Re: [Doh] more generally on resolver-associated-doh.arpa and resolver-associated-doh.arpa

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 26 March 2019 13:35 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E755D120160 for <doh@ietfa.amsl.com>; Tue, 26 Mar 2019 06:35:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AtRHDG00ckiW for <doh@ietfa.amsl.com>; Tue, 26 Mar 2019 06:35:20 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BBF691203D3 for <doh@ietf.org>; Tue, 26 Mar 2019 06:35:08 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 3B975BEFE; Tue, 26 Mar 2019 13:35:04 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NnBRHtYKzj4t; Tue, 26 Mar 2019 13:35:02 +0000 (GMT)
Received: from [31.133.128.194] (dhcp-80c2.meeting.ietf.org [31.133.128.194]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id A0E96BEFA; Tue, 26 Mar 2019 13:35:01 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1553607302; bh=HoVVEmJWQupqnRkzILbL8ZqPWLZfnnvJnpdFTOaShTc=; h=Subject:To:References:From:Date:In-Reply-To:From; b=Yh93eCZaz1IQANooOgdC0GxLjicNUwpd6xdn97UEKIT3+O2ORPoFuxqRIXJRgHeyg fgRMK1xIUhnVY1ZtDeO6K1stSJaFnvXHPP2qjxdXTGDXXheNB0JHQbjJDvoTM/NoOS R+jNbmIeXVziJXNTNqhJBLaaf5VhhppkPTnqp59k=
To: Joe Abley <jabley@hopcount.ca>, DoH WG <doh@ietf.org>
References: <E064E7E9-0E00-4B3E-8841-59EB40B4EEDD@hopcount.ca> <4D942FED-E2F3-4A78-A1C5-3F72E013BF69@hopcount.ca>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=5BB5A6EA5765D2C5863CAE275AB2FAF17B172BEA; url=
Autocrypt: addr=stephen.farrell@cs.tcd.ie; prefer-encrypt=mutual; keydata= mQINBFo9UDIBEADUH4ZPcUnX5WWRWO4kEkHea5Y5eEvZjSwe/YA+G0nrTuOU9nemCP5PMvmh 5Cg8gBTyWyN4Z2+O25p9Tja5zUb+vPMWYvOtokRrp46yhFZOmiS5b6kTq0IqYzsEv5HI58S+ QtaFq978CRa4xH9Gi9u4yzUmT03QNIGDXE37honcAM4MOEtEgvw4fVhVWJuyy3w//0F2tzKr EMjmL5VGuD/Q9+G/7abuXiYNNd9ZFjv4625AUWwy+pAh4EKzS1FE7BOZp9daMu9MUQmDqtZU bUv0Q+DnQAB/4tNncejJPz0p2z3MWCp5iSwHiQvytYgatMp34a50l6CWqa13n6vY8VcPlIqO Vz+7L+WiVfxLbeVqBwV+4uL9to9zLF9IyUvl94lCxpscR2kgRgpM6A5LylRDkR6E0oudFnJg b097ZaNyuY1ETghVB5Uir1GCYChs8NUNumTHXiOkuzk+Gs4DAHx/a78YxBolKHi+esLH8r2k 4LyM2lp5FmBKjG7cGcpBGmWavACYEa7rwAadg4uBx9SHMV5i33vDXQUZcmW0vslQ2Is02NMK 7uB7E7HlVE1IM1zNkVTYYGkKreU8DVQu8qNOtPVE/CdaCJ/pbXoYeHz2B1Nvbl9tlyWxn5Xi HzFPJleXc0ksb9SkJokAfwTSZzTxeQPER8la5lsEEPbU/cDTcwARAQABtDJTdGVwaGVuIEZh cnJlbGwgKDIwMTcpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPokCQAQTAQgAKgIbAwUJ CZQmAAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAUCWj6jdwIZAQAKCRBasvrxexcr6o7QD/9m x9DPJetmW794RXmNTrbTJ44zc/tJbcLdRBh0KBn9OW/EaAqjDmgNJeCMyJTKr1ywaps8HGUN