Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-06.txt
Warren Kumari <warren@kumari.net> Fri, 13 October 2023 20:30 UTC
Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9F13C14CE24 for <dnsop@ietfa.amsl.com>; Fri, 13 Oct 2023 13:30:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7C8Bi9jCUu40 for <dnsop@ietfa.amsl.com>; Fri, 13 Oct 2023 13:30:48 -0700 (PDT)
Received: from mail-ot1-x32f.google.com (mail-ot1-x32f.google.com [IPv6:2607:f8b0:4864:20::32f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DAA4C1705F8 for <dnsop@ietf.org>; Fri, 13 Oct 2023 13:17:08 -0700 (PDT)
Received: by mail-ot1-x32f.google.com with SMTP id 46e09a7af769-6c4bad60a1aso1556449a34.2 for <dnsop@ietf.org>; Fri, 13 Oct 2023 13:17:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari.net; s=google; t=1697228227; x=1697833027; darn=ietf.org; h=cc:to:subject:message-id:date:references:from:in-reply-to :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=qJ9bqWuhc8vDWene/87rORjgwZ45bbQhPLyb+oMF7Yk=; b=eyjtgXKHh75zLquyylduTmePyenmtU5AsdU9jDged+3eEHSJ2rbeQ4eYm4iblzBNhg DQGqXOJ7boAQhaVmlBPf3XnWNH0nzOOu9A2xOZRBPKt+zsKOUHZdXVG2Ezyb5PZb4yA6 e/XtmV4Q5BFTKtKe5Xqh80bUr7/QKyLkop8xV2U9R+Rcl3gK0OIKSXyc6dwo13ZD7sBU yKUwBr9mz5xlE1cYqcs9ouGkc4TBo12NPqQ0zN4GSTMIsVgbsWv/JFRaxEpcT5NT+ooL Qy0DvLisOcqVPmv5F0/PbpFo822f/tc3g9Z0Yxok2sH68AJHgf1Lsnx+8epET5LSOBQu NZdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697228227; x=1697833027; h=cc:to:subject:message-id:date:references:from:in-reply-to :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=qJ9bqWuhc8vDWene/87rORjgwZ45bbQhPLyb+oMF7Yk=; b=IIo+rdgWaqSh1stK5PfuPiX8IAhg4NDmkHekgPrSkchVGzLzHgV2wHk+4+0Nro00E0 0y+QNE24a5dC7DDD8XQQ99/38GsZSLOMY3UG3i9qFUeIJBc03cFupNDEVemOB8YFx4Sv 1uPAy7eG0PfbQ5k+8rZJV0nFJQAU5sdkpfUEmCgfCxf3vLLu2VvcyBDWMgV8oRFXbxUb 386lEJL/huNAlE7Qa3GeuWH5HaGRxrlCn8j6Yo2jaMbnYPeELtT7no9n1lMOiyGmcZwU eMrFxPgMJFH51MUwtWo+wW1c5EUfcDuBozWKTZfOm58gM7D7PJtG4MdIDo7gHoZchmHS isvQ==
X-Gm-Message-State: AOJu0YzGBMVLR8Fy1EHF7sNHmqiGx9F/HjqbaMl2v42O1NFkXU6UOOw4 3IHXfi9MqWoLh1y0RRS8zBtbJRWh2R5Mheb2w8EYvRCGzisSBslu
X-Google-Smtp-Source: AGHT+IFUiRLinII6EGb/iF93GVrn/Z+H5cNX4Ig1blxzXcdFj34NwUtCG5Pa+syNj4xJn406YnbtWdpRAKD/Gv3Q6kU=
X-Received: by 2002:a9d:6d0d:0:b0:6c4:6aef:cd58 with SMTP id o13-20020a9d6d0d000000b006c46aefcd58mr26949067otp.8.1697228227160; Fri, 13 Oct 2023 13:17:07 -0700 (PDT)
Received: from 649336022844 named unknown by gmailapi.google.com with HTTPREST; Fri, 13 Oct 2023 16:17:06 -0400
Mime-Version: 1.0
X-Mailer: Superhuman Desktop (2023-10-12T21:33:24Z)
X-Superhuman-ID: lnp1uoh7.e5547975-44df-4ce0-8614-05a580bc3738
In-Reply-To: <CAFpG3gcPwjXq7XVjtU1OVvD3Yb4cOnkbgtSDg-FG65iHi5qCAQ@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
X-Superhuman-Draft-ID: draft000122849267a8a7
References: <DB9PR05MB847355CA18F73D1B8F892C15A3CDA@DB9PR05MB8473.eurprd05.prod.outlook.com> <DB9PR05MB84738B9AA9551E7E116AE491A3CDA@DB9PR05MB8473.eurprd05.prod.outlook.com> <CAHw9_i+bJ3-rJD97Rr21RoX_O58hdEz2DUHxgiheYdsxw4rhsw@mail.gmail.com> <B02CC0F1-C264-444B-8B3C-F60B2E4CA293@apple.com> <CAFpG3gcPwjXq7XVjtU1OVvD3Yb4cOnkbgtSDg-FG65iHi5qCAQ@mail.gmail.com>
Date: Fri, 13 Oct 2023 16:17:06 -0400
Message-ID: <CAHw9_iLnWu5i6sM8U5S=i3FwYqUNQbk7MC7FL2HLEhM_LMuY1w@mail.gmail.com>
To: tirumal reddy <kondtir@gmail.com>
Cc: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, Vodafone Gianpaolo Angelo Scalone <Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org>, DNSOP WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000954b6606079ebd0c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/FmdvLX1733vHDzf-AKR-oeST_jc>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-06.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Oct 2023 20:30:52 -0000
