IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-06.txt

tirumal reddy <kondtir@gmail.com> Fri, 13 October 2023 08:06 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D09F8C14CF1B for <dnsop@ietfa.amsl.com>; Fri, 13 Oct 2023 01:06:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2t5X08raP7n7 for <dnsop@ietfa.amsl.com>; Fri, 13 Oct 2023 01:06:04 -0700 (PDT)
Received: from mail-lj1-x236.google.com (mail-lj1-x236.google.com [IPv6:2a00:1450:4864:20::236]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E2FDC14F748 for <dnsop@ietf.org>; Fri, 13 Oct 2023 01:06:04 -0700 (PDT)
Received: by mail-lj1-x236.google.com with SMTP id 38308e7fff4ca-2bbbe81185dso3572911fa.0 for <dnsop@ietf.org>; Fri, 13 Oct 2023 01:06:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1697184362; x=1697789162; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=AfJ2HfzEpP+ov0Kea2+wsqeUEmRJgsDLx+VjqngGfZg=; b=aPZ2HOEgDDY9ekS9T3Z5j0m+bu9w+snN9kcw192S0h5ExNxBhNh9CYThgwlcAchNXM JT3d191DeTyNIewPDftRoAdoBj1kgaMORHkwjkQti4rzggvXu+0q9lfUVQRoNEbhZfT2 y4HwcbYQjmKYODSAgyxHR6oZJC3/PdqyJPfY9HJ3QN6FfV8+dLEmuqSJQmkQ0txUlDUv PH86Ar12CkG0kC1ns0ytB0UA8adH4pCXwJ2LXDKpxfWW11bphY7MTfqnjfSroiO4JI5r 9S2QvC9mI/nh41xyfNubDkfl1Xrq8YX0KJ6GdOUqnCswTxs+YpeEJoMEXgUfDkGsqB1r RK3g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697184362; x=1697789162; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=AfJ2HfzEpP+ov0Kea2+wsqeUEmRJgsDLx+VjqngGfZg=; b=gwZRAwt0etVbKbZc6m5EGo7CdmcGXkKP/fbQSRSOQnVy8UUKKMTCKFFdzUvX5vKTT2 drrM8NOm3umHw4A+iTqFxehjWNgvjYaQpkGQhmqthb41wl+FzWtjqO1N7F1G7yCJPXUT 1ZX9gcWWys5PqO85pJlQgzHrdEXnIvbpXHFMk97rteeUrKU9H4b+8sYL7HLWO6KdZnU3 36ED50uyiaxFmuy+HRnV6aBw//RG27HuVVCD0beWoqWIj1xjxhMOwC3u8Iu9xYJxjBy4 jcX45kMWgm3nI5tlEet10b5xzLqiqdsDonvESK/3tas99KycG9DwcDcfJXrhVCvxeE6U qiXw==
X-Gm-Message-State: AOJu0YzKmYyMNzV9xFBq+nWHLfbB1KWJBNxvudb00ldFVxrKWN1VRFCz aRp54kSgpPLNFftGal8ze73D0cDNi7SDTQnUuS1cNmrWgFU=
X-Google-Smtp-Source: AGHT+IF0quh1RT4LHrVBTGkKk1pBhtF+kS52uFoR7U0rH0qZSjnypzc8taowIX6a0t2+8b9k0a33VJgeTuSfowLKbE8=
X-Received: by 2002:a05:651c:202:b0:2c0:7d6:1349 with SMTP id y2-20020a05651c020200b002c007d61349mr19314179ljn.0.1697184362113; Fri, 13 Oct 2023 01:06:02 -0700 (PDT)
MIME-Version: 1.0
References: <DB9PR05MB847355CA18F73D1B8F892C15A3CDA@DB9PR05MB8473.eurprd05.prod.outlook.com> <DB9PR05MB84738B9AA9551E7E116AE491A3CDA@DB9PR05MB8473.eurprd05.prod.outlook.com> <CAHw9_i+bJ3-rJD97Rr21RoX_O58hdEz2DUHxgiheYdsxw4rhsw@mail.gmail.com> <B02CC0F1-C264-444B-8B3C-F60B2E4CA293@apple.com>
In-Reply-To: <B02CC0F1-C264-444B-8B3C-F60B2E4CA293@apple.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Fri, 13 Oct 2023 13:35:50 +0530
Message-ID: <CAFpG3gcPwjXq7XVjtU1OVvD3Yb4cOnkbgtSDg-FG65iHi5qCAQ@mail.gmail.com>
To: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>
Cc: Warren Kumari <warren@kumari.net>, Vodafone Gianpaolo Angelo Scalone <Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org>, DNSOP WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000005ae2f06079487de"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/OPtHW8c-zPvhrmJPmmr7dOZ7ySg>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-06.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Oct 2023 08:06:08 -0000

On Thu, 12 Oct 2023 at 21:37, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>
wrote:

