IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-06.txt

Tommy Pauly <tpauly@apple.com> Thu, 12 October 2023 16:07 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78D90C1705F8 for <dnsop@ietfa.amsl.com>; Thu, 12 Oct 2023 09:07:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g6refed5UoYY for <dnsop@ietfa.amsl.com>; Thu, 12 Oct 2023 09:07:03 -0700 (PDT)
Received: from rn-mailsvcp-mx-lapp03.apple.com (rn-mailsvcp-mx-lapp03.apple.com [17.179.253.24]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7757CC151710 for <dnsop@ietf.org>; Thu, 12 Oct 2023 09:07:03 -0700 (PDT)
Received: from rn-mailsvcp-mta-lapp01.rno.apple.com (rn-mailsvcp-mta-lapp01.rno.apple.com [10.225.203.149]) by rn-mailsvcp-mx-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.23.20230328 64bit (built Mar 28 2023)) with ESMTPS id <0S2F00OM3BFCRD10@rn-mailsvcp-mx-lapp03.rno.apple.com> for dnsop@ietf.org; Thu, 12 Oct 2023 09:07:03 -0700 (PDT)
X-Proofpoint-ORIG-GUID: 5FpYEImf-ce8MjsmMmSMy_oaZmZA36nv
X-Proofpoint-GUID: 5FpYEImf-ce8MjsmMmSMy_oaZmZA36nv
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.619, 18.0.980 definitions=2023-10-12_05:2023-10-12, 2023-10-12 signatures=0
X-Proofpoint-Spam-Details: rule=interactive_user_notspam policy=interactive_user score=0 spamscore=0 phishscore=0 mlxscore=0 mlxlogscore=999 malwarescore=0 bulkscore=0 suspectscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2309180000 definitions=main-2310120133
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=x9J8a2Pt8ilnibTjnaz0YWZnhDci5WVxeZOahS3SMV0=; b=irQg8TFvFjah5dv0445Vtj9rbYOino55b+bTjOiCnsR6g79pdOwVT5YhcO7u0hyh8JN9 f8sYgewFyWWulORh0e+43Cq5+dcz3Ca8kueh2WGBBhyaq9OD3Za03d8LQBM1Mz0qlzsI OOBxn5wDFDv+vrqlxtWRChpzjBXOSb58t3GZ4/4q089OBDSEXxib1HcXvWduxT/MDmPm Gere1U4oF7JD8gjv/8T0o1j0t7gU+76oQ849dkwylWfNxHrVwc8BTPmGYHzL8/Zzhk6D qiE6qvjoS+vCacJBUblcuCJdmE+pu8bEP+2cdh6IrkZCUilfOh7ZuWc8Kb3ERF280E6o TA==
Received: from rn-mailsvcp-mmp-lapp02.rno.apple.com (rn-mailsvcp-mmp-lapp02.rno.apple.com [17.179.253.15]) by rn-mailsvcp-mta-lapp01.rno.apple.com (Oracle Communications Messaging Server 8.1.0.23.20230328 64bit (built Mar 28 2023)) with ESMTPS id <0S2F00F3UBFDZJF0@rn-mailsvcp-mta-lapp01.rno.apple.com>; Thu, 12 Oct 2023 09:06:49 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp02.rno.apple.com by rn-mailsvcp-mmp-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.23.20230328 64bit (built Mar 28 2023)) id <0S2F00R00B61UR00@rn-mailsvcp-mmp-lapp02.rno.apple.com>; Thu, 12 Oct 2023 09:06:49 -0700 (PDT)
X-Va-A:
X-Va-T-CD: 3384e254f63dded59831a4cd87cd53a8
X-Va-E-CD: cbff9c2e43273ecc0451136f31de3a75
X-Va-R-CD: 88cbf2b5c89a581a0140b73c80819b04
X-Va-ID: 7f057389-4c6c-406b-a3d3-97fac037c7a4
X-Va-CD: 0
X-V-A:
X-V-T-CD: 3384e254f63dded59831a4cd87cd53a8
X-V-E-CD: cbff9c2e43273ecc0451136f31de3a75
X-V-R-CD: 88cbf2b5c89a581a0140b73c80819b04
X-V-ID: 81473b3c-ecd5-4acf-927a-e8304757d451
X-V-CD: 0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.619, 18.0.980 definitions=2023-10-12_05:2023-10-12, 2023-10-12 signatures=0
Received: from smtpclient.apple ([17.230.163.195]) by rn-mailsvcp-mmp-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.23.20230328 64bit (built Mar 28 2023)) with ESMTPSA id <0S2F00UIFBFAOY00@rn-mailsvcp-mmp-lapp02.rno.apple.com>; Thu, 12 Oct 2023 09:06:46 -0700 (PDT)
From: Tommy Pauly <tpauly@apple.com>
Message-id: <B02CC0F1-C264-444B-8B3C-F60B2E4CA293@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_7E25C1BF-F749-403E-89A7-560DBF2A2F41"
MIME-version: 1.0 (Mac OS X Mail 16.0 \(3774.100.2.1.4\))
Date: Thu, 12 Oct 2023 09:06:35 -0700
In-reply-to: <CAHw9_i+bJ3-rJD97Rr21RoX_O58hdEz2DUHxgiheYdsxw4rhsw@mail.gmail.com>
Cc: Vodafone Gianpaolo Angelo Scalone <Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org>, DNSOP WG <dnsop@ietf.org>
To: Warren Kumari <warren@kumari.net>
References: <DB9PR05MB847355CA18F73D1B8F892C15A3CDA@DB9PR05MB8473.eurprd05.prod.outlook.com> <DB9PR05MB84738B9AA9551E7E116AE491A3CDA@DB9PR05MB8473.eurprd05.prod.outlook.com> <CAHw9_i+bJ3-rJD97Rr21RoX_O58hdEz2DUHxgiheYdsxw4rhsw@mail.gmail.com>
X-Mailer: Apple Mail (2.3774.100.2.1.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/naLhBJ_VcX5tGq5F3WxYXGI4QvA>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-06.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Oct 2023 16:07:08 -0000