On Fri, Oct 13, 2023 at 4:05 AM, tirumal reddy <kondtir@gmail.com> wrote: > On Thu, 12 Oct 2023 at 21:37, Tommy Pauly <tpauly=40apple.com@dmarc.ietf. > org> wrote: > >> >> >> On Oct 11, 2023, at 3:17 PM, Warren Kumari <warren@kumari.net> wrote: >> >> >> >> >> >> On Tue, Oct 10, 2023 at 12:56 PM, Vodafone Gianpaolo Angelo Scalone < >> Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org> wrote: >> >>> I really love this draft and would like to see browser side >>> implementation for the benefit of customers user experience. Today several >>> services are implemented on top of DNS to filter malicious or unwanted >>> traffic in an effective way, but customers cannot distinguish the blocking >>> from a network error. This led to frustration or even worst put them in >>> danger: a quick solution to the "network error" is to disable the >>> protection and so be infected, or change browser. The server side >>> implementation provides all the needed information to build a great user >>> experience: in the example below I see at least 2 options >>> >>> ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24987 flags: qr rd ra; >>> QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 OPT PSEUDOSECTION: EDNS: >>> version: 0, flags:; udp: 512 >>> EDE: 17 (Filtered): ({ "c": [https://blocking.vodafone.com/ >>> blockpage?list=malwarecc], "s": 1,"j": "Malware C&C", "o": "Vodafone >>> Internet Services" }) QUESTION SECTION: malw.scalone.eu. IN A >>> >>> Option 1 - better user experience, some complexity to avoid security >>> risks >>> >>> if the contact URI is trusted it is possible to present in the GUI a >>> real blocking page. The problem is that untrusted providers could use this >>> method as an attack vector. Potential solutions could be: >>> Browsers accept Exte4nded DNS Errors only from DoH servers. URI domain >>> has to be covered by DoH server certificate. There could potentially be a >>> vetting process e.g. through IANA, whereby filtering providers would need >>> to register. Only registered and approved providers would then be permitted >>> to use this method >>> >>> Option 2 - Sub-optimal user experience; however, a significant >>> improvement over today's user experience. >>> >>> <Browser name> cannot open <filtered domain, not clickable> because it >>> has been filtered by <name of the filtering service, "organization" field> >>> Blocking reason: <blocking reason, " justification" field> >>> >>> >>> >> Erm, can't a large amount of this already be accomplished using RFC8914 >> Extended Errors. E.g: >> https://www.rfc-editor.org/rfc/rfc8914. >> html#name-extended-dns-error-code-15- >> —- >> "4.16. Extended DNS Error Code 15 - Blocked >> The server is unable to respond to the request because the domain is on a >> blocklist due to an internal security policy imposed by the operator of the >> server resolving or forwarding the query. >> >> 4.17. Extended DNS Error Code 16 - Censored >> The server is unable to respond to the request because the domain is on a >> blocklist due to an external requirement imposed by an entity other than >> the operator of the server resolving or forwarding the query. Note that how >> the imposed policy is applied is irrelevant (in-band DNS filtering, court >> order, etc.). >> >> 4.18. Extended DNS Error Code 17 - Filtered >> The server is unable to respond to the request because the domain is on a >> blocklist as requested by the client. Functionally, this amounts to "you >> requested that we filter domains like this one." >> --- >> >> Yes, it doesn't give you the HTML page, but I personally view that as a >> feature, not a bug. >> You *know* that if my coffee-shop/hotel/car-dealer has the ability to >> respond to every N-th DNS query with: >> "({ "c": [https://subaru.example.com/buy-the-new-outback.html})" or "(({ >> "c": [https://www.example.com/free-donut-with-every-pumpkin-spice-latte >> .]