IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-06.txt

Warren Kumari <warren@kumari.net> Fri, 13 October 2023 20:30 UTC

Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9F13C14CE24 for <dnsop@ietfa.amsl.com>; Fri, 13 Oct 2023 13:30:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7C8Bi9jCUu40 for <dnsop@ietfa.amsl.com>; Fri, 13 Oct 2023 13:30:48 -0700 (PDT)
Received: from mail-ot1-x32f.google.com (mail-ot1-x32f.google.com [IPv6:2607:f8b0:4864:20::32f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DAA4C1705F8 for <dnsop@ietf.org>; Fri, 13 Oct 2023 13:17:08 -0700 (PDT)
Received: by mail-ot1-x32f.google.com with SMTP id 46e09a7af769-6c4bad60a1aso1556449a34.2 for <dnsop@ietf.org>; Fri, 13 Oct 2023 13:17:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari.net; s=google; t=1697228227; x=1697833027; darn=ietf.org; h=cc:to:subject:message-id:date:references:from:in-reply-to :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=qJ9bqWuhc8vDWene/87rORjgwZ45bbQhPLyb+oMF7Yk=; b=eyjtgXKHh75zLquyylduTmePyenmtU5AsdU9jDged+3eEHSJ2rbeQ4eYm4iblzBNhg DQGqXOJ7boAQhaVmlBPf3XnWNH0nzOOu9A2xOZRBPKt+zsKOUHZdXVG2Ezyb5PZb4yA6 e/XtmV4Q5BFTKtKe5Xqh80bUr7/QKyLkop8xV2U9R+Rcl3gK0OIKSXyc6dwo13ZD7sBU yKUwBr9mz5xlE1cYqcs9ouGkc4TBo12NPqQ0zN4GSTMIsVgbsWv/JFRaxEpcT5NT+ooL Qy0DvLisOcqVPmv5F0/PbpFo822f/tc3g9Z0Yxok2sH68AJHgf1Lsnx+8epET5LSOBQu NZdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697228227; x=1697833027; h=cc:to:subject:message-id:date:references:from:in-reply-to :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=qJ9bqWuhc8vDWene/87rORjgwZ45bbQhPLyb+oMF7Yk=; b=IIo+rdgWaqSh1stK5PfuPiX8IAhg4NDmkHekgPrSkchVGzLzHgV2wHk+4+0Nro00E0 0y+QNE24a5dC7DDD8XQQ99/38GsZSLOMY3UG3i9qFUeIJBc03cFupNDEVemOB8YFx4Sv 1uPAy7eG0PfbQ5k+8rZJV0nFJQAU5sdkpfUEmCgfCxf3vLLu2VvcyBDWMgV8oRFXbxUb 386lEJL/huNAlE7Qa3GeuWH5HaGRxrlCn8j6Yo2jaMbnYPeELtT7no9n1lMOiyGmcZwU eMrFxPgMJFH51MUwtWo+wW1c5EUfcDuBozWKTZfOm58gM7D7PJtG4MdIDo7gHoZchmHS isvQ==
X-Gm-Message-State: AOJu0YzGBMVLR8Fy1EHF7sNHmqiGx9F/HjqbaMl2v42O1NFkXU6UOOw4 3IHXfi9MqWoLh1y0RRS8zBtbJRWh2R5Mheb2w8EYvRCGzisSBslu
X-Google-Smtp-Source: AGHT+IFUiRLinII6EGb/iF93GVrn/Z+H5cNX4Ig1blxzXcdFj34NwUtCG5Pa+syNj4xJn406YnbtWdpRAKD/Gv3Q6kU=
X-Received: by 2002:a9d:6d0d:0:b0:6c4:6aef:cd58 with SMTP id o13-20020a9d6d0d000000b006c46aefcd58mr26949067otp.8.1697228227160; Fri, 13 Oct 2023 13:17:07 -0700 (PDT)
Received: from 649336022844 named unknown by gmailapi.google.com with HTTPREST; Fri, 13 Oct 2023 16:17:06 -0400
Mime-Version: 1.0
X-Mailer: Superhuman Desktop (2023-10-12T21:33:24Z)
X-Superhuman-ID: lnp1uoh7.e5547975-44df-4ce0-8614-05a580bc3738
In-Reply-To: <CAFpG3gcPwjXq7XVjtU1OVvD3Yb4cOnkbgtSDg-FG65iHi5qCAQ@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
X-Superhuman-Draft-ID: draft000122849267a8a7
References: <DB9PR05MB847355CA18F73D1B8F892C15A3CDA@DB9PR05MB8473.eurprd05.prod.outlook.com> <DB9PR05MB84738B9AA9551E7E116AE491A3CDA@DB9PR05MB8473.eurprd05.prod.outlook.com> <CAHw9_i+bJ3-rJD97Rr21RoX_O58hdEz2DUHxgiheYdsxw4rhsw@mail.gmail.com> <B02CC0F1-C264-444B-8B3C-F60B2E4CA293@apple.com> <CAFpG3gcPwjXq7XVjtU1OVvD3Yb4cOnkbgtSDg-FG65iHi5qCAQ@mail.gmail.com>
Date: Fri, 13 Oct 2023 16:17:06 -0400
Message-ID: <CAHw9_iLnWu5i6sM8U5S=i3FwYqUNQbk7MC7FL2HLEhM_LMuY1w@mail.gmail.com>
To: tirumal reddy <kondtir@gmail.com>
Cc: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, Vodafone Gianpaolo Angelo Scalone <Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org>, DNSOP WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000954b6606079ebd0c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/FmdvLX1733vHDzf-AKR-oeST_jc>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-06.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Oct 2023 20:30:52 -0000

