Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks

Ted Lemon <> Mon, 26 October 2020 20:39 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 29BD23A0EEE for <>; Mon, 26 Oct 2020 13:39:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.886
X-Spam-Status: No, score=-1.886 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NO_DNS_FOR_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id e4hmmW527GbQ for <>; Mon, 26 Oct 2020 13:39:13 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::729]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7EBD13A0EE9 for <>; Mon, 26 Oct 2020 13:39:13 -0700 (PDT)
Received: by with SMTP id q199so9705521qke.10 for <>; Mon, 26 Oct 2020 13:39:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=YjSDRUJMS0VNoA9NxlM3Rw+LlP4ojUIkaOLWiNdyMcQ=; b=w7zkbfl1EHTAHGnmQm9txhFrBNJw3jUNPUJH/PNsdnB9Ta+AfhUJtxUDMdC/lwEa6s qsXw833EfaVoBMV+DUw0YaYXkVdwWWpi1kVmyrL/m4pssjvre3P5k2QiQOh/SIjdhcxf 4w42baDVyy6vQvfevWL2Yq5ZuB//6PGVxUvQ21RRIjMvHK4UJWGHyHx81mBoYwuO5xZt PBkjFt08IgNGujY4HB6fAb60RbdUPzlD7HkvuJ6O26Mr9i2dTLXoL6neiUwiVQ62ZQmd Ntkuyx1CdyrtjNsMBaIN0PdRroeJRG1MNB520xNwOjVtu3KPkZS7Rz8Pb7n3FCrBZLU+ /oOw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=YjSDRUJMS0VNoA9NxlM3Rw+LlP4ojUIkaOLWiNdyMcQ=; b=fbaoRvO2QUkRe6x7RBDSSSjMBI//t8KYmP38QxXUWFeuW0q7FVa8JDXZeykIRuFnj4 ueKQGIVv99612vYXTa+t0Y9w2UHBu/cehcCPpt40ebqrpmX/eFKRm03B1u8/0mx70SDF 7dKqcdm3JkeLe9FrLH8/NchXeih6tDErOyreN69EiREhFDZStHUy5wYDKEG8BW6mmUi1 gjxn7dH5nDf4f3xOmKzGQ3akhWBYaeme50L0673RBQJBaYwlEyOONogKuB929pvSBKgn MDAkrgCZXiSWx35zRLGJMya1QNcCWUbcwQKl3hKlKjVaEpMcL2h8wEWupMWNPqTrKbh1 L1Cw==
X-Gm-Message-State: AOAM533Pgu0kD9nteAmSWzwdkcYIaLv7JJuYkTm3iLeaUEvvU2n4K754 l6RgTP0qRoOlspfohSYepRVivg==
X-Google-Smtp-Source: ABdhPJyGhnoGDV4SKvwe99qvscOeObMZEZ4iz4r/W/RQ3HJeiDItGe1CuWvJBVUOsVJ5qhSgrBFnDA==
X-Received: by 2002:a37:686:: with SMTP id 128mr18011205qkg.421.1603744752225; Mon, 26 Oct 2020 13:39:12 -0700 (PDT)
Received: from mithrandir.lan ( []) by with ESMTPSA id j8sm7425267qke.38.2020. (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 26 Oct 2020 13:39:11 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.\))
From: Ted Lemon <>
In-Reply-To: <>
Date: Mon, 26 Oct 2020 16:39:10 -0400
Cc: Jared Mauch <>, dnsop <>,
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <> <> <> <>
To: Toerless Eckert <>
X-Mailer: Apple Mail (2.3654.
Archived-At: <>
Subject: Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 26 Oct 2020 20:39:15 -0000

On Oct 26, 2020, at 4:14 PM, Toerless Eckert <> wrote:
> And the question from the AD was what could be done. So, do you have any
> implemention suggestion ? Are there any sugestions for mDNS ?

There are no simple mitigations. If there were, they would already be in the protocol.

> Btw: I do agree that for most use of mDNS as it is relying on dynamic ports,
> my suggestion would create an undesired trend of allocating static port numbers.
> This is also true for GRASP in general, but for the specific use-cases
> in mind in my text, which are really inside-network infra protocols, the argument could be
> made that static port allocation was indeed well feasible (as we're talking about a
> very small number here) . But we had not done it because we hadn't vetted the benefits
> of doing such a port allocation.

If it’s a multicast discovery protocol with no authentication, then constraining the set of allowed ports just means that the node that’s attacking you has to be able to listen on that port, which it likely can. So I think this reduces function without increasing hardening.

What actually hardens mDNS is that it’s a link-local protocol. It doesn’t work across links. This limits the attack surface. But there’s no way to eliminate the attack surface.  If I were in Ben’s shoes, I’d be asking you to change the protocol to support authentication and ToFU as a hardening strategy, with some better trust establishment mechanism as future work based on the existing presence of crypto signatures. But the current consensus of the IETF is apparently that ADs aren’t allowed to insist on things like that. :(