> On Oct 11, 2023, at 3:17 PM, Warren Kumari <warren@kumari.net> wrote:
> 
> 
> 
> 
> 
> On Tue, Oct 10, 2023 at 12:56 PM, Vodafone Gianpaolo Angelo Scalone <Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org <mailto:Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org>> wrote:
>> I really love this draft and would like to see browser side implementation for the benefit of customers user experience. Today several services are implemented on top of DNS to filter malicious or unwanted traffic in an effective way, but customers cannot distinguish the blocking from a network error. This led to frustration or even worst put them in danger: a quick solution to the "network error" is to disable the protection and so be infected, or change browser. The server side implementation provides all the needed information to build a great user experience: in the example below I see at least 2 options
>> 
>> ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24987 flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 OPT PSEUDOSECTION: EDNS: version: 0, flags:; udp: 512
>> EDE: 17 (Filtered): ({ "c": [https://blocking.vodafone.com/blockpage?list=malwarecc], "s": 1,"j": "Malware C&C", "o": "Vodafone Internet Services" }) QUESTION SECTION: malw.scalone.eu <http://malw.scalone.eu/>. IN A
>> 
>> Option 1 - better user experience, some complexity to avoid security risks
>> 
>> if the contact URI is trusted it is possible to present in the GUI a real blocking page. The problem is that untrusted providers could use this method as an attack vector. Potential solutions could be:
>> Browsers accept Exte4nded DNS Errors only from DoH servers. URI domain has to be covered by DoH server certificate. There could potentially be a vetting process e.g. through IANA, whereby filtering providers would need to register. Only registered and approved providers would then be permitted to use this method
>> 
>> Option 2 - Sub-optimal user experience; however, a significant improvement over today's user experience. 
>> 
>> <Browser name> cannot open <filtered domain, not clickable> because it has been filtered by <name of the filtering service, "organization" field> Blocking reason: <blocking reason, " justification" field>
>> 
>> 
>> 
> 
> 
> Erm, can't a large amount of this already be accomplished using RFC8914 Extended Errors. E.g:
> https://www.rfc-editor.org/rfc/rfc8914.html#name-extended-dns-error-code-15-
> —-
> "4.16. Extended DNS Error Code 15 - Blocked
> The server is unable to respond to the request because the domain is on a blocklist due to an internal security policy imposed by the operator of the server resolving or forwarding the query.
> 
> 4.17. Extended DNS Error Code 16 - Censored
> The server is unable to respond to the request because the domain is on a blocklist due to an external requirement imposed by an entity other than the operator of the server resolving or forwarding the query. Note that how the imposed policy is applied is irrelevant (in-band DNS filtering, court order, etc.).
> 
> 4.18. Extended DNS Error Code 17 - Filtered
> The server is unable to respond to the request because the domain is on a blocklist as requested by the client. Functionally, this amounts to "you requested that we filter domains like this one."
> --- 
> 
> Yes, it doesn't give you the HTML page, but I personally view that as a feature, not a bug.
> You *know* that if my coffee-shop/hotel/car-dealer has the ability to respond to every N-th DNS query with:
> "({ "c": [https://subaru.example.com/buy-the-new-outback.html})" or "(({ "c": [https://www.example.com/free-donut-with-every-pumpkin-spice-latte.]})"
> they will.
> 
> Yes, I shouldn't be trusting my coffee-shop/hotel/car-dealer's resolvers, but with captive-portals and similar many people do…

Yeah, the existing error codes are quite good (and iOS and macOS natively support them now!), but having more details would allow this to replace more fully the cases where redirection occurs.

I also am concerned about someone just putting advertisements or worse in the contact information, so there should be some control on it.

Tommy

> 
> W
> 
> 
> 
>> Thank you
>> 
>> Gianpaolo
>> 
>> C2 General
>> 
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org <mailto:DNSOP@ietf.org>
>> https://www.ietf.org/mailman/listinfo/dnsop
>> 
> 
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org <mailto:DNSOP@ietf.org>
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email