Re: [Doh] DOH and Induced DNS

Adam Roach <adam@nostrum.com> Mon, 06 November 2017 18:21 UTC

Return-Path: <adam@nostrum.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E542A13FC62 for <doh@ietfa.amsl.com>; Mon, 6 Nov 2017 10:21:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.88
X-Spam-Level:
X-Spam-Status: No, score=-1.88 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B2ona5reabjw for <doh@ietfa.amsl.com>; Mon, 6 Nov 2017 10:21:40 -0800 (PST)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3F8313FADC for <doh@ietf.org>; Mon, 6 Nov 2017 10:21:40 -0800 (PST)
Received: from Svantevit.local (99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id vA6ILcgm007417 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Mon, 6 Nov 2017 12:21:39 -0600 (CST) (envelope-from adam@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host 99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228] claimed to be Svantevit.local
To: dagon <dagon@sudo.sh>, doh@ietf.org
References: <20171106170750.GA24665@sudo.sh>
From: Adam Roach <adam@nostrum.com>
Message-ID: <4f7a2ff7-494d-04f5-6aec-bff8cfa12d40@nostrum.com>
Date: Mon, 6 Nov 2017 12:21:33 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <20171106170750.GA24665@sudo.sh>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/AcHtZZSvD1KoiDK3YoLZ-CLnJZs>
Subject: Re: [Doh] DOH and Induced DNS
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Nov 2017 18:21:42 -0000

On 11/6/17 11:07 AM, dagon wrote:
> I might have missed something in the draft, but I worry about a misuse
> of the DOH protocol.  To my knowledge, there exists no practical means
> (outside of Flash, java applets, and special, limited DNS prefetch
> circumstances) for web sites to provoke third-party clients into
> performing mass (million+) DNS queries.  Indeed, for this reason,
> projects such as the ICSI Netalyzr resort to signed applets, which
> users must inspect and intentionally approve.  Outside of these
> limited and off-by-default cases, HTML visits can't generate arbitrary
> volumes of DNS queries. A handful, yes, but not DoS-levels.
>
> But depending on how the DOH stubs are implemented, DNS traffic could
> be induced through trivially crafted javascript.  For example, if
> GET/POST primitives are all that's needed, javascript and 'document
> write' calls can generate random child label queries towards a target
> zone, e.g. repeated GETs for the encoding of "${UNIX_EPOCH}.\
> victimzone.example.com". Instead of doing a handful of DNS lookups
> (mostly prefetch), a web visitor could perform thousands or millions
> of queries.

So you mean something equivalent to:

var date = new Date();
while (1) {
   var img = document.createElement('image');
   img.src = date.getTime() + date.getMilliseconds() + 
".victimzone.example.com";
   document.body.appendChild(img);
}

It's not clear that you're describing something new.

(It's also worth noting that, in the scenario you're describing, the 
victim DOH server would have to opt-in to allowing the attacking site to 
query it, unlike the script above. See [1] and [2] for background)

/a

____
[1] https://en.wikipedia.org/wiki/Same-origin_policy
[2] https://en.wikipedia.org/wiki/Cross-origin_resource_sharing