hLEVkc14NUpgi4/Zkrbi3DmTp25OHj6wXBS5qVMyVynTMEIjOfeFFyxG+48od+Xn7qg6LT7G rHeNf+z/r0v9+8eZ1Ip63kshQDGhhpmRMKu4Ws9ZvTW2ACXkkTFaSGYJj3yIP4R6IgwBYGMz DXFX6nS4LA1s3pcPNxOgrvCyb60AiJZTLcOk/rRrpZtXB1XQc23ZZmrlTkl2HaThL6w3YKdi Ti1NbuMeOxZqtXcUshII45sANm4HuWNTiRh93Bn5bN6ddjgsaXEZBKUBuUaPBl7gQiQJcAlS 3MmGgVS4ZoX8+VaPGpXdQVFyBMRFlOKOC5XJESt7wY0RE2C8PFm+5eywSO/P1fkl9whkMgml 3OEuIQiP2ehRt/HVLMHkoM9CPQ7t6UwdrXrvX+vBZykav8x9U9M6KTgfsXytxUl6Vx5lPMLi 2/Jrsz6Mzh/IVZa3xjhq1OLFSI/tT2ji4FkJDQbO+yYUDhcuqfakDmtWLMxecZsY6O58A/95 8Qni6Xeq+Nh7zJ7wNcQOMoDGj+24di2TX1cKLzdDMWFaWzlNP5dB5VMwS9Wqj1Z6TzKjGjru q8soqohwb2CK9B3wzFg0Bs1iBI+2RuFnxLkCDQRaPVAyARAA+g3R0HzGr/Dl34Y07XqGqzq5 SU0nXIu9u8Ynsxj7gR5qb3HgUWYEWrHW2jHOByXnvkffucf5yzwrsvw8Q8iI8CFHiTYHPpey 4yPVn6R0w/FOMcY70eTIu/k6EEFDlDbs09DtKcrsT9bmN0XoRxITlXwWTufYqUnmS+YkAuk+ TLCtUin7OdaS2uU6Ata3PLQSeM2ZsUQMmYmHPwB9rmf+q2I005AJ9Q1SPQ2KNg/8xOGxo13S VuaSqYRQdpV93RuCOzg4vuXtR+gP0KQrus/P2ZCEPvU9cXF/2MIhXgOz207lv3iE2zGyNXld /n8spvWk+0bH5Zqd9Wcba/rGcBhmX9NKKDARZqjkv/zVEP1X97w1HsNYeUFNcg2lk9zQKb4v l1jx/Uz8ukzH2QNhU4R39dbF/4AwWuSVkGW6bTxHJqGs6YimbfdQqxTzmqFwz3JP0OtXX5q/ 6D4pHwcmJwEiDNzsBLl6skPSQ0Xyq3pua/qAP8MVm+YxCxJQITqZ8qjDLzoe7s9X6FLLC/DA L9kxl5saVSfDbuI3usH/emdtn0NA9/M7nfgih92zD92sl1yQXHT6BDa8xW1j+RU4P+E0wyd7 zgB2UeYgrp2IIcfG+xX2uFG5MJQ/nYfBoiALb0+dQHNHDtFnNGY3Oe8z1M9c5aDG3/s29QbJ +w7hEKKo9YMAEQEAAYkCJQQYAQgADwUCWj1QMgIbDAUJCZQmAAAKCRBasvrxexcr6qwvD/9b Rek3kfN8Q+jGrKl8qwY8HC5s4mhdDJZI/JP2FImf5J2+d5/e8UJ4fcsT79E0/FqX3Z9wZr6h sofPqLh1/YzDsYkZDHTYSGrlWGP/I5kXwUmFnBZHzM3WGrL3S7ZmCYMdudhykxXXjq7M6Do1 oxM8JofrXGtwBTLv5wfvvygJouVCVe87Ge7mCeY5vey1eUi4zSSF1zPpR6gg64w2g4TXM5qt SwkZVOv1g475LsGlYWRuJV8TA67yp1zJI7HkNqCo8KyHX0DPOh9c+Sd9ZX4aqKfqH9HIpnCL AYEgj7vofeix7gM3kQQmwynqq32bQGQBrKJEYp2vfeO30VsVx4dzuuiC5lyjUccVmw5D72J0 FlGrfEm0kw6D1qwyBg0SAMqamKN6XDdjhNAtXIaoA2UMZK/vZGGUKbqTgDdk0fnzOyb2zvXK CiPFKqIPAqKaDHg0JHdGI3KpQdRNLLzgx083EqEc6IAwWA6jSz+6lZDV6XDgF0lYqAYIkg3+ 6OUXUv6plMlwSHquiOc/MQXHfgUP5//Ra5JuiuyCj954FD+MBKIj8eWROfnzyEnBplVHGSDI ZLzL3pvV14dcsoajdeIH45i8DxnVm64BvEFHtLNlnliMrLOrk4shfmWyUqNlzilXN2BTFVFH 4MrnagFdcFnWYp1JPh96ZKjiqBwMv/H0kw==
Message-ID: <6e72bf38-16b8-6c4f-b842-f3fd64c02e37@cs.tcd.ie>
Date: Tue, 26 Mar 2019 13:34:59 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <4D942FED-E2F3-4A78-A1C5-3F72E013BF69@hopcount.ca>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="ZTxeMZowhiAkJba8vYxCCtQPb5mNo8xQL"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/YYOOqxnG6PhrR_fnVgvhNJ3mNVY>
Subject: Re: [Doh] more generally on resolver-associated-doh.arpa and resolver-associated-doh.arpa
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 13:35:24 -0000


