Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks

Ted Lemon <> Mon, 26 October 2020 17:05 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E7AB83A0D73 for <>; Mon, 26 Oct 2020 10:05:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.885
X-Spam-Status: No, score=-1.885 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, NO_DNS_FOR_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id s-szqPp4r-nd for <>; Mon, 26 Oct 2020 10:05:45 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::72d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 300BF3A0D72 for <>; Mon, 26 Oct 2020 10:05:44 -0700 (PDT)
Received: by with SMTP id x20so9035988qkn.1 for <>; Mon, 26 Oct 2020 10:05:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=XyyGz7aye33gE+FSNkkdUqQcrsbicYaEx2vWfArCTt0=; b=UIpS8vCj3YtkHlUBYe60xvgiXDKtBpJgnEp9p7Xxe8u5tixnRniX8M3U395+95W/WX yR7ivf1BvuuUA8Npd7L2fdC6QiPC76hv314aUfhXRbfUc8nUN6xATWqt7VTm2nGmWXkY z3t1fZawHxexquDKWf4T/kN+wb+eEoHkI7kxrXdnrtLytnonhV6XVhd9RvWLCp2C4BE0 ojj3CTytVmp71xHPG3egGA/BN+K+dDRQV8dFBgkscmUxTHw9yFWktBLiLQvKqWEOWKyN vFz7aHFtaiorcpxWReU5jXViMrFtfVUWP7C17bKn1SEq5Brek2oLTqOuEUggu0V754gl dVUA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=XyyGz7aye33gE+FSNkkdUqQcrsbicYaEx2vWfArCTt0=; b=m3AEOa/b+n0FBTuV6TIhRjfQ084S/Snhs14hKyBnImuubipuoJPGPMOpy0ZuQKj2xB 6yu3/4+RftRMneqvH1GOshyJAaQets6QYOpbPGUYydfSOZil+5Ul014Xu8hMFq8NMkdr BRs0ArB+XllAdOO+9X7Per2JNeRiklxF3iNeQzyET4mPDqGIyJsGw2H6Lc1BAl6CrEhT 51GPvQasIQopYa7k7jlLOk86E+GhWW/pLC0jtO2C+DPvcK91f4Li2oTMz6lXzHmdVLev mUH4RF2CLF5gyb8CuQa3UYKKSIo/rog5Kq9Y/MzdlAoRbF1vZ9XbmeoEB8nhyoKGItoO KfJQ==
X-Gm-Message-State: AOAM531FkRntrnpjn38I+A7Z1xmrnE7nXFbq2DDj2y3L8RkQXlIjCoJS mSekr2RZob+K2E737SF3wZBTxg==
X-Google-Smtp-Source: ABdhPJxosqp2q9oPcGuEj2QJ0WgrhkQcJWuaQ3bhSIa8btaa4xKm2E0XmWVcBsquuL8S0hivUm6RCg==
X-Received: by 2002:a05:620a:657:: with SMTP id a23mr16752501qka.121.1603731943943; Mon, 26 Oct 2020 10:05:43 -0700 (PDT)
Received: from mithrandir.lan ( []) by with ESMTPSA id a128sm6762336qkc.92.2020. (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 26 Oct 2020 10:05:43 -0700 (PDT)
From: Ted Lemon <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_9FF7E2EF-3067-4CBD-B245-904189788FE5"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.\))
Date: Mon, 26 Oct 2020 13:05:42 -0400
In-Reply-To: <>
To: Toerless Eckert <>
References: <> <> <>
X-Mailer: Apple Mail (2.3654.
Archived-At: <>
Subject: Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 26 Oct 2020 17:05:48 -0000

On Oct 26, 2020, at 12:59 PM, Toerless Eckert <> wrote:
> The networks where i am worried are not home networks,
> but something like an office park network, where supposedly each
> tenant (company) should have gotten their disjoint L2 domains, ... and then
> they didn't. And one of the tenants has a "funny" network engineer/hacker.

That’s pretty clearly the thing to fix.
> So, eliminate for your assessment the option of better
> protocols. Now, why would this heuristic then still be
> "very bad" ? To me it just eliminates the benefits of
> dynamic port signaling when there is an attack. And has no
> impact under no attack.

If you’re going to do that, you might as well just turn off mDNS entirely.

I don’t know whether or not this would also be true of GRASP, however.