Re: [Doh] DOH and Induced DNS

[Adam Roach <adam@nostrum.com>]

On 11/6/17 11:07 AM, dagon wrote:
> I might have missed something in the draft, but I worry about a misuse
> of the DOH protocol.  To my knowledge, there exists no practical means
> (outside of Flash, java applets, and special, limited DNS prefetch
> circumstances) for web sites to provoke third-party clients into
> performing mass (million+) DNS queries.  Indeed, for this reason,
> projects such as the ICSI Netalyzr resort to signed applets, which
> users must inspect and intentionally approve.  Outside of these
> limited and off-by-default cases, HTML visits can't generate arbitrary
> volumes of DNS queries. A handful, yes, but not DoS-levels.
>
> But depending on how the DOH stubs are implemented, DNS traffic could
> be induced through trivially crafted javascript.  For example, if
> GET/POST primitives are all that's needed, javascript and 'document
> write' calls can generate random child label queries towards a target
> zone, e.g. repeated GETs for the encoding of "${UNIX_EPOCH}.\
> victimzone.example.com". Instead of doing a handful of DNS lookups
> (mostly prefetch), a web visitor could perform thousands or millions
> of queries.

So you mean something equivalent to:

var date = new Date();
while (1) {
   var img = document.createElement('image');
   img.src = date.getTime() + date.getMilliseconds() + 
".victimzone.example.com";
   document.body.appendChild(img);
}

It's not clear that you're describing something new.

(It's also worth noting that, in the scenario you're describing, the 
victim DOH server would have to opt-in to allowing the attacking site to 
query it, unlike the script above. See [1] and [2] for background)

/a

____
[1] https://en.wikipedia.org/wiki/Same-origin_policy
[2] https://en.wikipedia.org/wiki/Cross-origin_resource_sharing