On 26/03/2019 13:25, Joe Abley wrote:
> Hi again,
> 
> I think my concerns about the "DoH Servers from DNS" mechanism  are
> wider than those about the blackhole suggestion that I mentioned
> earlier.
> 
> The  "DoH Servers from DNS" mechanism in general involves the
> retrieval of security-critical information for an end-user's
> application environment from the DNS in a way that necessarily
> precludes integrity protection by DNSSEC. A polluted cache, a
> compromised upstream forwarder or resolver, a man in the middle or
> just the accidental inheritance of a non-malicious upstream policy
> can divert all end-user resolver traffic to an unexpected location
> where the response policy is unknown.\
> 
> This is worse than DNSChanger or attacks on local DHCP infrastructure
> to divert resolver traffic since it has the potential to affect
> larger communities of end-users without the hurdle of local network
> or end-host compromise.
> 
> Any network that doesn't provision these domains on their local
> resolvers is hence vulnerable. 

If that is likely (and I'd suspect, but don't know, that it may be)
then there's also a privacy leak - devices will make these requests
at boot time and/or application start time. That may or may not be
worse than the status-quo ante though, so is hard to evaluate. That
said, a more localised mechanism (if one exists) could be better
in both respects.

S

> If successful the impact of such an
> attack would be difficult to assess by the network operator since of
> course the query traffic is at that point obscured, being carried as
> DoH.
> 
> Architecturally, I think this mechanism is vulnerable by default,
> which is a poor security posture. It's a challenge to detect the
> attack and it's also challenging to defend against (e.g. in the case
> that an end-user doesn't start the discovery from a local resolver).
> 
> 
> Joe
> 
> On 26 Mar 2019, at 12:17, Joe Abley <jabley@hopcount.ca> wrote:
> 
>> Hi all,
>> 
>> There was a suggestion at the microphone this morning in the Grand
>> Ballroom that the resolver-associated-doh.arpa and
>> resolver-associated-doh.arpa domains be "blackholed". The draft
>> currently specifies that these MUST NOT be delegated from ARPA.
>> 
>> The microphone queue was already cut off before I could ask more
>> about what this means, but I think it's worth reminding the wg what
>> blackhole generally means in this context of DNS names in and near
>> ARPA, and how it can be implemented, since I think there is a
>> security concern.
>> 
>> RFC 7534 provides two mechanisms to blackhole DNS traffic: one uses
>> DNAME (see RFC 7535) and the other uses a zone cut. The DNAME
>> approach is technically compatible with the MUST NOT in the draft
>> (since it's technically not a delegation but rather a redirection)
>> but the direct delegation mechanism is not.
>> 
>> In both cases, however, blackholing these domains would point their
>> DNS resolution away from the authoritative servers that serve ARPA
>> towards a loosely-coordinated set of AS112 servers.
>> 
>> Anybody can operate an AS112 server; in fact, operators have in the
>> past been actively encouraged to operate AS112 servers without any
>> requirement for coordination. This has been considered a reasonable
>> approach so long as the query data being sent to AS112 servers is
>> recognised to be junk that only leaks by accident; since it's
>> generally private network PTR query traffic the potential for
>> exploitation by bad actors (malicious AS112 node operators) is
>> arguably low.
>> 
>> However, in the case of these doh resolver domains, there is the
>> potential for a bad actor to respond with an unauthorised list of
>> DoH URIs and steal the resolver traffic of a large array of
>> end-users whose local (or configured) resolvers don't implement the
>> mechanisms described in this draft. This would be a bit like DNS
>> changer, but without the need to infect individual end-hosts..
>> 
>> I think this a problem.
>> 
>> I think (in contrast to the thought at the microphone) if we
>> mention blackholing at all it ought to be of the form "don't ever
>> do this because it would be bad for the following reasons".
>> 
>> 
>> Joe
> 
> 
> 
> _______________________________________________ Doh mailing list 
> Doh@ietf.org https://www.ietf.org/mailman/listinfo/doh
>