On Fri, Oct 13, 2023 at 4:05 AM, tirumal reddy <kondtir@gmail.com> wrote:

> On Thu, 12 Oct 2023 at 21:37, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.
> org> wrote:
>
>>
>>
>> On Oct 11, 2023, at 3:17 PM, Warren Kumari <warren@kumari.net> wrote:
>>
>>
>>
>>
>>
>> On Tue, Oct 10, 2023 at 12:56 PM, Vodafone Gianpaolo Angelo Scalone <
>> Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org> wrote:
>>
>>> I really love this draft and would like to see browser side
>>> implementation for the benefit of customers user experience. Today several
>>> services are implemented on top of DNS to filter malicious or unwanted
>>> traffic in an effective way, but customers cannot distinguish the blocking
>>> from a network error. This led to frustration or even worst put them in
>>> danger: a quick solution to the "network error" is to disable the
>>> protection and so be infected, or change browser. The server side
>>> implementation provides all the needed information to build a great user
>>> experience: in the example below I see at least 2 options
>>>
>>> ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24987 flags: qr rd ra;
>>> QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 OPT PSEUDOSECTION: EDNS:
>>> version: 0, flags:; udp: 512
>>> EDE: 17 (Filtered): ({ "c": [https://blocking.vodafone.com/
>>> blockpage?list=malwarecc], "s": 1,"j": "Malware C&C", "o": "Vodafone
>>> Internet Services" }) QUESTION SECTION: malw.scalone.eu. IN A
>>>
>>> Option 1 - better user experience, some complexity to avoid security
>>> risks
>>>
>>> if the contact URI is trusted it is possible to present in the GUI a
>>> real blocking page. The problem is that untrusted providers could use this
>>> method as an attack vector. Potential solutions could be:
>>> Browsers accept Exte4nded DNS Errors only from DoH servers. URI domain
>>> has to be covered by DoH server certificate. There could potentially be a
>>> vetting process e.g. through IANA, whereby filtering providers would need
>>> to register. Only registered and approved providers would then be permitted
>>> to use this method
>>>
>>> Option 2 - Sub-optimal user experience; however, a significant
>>> improvement over today's user experience.
>>>
>>> <Browser name> cannot open <filtered domain, not clickable> because it
>>> has been filtered by <name of the filtering service, "organization" field>
>>> Blocking reason: <blocking reason, " justification" field>
>>>
>>>
>>>
>> Erm, can't a large amount of this already be accomplished using RFC8914
>> Extended Errors. E.g:
>> https://www.rfc-editor.org/rfc/rfc8914.
>> html#name-extended-dns-error-code-15-
>> —-
>> "4.16. Extended DNS Error Code 15 - Blocked
>> The server is unable to respond to the request because the domain is on a
>> blocklist due to an internal security policy imposed by the operator of the
>> server resolving or forwarding the query.
>>
>> 4.17. Extended DNS Error Code 16 - Censored
>> The server is unable to respond to the request because the domain is on a
>> blocklist due to an external requirement imposed by an entity other than
>> the operator of the server resolving or forwarding the query. Note that how
>> the imposed policy is applied is irrelevant (in-band DNS filtering, court
>> order, etc.).
>>
>> 4.18. Extended DNS Error Code 17 - Filtered
