.1911051437000.11602@bofh.nohats.ca> <CAHw9_iKhaA9Nb+eH92YfzdepU90_DgLyS-ZDaMAehKOFO0ksEA@mail.gmail.com>
In-Reply-To: <CAHw9_iKhaA9Nb+eH92YfzdepU90_DgLyS-ZDaMAehKOFO0ksEA@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Tue, 05 Nov 2019 16:35:49 -0800
Message-ID: <CAH1iCioUiSW7POYmEs5Uz3kmOfa5n_4k6dMisAnp97OrJ44qLQ@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
Cc: Paul Wouters <paul@nohats.ca>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b637ad0596a2bb33"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/sZ37F1AlsoNrmgVOKZIOUXBj9b8>
Subject: Re: [dns-privacy] [Ext] Threat Model
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Nov 2019 00:36:06 -0000

On Tue, Nov 5, 2019 at 3:14 PM Warren Kumari <warren@kumari.net> wrote:

> On Tue, Nov 5, 2019 at 2:40 PM Paul Wouters <paul@nohats.ca> wrote:
> >
> > On Tue, 5 Nov 2019, Warren Kumari wrote:
> >
> > > Because then I need to probe them on 853 and wait N before trying on
> port 53, or I will
> > > only get any sort of protection for name-servers which I’ve spoken to
> recently enough that
> > > I have them in cache — that works for e.g: ns1.google.com, but not
> ns0.nohats.ca
> >
> > Well, that's how we do things when remembering per-server
> > characteristics, which we need to do anyway in case of outages.
> >
> > Like EDNS0 support and DNS COOKIES support is remembered and cached,
> > why wouldn't resolvers do the same for this property. We didn't put
> > "ns-edns" out there in name hacks either. Why start now?
>
> For things like COOKIES I don't need knowledge of the server *before*
> I contact it -- when I want to lookup www.nothat.ca, and get back a
> cookie, I've learnt something useful for future connections.
>
> For privacy, I really don't want to have to leak the fact that I'm
> looking up secret.nohats.ca because I happen to be the first user who
> is (recently) asking for a name on ns0.nohats.ca.
> a.ns.facebook.com is popular and so in basically all caches, all the
> time - and so users looking that up would get privacy most of the
> time.
> ns01.kumari.net is (obviously) less popular, and so basically never in
> caches -- and so anyone looking up kink.kumari.net will be exposed.
>
> Now, I really don't think it is fair and right that people looking up
> Facebook (or Google) get privacy simply because those sites are
> popular, and people reaching my personal site don't.
> I could get privacy back by moving my DNS to a large commercial DNS
> hoster (ns59.domaincontrol.com is in many caches, much of the time),
> but this seems like an even worse push.
>
> I'd like some system where I can signal that I support DoT:
> 1: without my parent having to do anything (like be upgraded to support
> DoT)
>
> 2:  without having people to probe and wait for a timeout
>
> 3: with my users first connection protected, so they don't have to
> lookup safe.kumari.net (to make sure that the resolver knows that
> ns01.kumari.net supports DoT), or something like _dot.kumari.net
> before looking up secret.kumari.net.
>
> 4: without expecting everyone to support DNSSEC.
>
> I'd like to see something less stupid than ns01-dot.kumari.net, but I
> don't really see what else the child controls at the parent (without
> having a separate set of info / RR type / encoding stuff in DS, etc)
>

So, I'm going to rephrase some stuff, in an attempt to capture what I
believe are either (a) requirements, or (b) changes to DNS, in what you
describe.

Then, I'll ask some leading questions, and make some assertions, and see
where that goes. :-)

So, currently, there is no recursive-to-authoritative privacy standardized,
per se, even if there might be some early implementations (DoT in OTE at
godaddy for example).

The first question is, since no standard yet exists, why NOT include a
requirement for DNSSEC in order to do privacy to the authoritative, even if
only in the secure bootstrap process?
It's all green-field, right? I.e. excluding DNSSEC a priori seems overly
restrictive. (But let's leave that for now. But please answer this
question, it's something I'm interested in.)

Second, there seems to be an inherent leakage of information caused by an
association between the NS name of your domain and the domain and its
children.

Suppose the name server name, was decoupled from the domain you care about,
and all the information about that name server were in a different domain,
where the name of the name server was served from another name server whose
name was an in-bailiwick name for that other domain, and the query for the
name server for the domain you care about was only ever done over an
encrypted connection. (Whew.)

E.g.
kumari.net NS ns-ku.secret-nameserver-12345.net
secret-nameserver-12345.net NS ns1.secret-nameserver-12345.net
ns1.secret-nameserver-12345.net A <ipv4>
ns1.secret-nameserver-12345.net AAAA <ipv6>

Then have records for the DOT bits for both ns-ku and ns1 inside the
secret-nameserver-12345.net zone.
(Pick your poison on what those records would look like, anything from TLSA
records to A/AAAA records to some new RR type, or even SRV records.)

The privacy stuff would be a two-phase privacy bootstrap.
First, do the query to get the needed privacy stuff for
ns1.secret-nameserver-12345.net over a non-private connection.
Then, do the query to get the needed privacy stuff for
ns-ku.secret-nameserver-12345.net over a newly-established DoT connection
based on the previous step.
Third, do the query toward ns-ku.secret-nameserver-12345.net over another
DoT connection based on the previous step, to obtain any records within
kumari.net in a private fashion.

To know that any given query towards secret-nameserver-12345.net was
intended to get the stuff for kumari.net, would require more deductive
reasoning than in your original examples.

Also important is that the only information that would need to be stored on
secret-nameserver-12345.net would be an (arbitrary) nameserver name, plus
A/AAAA glue data, plus whatever other parameters are needed for DoT
signaling.

Thus, it would be very feasible for someone to offer a privacy-enabling
service like secret-nameserver-12345.net, that would provide a
stegonographic cover for all its clients, and those clients would not need
to identify their domains per se, and would eliminate the information
leakage of using a single domain with in-bailiwick name for the name server.

I.e. you would not need to operate secret-nameserver-12345 yourself (but
you could), and if you didn't, you would get a lot more privacy than is
otherwise possible (I think).

Additionally, the bigger and more popular secret-nameserver-12345 is, the
more likely it is in cache, allowing very private bootstrapping of the
privacy-protected DNS for kink.kumari.net.

I think this does #1 and #2, probably does #3, and #4 is open for
discussion.

Thoughts?
Answers?

Brian

v2.23.0 | Report a Bug | By Email