>
>
> On Oct 11, 2023, at 3:17 PM, Warren Kumari <warren@kumari.net> wrote:
>
>
>
>
>
> On Tue, Oct 10, 2023 at 12:56 PM, Vodafone Gianpaolo Angelo Scalone <
> Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org> wrote:
>
>> I really love this draft and would like to see browser side
>> implementation for the benefit of customers user experience. Today several
>> services are implemented on top of DNS to filter malicious or unwanted
>> traffic in an effective way, but customers cannot distinguish the blocking
>> from a network error. This led to frustration or even worst put them in
>> danger: a quick solution to the "network error" is to disable the
>> protection and so be infected, or change browser. The server side
>> implementation provides all the needed information to build a great user
>> experience: in the example below I see at least 2 options
>>
>> ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24987 flags: qr rd ra;
>> QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 OPT PSEUDOSECTION: EDNS:
>> version: 0, flags:; udp: 512
>> EDE: 17 (Filtered): ({ "c": [
>> https://blocking.vodafone.com/blockpage?list=malwarecc], "s": 1,"j":
>> "Malware C&C", "o": "Vodafone Internet Services" }) QUESTION SECTION:
>> malw.scalone.eu. IN A
>>
>> Option 1 - better user experience, some complexity to avoid security risks
>>
>> if the contact URI is trusted it is possible to present in the GUI a real
>> blocking page. The problem is that untrusted providers could use this
>> method as an attack vector. Potential solutions could be:
>> Browsers accept Exte4nded DNS Errors only from DoH servers. URI domain
>> has to be covered by DoH server certificate. There could potentially be a
>> vetting process e.g. through IANA, whereby filtering providers would need
>> to register. Only registered and approved providers would then be permitted
>> to use this method
>>
>> Option 2 - Sub-optimal user experience; however, a significant
>> improvement over today's user experience.
>>
>> <Browser name> cannot open <filtered domain, not clickable> because it
>> has been filtered by <name of the filtering service, "organization" field>
>> Blocking reason: <blocking reason, " justification" field>
>>
>>
>>
> Erm, can't a large amount of this already be accomplished using RFC8914
> Extended Errors. E.g:
>
> https://www.rfc-editor.org/rfc/rfc8914.html#name-extended-dns-error-code-15-
> —-
> "4.16. Extended DNS Error Code 15 - Blocked
> The server is unable to respond to the request because the domain is on a
> blocklist due to an internal security policy imposed by the operator of the
> server resolving or forwarding the query.
>
> 4.17. Extended DNS Error Code 16 - Censored
> The server is unable to respond to the request because the domain is on a
> blocklist due to an external requirement imposed by an entity other than
> the operator of the server resolving or forwarding the query. Note that how
> the imposed policy is applied is irrelevant (in-band DNS filtering, court
> order, etc.).
>
> 4.18. Extended DNS Error Code 17 - Filtered
> The server is unable to respond to the request because the domain is on a
> blocklist as requested by the client. Functionally, this amounts to "you
> requested that we filter domains like this one."
> ---
>
> Yes, it doesn't give you the HTML page, but I personally view that as a
> feature, not a bug.
> You *know* that if my coffee-shop/hotel/car-dealer has the ability to
> respond to every N-th DNS query with:
> "({ "c": [https://subaru.example.com/buy-the-new-outback.html})" or "(({
> "c": [https://www.example.com/free-donut-with-every-pumpkin-spice-latte
> .]})"
> they will.
>
> Yes, I shouldn't be trusting my coffee-shop/hotel/car-dealer's resolvers,
> but with captive-portals and similar many people do…
>
>
> Yeah, the existing error codes are quite good (and iOS and macOS natively
> support them now!), but having more details would allow this to replace
> more fully the cases where redirection occurs.
>
> I also am concerned about someone just putting advertisements or worse in
> the contact information, so there should be some control on it.
>

The above attack and possible mitigation is discussed in the security
considerations section of the draft, please see the snip below:
</snip>

   A client might choose to display the information in the "c", "j", and
   "o" fields if and only if the encrypted resolver has sufficient
   reputation, according to some local policy (e.g., user configuration,
   administrative configuration, or a built-in list of respectable
   resolvers).  This limits the ability of a malicious encrypted
   resolver to cause harm.  For example, an end user can use the details
   in the "c" field to contact an attacker to solve the problem of being
   unable to reach a domain.  The attacker can mislead the end user to
   install malware or spyware to compromise the device security posture
   or mislead the end user to reveal personal data.  If the client
   decides not to display all of the information in the EXTRA-TEXT
   field, it can be logged for diagnostics purpose and the client can
   only display the resolver hostname that blocked the domain, error
   description for the EDE code and the suberror description for the "s"
   field to the end-user.

</snip>


-Tiru




> Tommy
>
>
> W
>
>
>
> Thank you
>>
>> Gianpaolo
>>
>> C2 General
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

v2.23.0 | Report a Bug | By Email