Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-06.txt

tirumal reddy <kondtir@gmail.com> Thu, 12 October 2023 12:28 UTC

References: <DB9PR05MB847355CA18F73D1B8F892C15A3CDA@DB9PR05MB8473.eurprd05.prod.outlook.com> <DB9PR05MB84738B9AA9551E7E116AE491A3CDA@DB9PR05MB8473.eurprd05.prod.outlook.com>
In-Reply-To: <DB9PR05MB84738B9AA9551E7E116AE491A3CDA@DB9PR05MB8473.eurprd05.prod.outlook.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Thu, 12 Oct 2023 17:57:42 +0530
Message-ID: <CAFpG3geA9zj0H4UOy8++G44kUy9g13bqOQ9VoNU_0EcpVzQe+A@mail.gmail.com>
To: "Gianpaolo Angelo Scalone, Vodafone" <Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/swQIZcNXPfVD2KhgYm0sotjF0pM>

On Tue, 10 Oct 2023 at 22:27, Gianpaolo Angelo Scalone, Vodafone
<Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org> wrote:

>
> I really love this draft and would like to see a browser-side implementation
> for the benefit of customers' user experience.
> Today several services are implemented on top of DNS to filter malicious
> or unwanted traffic in an effective way, but customers cannot distinguish
> the blocking from a network error.
> This leads to frustration or, even worse, puts them in danger: a quick solution
> to the "network error" is to disable the protection and so be infected, or
> to change browser.
> The server-side implementation provides all the information needed to
> build a great user experience: in the example below I see at least 2 options.
>
> ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24987
> flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> OPT PSEUDOSECTION:
> EDNS: version: 0, flags:; udp: 512
> EDE: 17 (Filtered): ({ "c": [https://blocking.vodafone.com/blockpage?list=malwarecc], "s": 1,"j": "Malware C&C", "o": "Vodafone Internet Services" })
>
> QUESTION SECTION:
> malw.scalone.eu.                IN      A
>
> Option 1 - better user experience, some complexity to avoid security risks.
>
> If the contact URI is trusted, it is possible to present a real
> blocking page in the GUI.
> The problem is that untrusted providers could use this method as an attack
> vector.
> Potential solutions could be:
> Browsers accept Extended DNS Errors only from DoH servers.
> The URI domain has to be covered by the DoH server certificate.
> There could potentially be a vetting process, e.g. through IANA, whereby
> filtering providers would need to register. Only registered and approved
> providers would then be permitted to use this method.
>

The attack above is discussed in detail in the security considerations
section, including the possible mitigations.


>
> Option 2 - Sub-optimal user experience; however, a significant improvement
> over today's user experience.
>
> <Browser name> cannot open <filtered domain, not clickable> because it has
> been filtered by <name of the filtering service, "organization" field>
> Blocking reason: <blocking reason, "justification" field>
>

Fallback to Option 2 is also discussed in the same section.

Cheers,
-Tiru


>
> Thank you
>
> Gianpaolo
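To make the two options concrete, here is a client-side decision routine written for this thread; it is an added example, not code from the draft, from Vodafone or from any browser. It parses the structured EXTRA-TEXT of an EDE 17 (Filtered) answer like the dig output quoted above, applies the Option 1 trust policy sketched in the mail (accept the contact URI only when the answer came over DoH and the URI host is covered by the resolver's certificate), and otherwise falls back to the Option 2 text notice. The `ResolverContext` type, the certificate names and the resolver transport labels are assumptions made up for the example; the sample JSON is constructed from the quoted record.

```python
"""Client-side handling of an EDE 17 (Filtered) answer carrying structured JSON.

Added example for the DNSOP thread; the trust policy (DoH only, contact-URI host
covered by the resolver certificate) is the one sketched in the quoted mail.
Certificate SANs and resolver transports below are constructed for illustration.
"""
import json
from dataclasses import dataclass
from urllib.parse import urlsplit

EDE_FILTERED = 17  # Extended DNS Error code 17 "Filtered" (RFC 8914)


@dataclass(frozen=True)
class ResolverContext:
    """What the client knows about the resolver that returned the answer (assumed type)."""
    transport: str      # "Do53" (plain UDP/TCP), "DoT" or "DoH"
    cert_sans: tuple    # DNS names from the resolver's validated certificate


def parse_extra_text(extra_text):
    """Strictly parse the EXTRA-TEXT JSON; return a normalised dict or None.

    Known keys must have the expected type or the whole object is rejected, so a
    hostile resolver cannot push odd values into the UI. Unknown keys are ignored."""
    try:
        obj = json.loads(extra_text)
    except (ValueError, TypeError):
        return None
    if not isinstance(obj, dict):
        return None
    contacts = obj.get("c", [])
    if not (isinstance(contacts, list) and all(isinstance(c, str) for c in contacts)):
        return None
    for key in ("j", "o"):
        if key in obj and not isinstance(obj[key], str):
            return None
    if "s" in obj and (isinstance(obj["s"], bool) or not isinstance(obj["s"], int)):
        return None
    return {"c": contacts, "s": obj.get("s"), "j": obj.get("j", ""), "o": obj.get("o", "")}


def host_matches_san(host, san):
    """Certificate-style name match: exact, or a single-label leftmost wildcard."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        h_labels, s_labels = host.split("."), san.split(".")
        return len(h_labels) == len(s_labels) and h_labels[1:] == s_labels[1:]
    return host == san


def uri_covered_by_cert(uri, cert_sans):
    """True only for an https URI whose host is named in the resolver certificate."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return any(host_matches_san(parts.hostname, san) for san in cert_sans)


def trusted_contact_uri(info, ctx):
    """Option 1 policy: EDE came over DoH and a contact URI host is covered by its cert."""
    if ctx.transport != "DoH":
        return None
    for uri in info["c"]:
        if uri_covered_by_cert(uri, ctx.cert_sans):
            return uri
    return None


def render_block_notice(browser, qname, ede_code, extra_text, ctx):
    """Decide what the browser shows for a filtered answer.

    Returns ("blockpage", uri) when the provider's own page may be loaded (Option 1)
    or ("text", message) for the plain-text fallback (Option 2). The filtered name
    is returned as text only; the caller must never turn it into a link."""
    if ede_code != EDE_FILTERED:
        return ("text", f"{browser} cannot open {qname} (DNS error)")
    info = parse_extra_text(extra_text)
    if info is None:
        # Malformed EXTRA-TEXT: report the block, but show nothing from the payload.
        return ("text", f"{browser} cannot open {qname} because it has been filtered")
    uri = trusted_contact_uri(info, ctx)
    if uri is not None:
        return ("blockpage", uri)
    org = info["o"] or "an unnamed filtering service"
    msg = f"{browser} cannot open {qname} because it has been filtered by {org}"
    if info["j"]:
        msg += f"\nBlocking reason: {info['j']}"
    return ("text", msg)


# Constructed sample modelled on the dig output quoted in this thread.
SAMPLE_EXTRA_TEXT = ('{ "c": ["https://blocking.vodafone.com/blockpage?list=malwarecc"], '
                     '"s": 1, "j": "Malware C&C", "o": "Vodafone Internet Services" }')

if __name__ == "__main__":
    # Constructed certificate names: only the first resolver covers the contact host.
    for ctx in (ResolverContext("DoH", ("dns.vodafone.com", "blocking.vodafone.com")),
                ResolverContext("DoH", ("dns.example.net",)),
                ResolverContext("Do53", ())):
        print(ctx.transport, ctx.cert_sans, "->",
              render_block_notice("Browser", "malw.scalone.eu", EDE_FILTERED, SAMPLE_EXTRA_TEXT, ctx))
```

Running the script prints the block-page URI for the resolver whose certificate names the contact host, and the Option 2 text for the DoH resolver with an unrelated certificate and for the plain Do53 resolver. Note that the fallback still renders the "o" and "j" strings from an untrusted answer; a real client would additionally length-limit and escape them before display.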