IETF Logo Mail Archive

Re: [Doh] [Ext] Reviewing Resolver-Associated DOH

nusenu <nusenu-lists@riseup.net> Sat, 16 March 2019 20:58 UTC

Return-Path: <nusenu-lists@riseup.net>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B32E130DC0 for <doh@ietfa.amsl.com>; Sat, 16 Mar 2019 13:58:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=riseup.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lqKIZXWvuQYo for <doh@ietfa.amsl.com>; Sat, 16 Mar 2019 13:58:47 -0700 (PDT)
Received: from mx1.riseup.net (mx1.riseup.net [198.252.153.129]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A3771279A1 for <doh@ietf.org>; Sat, 16 Mar 2019 13:58:47 -0700 (PDT)
Received: from capuchin.riseup.net (capuchin-pn.riseup.net [10.0.1.176]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.riseup.net", Issuer "COMODO RSA Domain Validation Secure Server CA" (verified OK)) by mx1.riseup.net (Postfix) with ESMTPS id 4971E1A1CDD for <doh@ietf.org>; Sat, 16 Mar 2019 13:58:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1552769926; bh=YQ1ug4avFTXJaGBimVPTm26Tfwpsi3opMf+rmFJWHoQ=; h=To:References:From:Subject:Date:In-Reply-To:From; b=epbS+/Lt2uLSzB9WMpX5Mylu2rrJFWUqQYgF4INLrD/lYsWtrdaZIitFhFL41cmz1 dtjOG03YDyOOConNnha7tOeB+QXK3y1pRp5r5PpO95SKL3rE6KmPjxOlldR0wzxhLf BqgtnqyLS8T2EZ0izMCX9pv79EZ72hPce+86atzY=
X-Riseup-User-ID: 378517D4322023B9C8CCADF21070E72021BDC2074EC48A68630EAFE79F8B2E77
Received: from [127.0.0.1] (localhost [127.0.0.1]) by capuchin.riseup.net (Postfix) with ESMTPSA id 2E1D31207E3 for <doh@ietf.org>; Sat, 16 Mar 2019 13:58:44 -0700 (PDT)
To: doh@ietf.org
References: <CAHbrMsCNyeabhk0sVexOHVedVkgG2dvV9T8wWL++om5juAUvEw@mail.gmail.com> <5690c5b2-65ab-55d4-b3ec-d06d82ebbb26@riseup.net> <7F06A457-58C6-47A0-BDCA-D25FF0C6C062@icann.org>
From: nusenu <nusenu-lists@riseup.net>
Openpgp: preference=signencrypt
Autocrypt: addr=nusenu-lists@riseup.net; prefer-encrypt=mutual; keydata= xsFNBFj53gUBEADYKwT0pW1yiqt6UReZW8T2nXVCyeVT2G6z7AvW69afp82uthRH237pQ7Qs 5vq91DivN6fGN6cVksp0N9Yv+5HEQAwUxpLfcNDcGzmHMd0JMItEtozGv3a4FuiUoHAqeGXM 6Kzi3v5F2PZGF+U4QaGKEZq6u50gO/ZFy4GfC9z9tsO6Cm7s7KldVHMGx/a0MEGMwh6ZI9x2 hGXSSAKu58KRUkEpHzDiQTj+/j58ndNfZRQv6P5BLppHADRPqwEOm4RQcQYskyM0FdKXbJ8E 5GW268meflfv2BASsl3X/Xqxp+LNrstXIbFZ+38hVlQDDmdvaASpPTzIAxf8FxMYZqI+K1UE kP5nU45q84KiZoXwT6YYJDKToLSDnYkKlsrCSnLkE3Nb/IexgNoYO4nE6lT9BDV3athQCWw1 FwB5idRYWnIqbVgUFgYZDUdZBJmeTEeI+Wn5hFz6HvFVc/+haMVTcoEKSkG/tsSGsKOc2mp6 z+71io9JWrVQGmw7OeZeE4TvkF9GhwS8jrKO4E0crfcT/zT6368PZCO6Wpir8+po/ZfOWbbh 1hi3MxmXn4Fki55Zrvhy3sf28U+H/nByQV4CssYv/xVhIZsN/wNQLcDLgVs4JTBUik8eQR0Y Qrq9lG3ZVtbpEi7ZTJ6BOGIn2TKHsVIVGSQA0PdKpKYV45Lc4QARAQABzSBudXNlbnUgPG51 c2VudS1saXN0c0ByaXNldXAubmV0PsLBfQQTAQgAJwUCWPneBQIbAwUJBaOagAULCQgHAgYV