>> The server is unable to respond to the request because the domain is on a
>> blocklist as requested by the client. Functionally, this amounts to "you
>> requested that we filter domains like this one."
>> ---
>>
>> Yes, it doesn't give you the HTML page, but I personally view that as a
>> feature, not a bug.
>> You *know* that if my coffee-shop/hotel/car-dealer has the ability to
>> respond to every N-th DNS query with:
>> "({ "c": [https://subaru.example.com/buy-the-new-outback.html})" or "(({
>> "c": [https://www.example.com/free-donut-with-every-pumpkin-spice-latte
>> .]})"
>> they will.
>>
>> Yes, I shouldn't be trusting my coffee-shop/hotel/car-dealer's resolvers,
>> but with captive-portals and similar many people do…
>>
>>
>> Yeah, the existing error codes are quite good (and iOS and macOS natively
>> support them now!), but having more details would allow this to replace
>> more fully the cases where redirection occurs.
>>
>> I also am concerned about someone just putting advertisements or worse in
>> the contact information, so there should be some control on it.
>>
>
> The above attack and possible mitigation is discussed in the security
> considerations section of the draft, please see the snip below:
> </snip>
>
>    A client might choose to display the information in the "c", "j", and
>    "o" fields if and only if the encrypted resolver has sufficient
>    reputation, according to some local policy (e.g., user configuration,
>    administrative configuration, or a built-in list of respectable
>    resolvers).  This limits the ability of a malicious encrypted
>    resolver to cause harm.  For example, an end user can use the details
>    in the "c" field to contact an attacker to solve the problem of being
>    unable to reach a domain.  The attacker can mislead the end user to
>    install malware or spyware to compromise the device security posture
>    or mislead the end user to reveal personal data.  If the client
>    decides not to display all of the information in the EXTRA-TEXT
>    field, it can be logged for diagnostics purpose and the client can
>    only display the resolver hostname that blocked the domain, error
>    description for the EDE code and the suberror description for the "s"
>    field to the end-user.
>
> </snip>
>
>
> -Tiru
>
>

<no-hat>
Yes, I read that — but I still (personally) think that the risks outweigh
the benefit. Knowing that a site is unreachable because it is "Extended DNS
Error Code 17 - Filtered" seems helpful and safe. Having additional shiny
pages saying "Vodafone Internet Services has protected you from 'Malware'.
Hooray!  Click here [https://www.vodafone.com/blockpage?list=malwarecc] for
more info, and a cute upsell bundle 5G with your DNS Blocking needs"
doesn't.

Note that this is my personal view only — it's possible / likely that the
WG consensus differs from mine.
</no-hats>

W



>
>
>> Tommy
>>
>>
>> W
>>
>>
>>
>> Thank you
>>>
>>> Gianpaolo
>>>
>>> C2 General
>>>
>>> _______________________________________________
>>> DNSOP mailing list
>>> DNSOP@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dnsop
>>>
>>
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>>
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>
>

v2.23.0 | Report a Bug | By Email