})" >> they will. >> >> Yes, I shouldn't be trusting my coffee-shop/hotel/car-dealer's resolvers, >> but with captive-portals and similar many people do… >> >> >> Yeah, the existing error codes are quite good (and iOS and macOS natively >> support them now!), but having more details would allow this to replace >> more fully the cases where redirection occurs. >> >> I also am concerned about someone just putting advertisements or worse in >> the contact information, so there should be some control on it. >> > > The above attack and possible mitigation is discussed in the security > considerations section of the draft, please see the snip below: > </snip> > > A client might choose to display the information in the "c", "j", and > "o" fields if and only if the encrypted resolver has sufficient > reputation, according to some local policy (e.g., user configuration, > administrative configuration, or a built-in list of respectable > resolvers). This limits the ability of a malicious encrypted > resolver to cause harm. For example, an end user can use the details > in the "c" field to contact an attacker to solve the problem of being > unable to reach a domain. The attacker can mislead the end user to > install malware or spyware to compromise the device security posture > or mislead the end user to reveal personal data. If the client > decides not to display all of the information in the EXTRA-TEXT > field, it can be logged for diagnostics purpose and the client can > only display the resolver hostname that blocked the domain, error > description for the EDE code and the suberror description for the "s" > field to the end-user. > > </snip> > > > -Tiru > > <no-hat> Yes, I read that — but I still (personally) think that the risks outweigh the benefit. Knowing that a site is unreachable because it is "Extended DNS Error Code 17 - Filtered" seems helpful and safe. Having additional shiny pages saying "Vodafone Internet Services has protected you from 'Malware'. Hooray! Click here [https://www.vodafone.com/blockpage?list=malwarecc] for more info, and a cute upsell bundle 5G with your DNS Blocking needs" doesn't. Note that this is my personal view only — it's possible / likely that the WG consensus differs from mine. </no-hats> W > > >> Tommy >> >> >> W >> >> >> >> Thank you >>> >>> Gianpaolo >>> >>> C2 General >>> >>> _______________________________________________ >>> DNSOP mailing list >>> DNSOP@ietf.org >>> https://www.ietf.org/mailman/listinfo/dnsop >>> >> >> >> _______________________________________________ >> DNSOP mailing list >> DNSOP@ietf.org >> https://www.ietf.org/mailman/listinfo/dnsop >> >> >> _______________________________________________ >> DNSOP mailing list >> DNSOP@ietf.org >> https://www.ietf.org/mailman/listinfo/dnsop > >
- [DNSOP] I-D Action: draft-ietf-dnsop-structured-d… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Gianpaolo Angelo Scalone, Vodafone
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Tommy Pauly
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Warren Kumari
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Gianpaolo Angelo Scalone, Vodafone
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… tirumal reddy
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Tommy Pauly
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Eric Orth
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Ralf Weber
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… tirumal reddy
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Warren Kumari
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Peter Thomassen
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Peter Thomassen
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Ralf Weber
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Gianpaolo Angelo Scalone, Vodafone
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Warren Kumari
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Tommy Pauly
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… tirumal reddy
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Ben Schwartz
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Dan Wing
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… tirumal reddy