CAkKCwIEFgIDAQIeAQIXgAAKCRCtYTjCRc1Cfq/kD/sHx+mnL6OLwJvBj1rVTyoHJYJARajz Go0yRlbrZSH6Z05OD3SDR9UVpWOZeY8JyFoTyCFQjAbIVjKifj0uSmi0j1iahrAgGGfik0cN XUkCxrW6jcJQ37EbvYWu4PryqLuC7IeQW1wCcB1ioyGYKkm2K6LZ9rzZPVYSmPohJ+gVI0Jt EdlNZl4JuZot9eA5w/22uvcStQHzXDsUxfqK8OAJpU8E3iBBdNpLPMDWpFz4g2yw5PD6jZ+K Q39PYMUFULaKe4YCw1O+0MFhZJI4KEcRYHuVy1b3cJjxzgVfEyFctLDsO1sh07vBhoVKUi8W e00pvGtv8QYxxMYIA3iACbsjGEr69GvvZ2pAnu9vT9OUCaES4riDCxbkMxK/Cbwk8F6mo0eq HDQ7sOZWQv81ncdG9ovlA7Pj96cEXgdtbbllF1aUZ8sAmT14YjGzhArGv7kyJ1imH5tX3OXk hBGA9JTk2mDNjEpFaTEajSvDiKyeEhWNTLm15siWkpg1124yjUkhQ3OCkw7aUDMiVn8+DQHo J2pP/84uUvngbhm1jV7nk8mxTUFgppUePkb5hhnRRzeK72QY00EwRdn7qnpNgijMJ3Fpjfy2 EeCEl3nNdcB7U0F+0ijA6P/+DROldxNr4eiP50RvV8XiW/yi2IkKBk50GNB87yYnDETxxx/c 2i00AM7BTQRY+d4FARAAwJZ6U7UT8uB1WCfLK3AOR1Wa9bzOAghlTR4WXbHB4ajQKG7/Fzud 99bnwD0V3/AOVz/SbGDyHe+7HMvd1A0Ll4NgyH6OpxY7wOwCXAYTAbcXLpM7eKTjjsb9A9XG 3FcIGvjcy76OkaewqhiABaShlStEYcPkRusHZuecXtCnfCjJKihU/kinWpBO9gY6SrF2KFCw aeS4r37brXQ9y8uy3gZ168QFuIa5AKfL0r5YN3k4StNSA2p5Z/pufWXMN3B03QC+3fireiz3 dinlHK6XjUW8oWSdNxJhexT/lUw+episNuWTQruy7PD+HeohYGXqjggmPUiWc171Sewb2f8H CHViHMee8QXqo/LSRkYVrtsx0HUSMKsVQOma/u2By03ucroIkQJQQfqX3YpK1i3EpUO2L0/m E8UpBvUm1vrst54EFym4tYNJTj9reVffFKh2cczmPVN5o8v3RrdTF96mGtcb9EJbGV4277ZE LqUspviEBXynqU3yZ48JhIWHj22/ha6TeBpapYZDOJ8lePed8E34J/GYE2YXl65LhpXAKvWz O3KiByGMysb9Li6zqZ9/BYQtg5CA6Q8Oo7pBxK4iiDH3GX2WvymmLoaOBpOaIYdvKr39fajE mzfbg7TdZKXxqp2KDrbw7vUJLDyrmPWpxHyhKHItzoi1Y59wzYSq3h0AEQEAAcLBZQQYAQgA DwUCWPneBQIbDAUJBaOagAAKCRCtYTjCRc1CfpfgEAC3tXZzhgKbF6fx5gMNDp/9MBpialvu k69UaGL3HUqM0/ytiT4FjYUmOK2mk37iop46GivsOC50PykG9gjbg9/QKUqgsZzJ8LJ+ldY4 /GKtiP5JoO59Obj8MJJ5Ta8yPfZiiNx/I8ydqd18E4PmQUCPlEKhett81t3+8R/mGwG72TaA hHwDjZAEjiXdnXh+z0AKpflCnYQafq0V73ofzuw4KovpJWMk/WPs5oSHhuV4TZ8nRkF6BR4y rEvs1kq8Y6DuNqQGwY3yilpnmqfMzzlWo7MlY657domU54bhGOsvNuZZsFDlcBczQo6h9OKq ckkVHUMAw38pX+EghzEfhYVWYmLNv5G9TA/M2s3frO3aN7ukNDq7CKIwfVz71/VfPaLQMY7/ jirzp9yIBZEi4E+PwP38FAGiD+nxzuUJv1rvxf6koqUGoHRvdppju2JLrC2nKW0La7RX7uZJ esCVkamT/XaXPROBTrZZqwbIXh2uSMzgXkC2mE1dsBf2rdsJ4y73+0DYq7YE52OV9MNoCYLH vpkapmD00svsP4sskRsrquPHkBBVCJa22lTaS8Oow9hGQe7BDjEhsVoPol889F0mbTRb3klv mGQ6/B/HA0pGWR9wISY8a7D40/qz6eE6+Yg22mtN1T8FFlNbyVmtBj0R/2HfJYhGBElLPefH jhF0TA==
Message-ID: <2f1c705b-d383-60ce-e223-da7ed3c0defd@riseup.net>
Date: Sat, 16 Mar 2019 20:58:00 +0000
MIME-Version: 1.0
In-Reply-To: <7F06A457-58C6-47A0-BDCA-D25FF0C6C062@icann.org>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="uiFKgLH3dXl0zcXTlv0BvsufCxjpUCfhW"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/295yrI72xt0eSnYueiOuqVpSj4s>
Subject: Re: [Doh] [Ext] Reviewing Resolver-Associated DOH
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Mar 2019 20:58:50 -0000

A general question before some more comments:

If the application supports the discovery mechanism in this
I-D _and_ has an option where the user can explicitly set
a DoH URI (like current Firefox has), in that case 
the DoH URIs discovered via this protocol MUST NOT override
the user's choice, correct?
(since some of the discovery mechanisms
in the current draft use unauthenticated data).

the text could be something like:

"If the DoH client has a DoH URI configured already, 
it MUST NOT override the DoH URI learned through the discovery
mechanisms in this document."


> 3.  DoH Servers from DNS
> 
>    To find the URI templates for DoH servers associated with a resolver,
>    a browser sends that resolver a query for "resolver-associated-
>    doh.arpa" 

I believe this specific discovery mechanism 
introduces a new attack opportunity that is not there
today.

Imagine a client having statically configured his operating system for Do53
via 8.8.8.8 (DNS options in DHCP are ignored on the client)
and imagine an attacker being in the temporary position between the user
and 8.8.8.8 (i.e. an internet cafe).

Under these circumstances "DoH Servers from DNS" allows an attacker 
to persistently set a victims DoH server URI. 
Which gives the attacker access to the victims DNS traffic and allows him
to feed the DoH client arbitrary responses even after the 
victim is out of his reach (i.e. user left the internet cafe). 
There is also no chance the victim could check
the integrity of TXT records via DNSSEC because they will never be signed.

The same attack vector also applies if the user uses Do53 via 10.0.0.1
and the attacker sits between 10.0.0.1 and 8.8.8.8 (the upstream resolver of 10.0.0.1).

Same attack vector applies to section 4 (Resolver Addresses from DNS).

>    A client MUST re-issue the queries in "DoH Servers from DNS" and
>    "Resolver Addresses from DNS" every time the configured resolver in
>    the operating system changes.

This would break the persistence of the attack but does not help if the user
statically configured his resolver (ignoring DNS options in DHCP) or the internet cafe
is using the same resolver as the victim's home network (i.e. 8.8.8.8).

To avoid introducing this new attack vector and to prevent downgrade
attacks from section 2 to less safe option 3 I would suggest
to stick to the safest option in the current I-D (DoH Servers from HTTPS)
and drop the less safe options or at least add the following 
3 parts to reduce the impact (persistence) of the attack and
to make it clear to implementer and operators that they MUST 
do/provide the option described in section 2 before doing
section 3:

1)
extend: 

> A client MUST re-issue the queries in "DoH Servers from DNS" and
> "Resolver Addresses from DNS" every time the configured resolver in
> the operating system changes 

with:

or whenever the client's IP address changes
(even if the resolver does not change). 

2)
extend:

>    If the array of URI templates returned is empty, that indicates that
>    the resolver does not have any DoH servers associated with it.

with:

>    **DoH clients MUST NOT attempt to find DoH servers via the mechanism 
>    defined in section 3 in that case.**

3)

extend section 8 with something like:
"The mechanism in section 2 is the safest and MUST be attempted first."


You could also consider some downgrade attack protections where the attacker
simply blocks 443 to force the unauthenticated mechanism in section 3.

Such a protection could be implemented via an additional field in the JSON file
by borrowing max-age from HSTS.
https://tools.ietf.org/html/rfc6797#section-6.1.1


>    The returned JSON object [RFC8259] MUST contain a member whose name
>    is "associated-resolvers" and whose value is a JSON array.  The array
>    contains zero or more JSON strings, each of which is a single URI
>    template.


It would be great if the JSON format would specify an optional description
field. The description could then be displayed in the application UI. This would allow
the operators to provide multiple profiles that can be selected by the user.
If multiple URIs are defined the DoH client must use the first one
by default if the user didn't choose one explicitly (if DoH is used by default).

such a JSON file could look like:

{
  "associated-resolvers": [
    {
      "uri": "https://doh.example.com/dns-query",
      "description": "Non-filtering and DNSSEC-validating resolver"
    },
    {
      "uri": "https://doh.example.com/dns-query-filtering",
      "description": "DNSSEC-validating resolver filtering known malware domains"
    }
  ]
}

>> I find these suggested .well-known URLs clearer than
>> "doh-servers-associated".
> 
> I'm generally against this idea for two reasons:
> 
> - No one will see this URL other than software developers and
> operators watching their logs. They will not be visible to users.

It is probably not so important how the url/file is called in the end
but having a speaking name with "dns-over-https-..." in its name
would be clearer than just doh-.. even if only operators have to place
the file on their servers and no end user will ever see that URL.

thanks for working on this!
nusenu

-- 
https://twitter.com/nusenu_
https://mastodon.social/@nusenu

v2.8.7 | Report a Bug | By Email